Make WordPress Core

Changeset 45997


Ignore:
Timestamp:
09/04/2019 05:51:33 PM (5 years ago)
Author:
desrosj
Message:

Fix for URL sanitization that can lead to cross-site scripting (XSS) attacks.

Props irsdl, sstoqnov, whyisjake.

Location:
trunk
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/kses.php

    r45590 r45997  
    16651665 */
    16661666function wp_kses_bad_protocol_once( $string, $allowed_protocols, $count = 1 ) {
     1667    $string  = preg_replace( '/(&#0*58(?![;0-9])|&#x0*3a(?![;a-f0-9]))/i', '$1;', $string );
    16671668    $string2 = preg_split( '/:|&#0*58;|&#x0*3a;/i', $string, 2 );
    16681669    if ( isset( $string2[1] ) && ! preg_match( '%/\?%', $string2[0] ) ) {
  • trunk/tests/phpunit/tests/kses.php

    r45607 r45997  
    146146            'feed:javascript:alert(1)',
    147147            'feed:javascript:feed:javascript:feed:javascript:alert(1)',
     148            'javascript&#58alert(1)',
     149            'javascript&#x3ax=1;alert(1)',
    148150        );
    149151        foreach ( $bad as $k => $x ) {
     
    166168                        $this->assertEquals( 'feed:alert(1)', $result );
    167169                        break;
     170                    case 26:
     171                        $this->assertEquals( 'javascript&#58alert(1)', $result );
     172                        break;
     173                    case 27:
     174                        $this->assertEquals( 'javascript&#x3ax=1;alert(1)', $result );
     175                        break;
    168176                    default:
    169                         $this->fail( "wp_kses_bad_protocol failed on $x. Result: $result" );
     177                        $this->fail( "wp_kses_bad_protocol failed on $k, $x. Result: $result" );
    170178                }
    171179            }
Note: See TracChangeset for help on using the changeset viewer.