Make WordPress Core

Changeset 46000


Ignore:
Timestamp:
09/04/2019 05:56:11 PM (5 years ago)
Author:
desrosj
Message:

Fix for URL sanitization in wp_kses_bad_protocol_once().

Merges [45997] to the 5.2 branch.

Props irsdl, sstoqnov, whyisjake.

Location:
branches/5.2
Files:
3 edited

Legend:

Unmodified
Added
Removed
  • branches/5.2

  • branches/5.2/src/wp-includes/kses.php

    r45242 r46000  
    16581658 */
    16591659function wp_kses_bad_protocol_once( $string, $allowed_protocols, $count = 1 ) {
     1660    $string  = preg_replace( '/(&#0*58(?![;0-9])|&#x0*3a(?![;a-f0-9]))/i', '$1;', $string );
    16601661    $string2 = preg_split( '/:|&#0*58;|&#x0*3a;/i', $string, 2 );
    16611662    if ( isset( $string2[1] ) && ! preg_match( '%/\?%', $string2[0] ) ) {
  • branches/5.2/tests/phpunit/tests/kses.php

    r44156 r46000  
    145145            'feed:javascript:alert(1)',
    146146            'feed:javascript:feed:javascript:feed:javascript:alert(1)',
     147            'javascript&#58alert(1)',
     148            'javascript&#x3ax=1;alert(1)',
    147149        );
    148150        foreach ( $bad as $k => $x ) {
     
    165167                        $this->assertEquals( 'feed:alert(1)', $result );
    166168                        break;
     169                    case 26:
     170                        $this->assertEquals( 'javascript&#58alert(1)', $result );
     171                        break;
     172                    case 27:
     173                        $this->assertEquals( 'javascript&#x3ax=1;alert(1)', $result );
     174                        break;
    167175                    default:
    168                         $this->fail( "wp_kses_bad_protocol failed on $x. Result: $result" );
     176                        $this->fail( "wp_kses_bad_protocol failed on $k, $x. Result: $result" );
    169177                }
    170178            }
Note: See TracChangeset for help on using the changeset viewer.