Make WordPress Core


Timestamp:
08/17/2019 01:58:12 PM (5 years ago)
Author:
SergeyBiryukov
Message:

Pings/Trackbacks: In wp_xmlrpc_server::pingback_ping(), strip inline JS and CSS while trying to figure out the pingback context.

Props david.binda.
Fixes #47283.

File:
1 edited

  • trunk/src/wp-includes/class-wp-xmlrpc-server.php

    r45723 r45823  
    68816881        }
    68826882
    6883         $remote_source = strip_tags( $remote_source, '<a>' ); // just keep the tag we need
     6883        // Remove all script and style tags including their content.
     6884        $remote_source = preg_replace( '@<(script|style)[^>]*?>.*?</\\1>@si', '', $remote_source );
     6885        // Just keep the tag we need.
     6886        $remote_source = strip_tags( $remote_source, '<a>' );
    68846887
    68856888        $p = explode( "\n\n", $remote_source );
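
Review bot: The result of preg_replace() at new line 6884 is assigned straight back to $remote_source with no null check. preg_replace() returns null on a PCRE error (for example when the backtrack limit is hit on a large remote page), and the strip_tags() call that follows would then produce an empty string, so the pingback context lookup fails silently; consider keeping the previous value when the result is null. Separately, the pattern only removes a script or style element whose closing tag has the exact form </script> or </style>. An unclosed element, or a closing tag with whitespace before the >, is not matched, and strip_tags() then drops the tag but leaves its content in the text passed to explode(). A comment stating that limitation would help.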