WordPress.org

Make WordPress Core

Changeset 4672


Ignore:
Timestamp:
01/02/2007 09:22:41 PM (12 years ago)
Author:
ryan
Message:

Add kses protocol checking to clean_url. Props Andy. fixes #3515

Files:
3 edited

Legend:

Unmodified
Added
Removed
  • branches/2.0/wp-includes/comment-functions.php

    r4656 r4672  
    212212    do_action('wp_set_comment_status', $comment_id, 'delete');
    213213    return true;
    214 }
    215 
    216 function clean_url( $url ) {
    217     if ('' == $url) return $url;
    218     $url = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%]|i', '', $url);
    219     $strip = array('%0d', '%0a');
    220     $url = str_replace($strip, '', $url);
    221     $url = str_replace(';//', '://', $url);
    222     $url = (!strstr($url, '://')) ? 'http://'.$url : $url;
    223     $url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&$1', $url);
    224     return $url;
    225214}
    226215
  • branches/2.0/wp-includes/functions-formatting.php

    r4663 r4672  
    10461046}
    10471047
     1048function clean_url( $url, $protocols = null ) {
     1049    if ('' == $url) return $url;
     1050    $url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%]|i', '', $url);
     1051    $strip = array('%0d', '%0a');
     1052    $url = str_replace($strip, '', $url);
     1053    $url = str_replace(';//', '://', $url);
     1054    $url = (!strstr($url, '://')) ? 'http://'.$url : $url;
     1055    $url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&$1', $url);
     1056    if ( !is_array($protocols) )
     1057        $protocols = array('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet');
     1058    if ( wp_kses_bad_protocol( $url, $protocols ) != $url )
     1059        return '';
     1060    return $url;
     1061}
     1062
    10481063// Escape single quotes, specialchar double quotes, and fix line endings.
    10491064function js_escape($text) {
  • trunk/wp-includes/formatting.php

    r4669 r4672  
    10571057}
    10581058
    1059 function clean_url( $url ) {
     1059function clean_url( $url, $protocols = null ) {
    10601060    if ('' == $url) return $url;
    10611061    $url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%]|i', '', $url);
     
    10651065    $url = (!strstr($url, '://')) ? 'http://'.$url : $url;
    10661066    $url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&$1', $url);
     1067    if ( !is_array($protocols) )
     1068        $protocols = array('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet');
     1069    if ( wp_kses_bad_protocol( $url, $protocols ) != $url )
     1070        return '';
    10671071    return $url;
    10681072}
Note: See TracChangeset for help on using the changeset viewer.