Make WordPress Core


Ignore:
Timestamp:
12/12/2019 05:52:18 PM (5 years ago)
Author:
whyisjake
Message:

Update wp_kses_bad_protocol() to recognize : on uri attributes,

wp_kses_bad_protocol() makes sure to validate that uri attributes don’t contain invalid/or not allowed protocols. While this works fine in most cases, there’s a risk that by using the colon html5 named entity, one is able to bypass this function.

Props: xknown, nickdaugherty, peterwilsoncc.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/tests/phpunit/tests/kses.php

    r46793 r46895  
    180180        }
    181181
     182        $bad_not_normalized = array(
     183            'dummy:alert(1)',
     184            'javascript:alert(1)',
     185            'javascript&CoLon;alert(1)',
     186            'javascript:alert(1);',
     187            'javascript:alert(1);',
     188            'javascript:alert(1);',
     189            'javascript&#0000058alert(1);',
     190            'jav    ascript:alert(1);',
     191            'javascript:javascript:alert(1);',
     192            'javascript:javascript:alert(1);',
     193            'javascript&#0000058javascript:alert(1);',
     194            'javascript:javascript&#0000058alert(1);',
     195            'javascript&#58alert(1)',
     196        );
     197        foreach ( $bad_not_normalized as $k => $x ) {
     198            $result = wp_kses_bad_protocol( $x, wp_allowed_protocols() );
     199            if ( ! empty( $result ) && 'alert(1);' !== $result && 'alert(1)' !== $result ) {
     200                $this->fail( "wp_kses_bad_protocol failed on $k, $x. Result: $result" );
     201            }
     202        }
     203
    182204        $safe = array(
    183205            'dummy:alert(1)',
Note: See TracChangeset for help on using the changeset viewer.