Make WordPress Core


Timestamp:
12/12/2019 06:00:45 PM (5 years ago)
Author:
whyisjake
Message:

Prevent stored XSS in the block editor.

Prevent escaped unicode characters from becoming unescaped in unsafe HTML during JSON decoding.

Props: aduth, epiqueras

File:
1 edited

  • trunk/src/wp-includes/formatting.php

    r46894 r46896  
    49064906
    49074907/**
     4908 * Remove non-allowable HTML from parsed block attribute values when filtering
     4909 * in the post context.
     4910 *
     4911 * @since 5.3.1
     4912 *
     4913 * @param string         $string            Content to be run through KSES.
     4914 * @param array[]|string $allowed_html      An array of allowed HTML elements
     4915 *                                          and attributes, or a context name
     4916 *                                          such as 'post'.
     4917 * @param string[]       $allowed_protocols Array of allowed URL protocols.
     4918 * @return string Filtered text to run through KSES.
     4919 */
     4920function wp_pre_kses_block_attributes( $string, $allowed_html, $allowed_protocols ) {
     4921    /*
     4922     * `filter_block_content` is expected to call `wp_kses`. Temporarily remove
     4923     * the filter to avoid recursion.
     4924     */
     4925    remove_filter( 'pre_kses', 'wp_pre_kses_block_attributes', 10 );
     4926    $string = filter_block_content( $string, $allowed_html, $allowed_protocols );
     4927    add_filter( 'pre_kses', 'wp_pre_kses_block_attributes', 10, 3 );
     4928
     4929    return $string;
     4930}
     4931
     4932/**
    49084933 * WordPress implementation of PHP sprintf() with filters.
    49094934 *
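Review bot: the remove_filter/add_filter pair around `filter_block_content` at lines 4925-4927 assumes the callback is currently hooked to `pre_kses` at priority 10 with 3 accepted arguments, and this hunk does not show where that registration happens; if the hook was added at a different priority, or not at all, `remove_filter()` returns false and the unconditional `add_filter()` then installs a second copy, so every later `wp_kses()` call would run the block attribute filtering twice. Suggest capturing the result, e.g. `$removed = remove_filter( 'pre_kses', 'wp_pre_kses_block_attributes', 10 );` and only re-adding when `$removed` is true, and noting in the docblock that this function is intended to run as a `pre_kses` callback so the registration site is discoverable.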