Changeset 46900 for branches/5.3/src/wp-includes/formatting.php

Timestamp:

12/12/2019 06:10:56 PM (5 years ago)

Author:

whyisjake

Message:

Prevent stored XSS in the block editor.

Brings r46896 to the 5.3 branch.

Prevent escaped unicode characters become unescaped in unsafe HTML during JSON decoding.

File:

• branches/5.3/src/wp-includes/formatting.php (modified) (1 diff)

branches/5.3/src/wp-includes/formatting.php

@@ -4904 +4904 @@
 
 /**
+ * Remove non-allowable HTML from parsed block attribute values when filtering
+ * in the post context.
+ *
+ * @since 5.3.1
+ *
+ * @param string         $string            Content to be run through KSES.
+ * @param array[]|string $allowed_html      An array of allowed HTML elements
+ *                                          and attributes, or a context name
+ *                                          such as 'post'.
+ * @param string[]       $allowed_protocols Array of allowed URL protocols.
+ * @return string Filtered text to run through KSES.
+ */
+function wp_pre_kses_block_attributes( $string, $allowed_html, $allowed_protocols ) {
+    /*
+     * `filter_block_content` is expected to call `wp_kses`. Temporarily remove
+     * the filter to avoid recursion.
+     */
+    remove_filter( 'pre_kses', 'wp_pre_kses_block_attributes', 10 );
+    $string = filter_block_content( $string, $allowed_html, $allowed_protocols );
+    add_filter( 'pre_kses', 'wp_pre_kses_block_attributes', 10, 3 );
+
+    return $string;
+}
+
+/**
  * WordPress implementation of PHP sprintf() with filters.
  *