WordPress.org

Make WordPress Core


Ignore:
Timestamp:
09/04/2019 05:51:33 PM (7 weeks ago)
Author:
desrosj
Message:

Fix for URL sanitization that can lead to cross-site scripting (XSS) attacks.

Props irsdl, sstoqnov, whyisjake.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/kses.php

    r45590 r45997  
    16651665 */
    16661666function wp_kses_bad_protocol_once( $string, $allowed_protocols, $count = 1 ) {
     1667    $string  = preg_replace( '/(&#0*58(?![;0-9])|&#x0*3a(?![;a-f0-9]))/i', '$1;', $string );
    16671668    $string2 = preg_split( '/:|&#0*58;|&#x0*3a;/i', $string, 2 );
    16681669    if ( isset( $string2[1] ) && ! preg_match( '%/\?%', $string2[0] ) ) {
Note: See TracChangeset for help on using the changeset viewer.