Changeset 45997 for trunk

Timestamp:

09/04/2019 05:51:33 PM (5 years ago)

Author:

desrosj

Message:

Fix for URL sanitization that can lead to cross-site scripting (XSS) attacks.

Props irsdl, sstoqnov, whyisjake.

Location:

trunk

Files:

• src/wp-includes/kses.php (modified) (1 diff)
• tests/phpunit/tests/kses.php (modified) (2 diffs)

trunk/src/wp-includes/kses.php

@@ -1665 +1665 @@
  */
 function wp_kses_bad_protocol_once( $string, $allowed_protocols, $count = 1 ) {
+    $string  = preg_replace( '/(&#0*58(?![;0-9])|&#x0*3a(?![;a-f0-9]))/i', '$1;', $string );
     $string2 = preg_split( '/:|&#0*58;|&#x0*3a;/i', $string, 2 );
     if ( isset( $string2[1] ) && ! preg_match( '%/\?%', $string2[0] ) ) {

trunk/tests/phpunit/tests/kses.php

@@ -146 +146 @@
             'feed:javascript:alert(1)',
             'feed:javascript:feed:javascript:feed:javascript:alert(1)',
+            'javascript&#58alert(1)',
+            'javascript&#x3ax=1;alert(1)',
         );
         foreach ( $bad as $k => $x ) {
@@ -166 +168 @@
                         $this->assertEquals( 'feed:alert(1)', $result );
                         break;
+                    case 26:
+                        $this->assertEquals( 'javascript&#58alert(1)', $result );
+                        break;
+                    case 27:
+                        $this->assertEquals( 'javascript&#x3ax=1;alert(1)', $result );
+                        break;
                     default:
-                        $this->fail( "wp_kses_bad_protocol failed on $x. Result: $result" );
+                        $this->fail( "wp_kses_bad_protocol failed on $k, $x. Result: $result" );
                 }
             }