WordPress.org

Make WordPress Core


Ignore:
Timestamp:
09/04/2019 05:51:33 PM (6 weeks ago)
Author:
desrosj
Message:

Fix for URL sanitization that can lead to cross-site scripting (XSS) attacks.

Props irsdl, sstoqnov, whyisjake.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/tests/phpunit/tests/kses.php

    r45607 r45997  
    146146            'feed:javascript:alert(1)',
    147147            'feed:javascript:feed:javascript:feed:javascript:alert(1)',
     148            'javascript&#58alert(1)',
     149            'javascript&#x3ax=1;alert(1)',
    148150        );
    149151        foreach ( $bad as $k => $x ) {
     
    166168                        $this->assertEquals( 'feed:alert(1)', $result );
    167169                        break;
     170                    case 26:
     171                        $this->assertEquals( 'javascript&#58alert(1)', $result );
     172                        break;
     173                    case 27:
     174                        $this->assertEquals( 'javascript&#x3ax=1;alert(1)', $result );
     175                        break;
    168176                    default:
    169                         $this->fail( "wp_kses_bad_protocol failed on $x. Result: $result" );
     177                        $this->fail( "wp_kses_bad_protocol failed on $k, $x. Result: $result" );
    170178                }
    171179            }
Note: See TracChangeset for help on using the changeset viewer.