Changeset 46901 for branches/5.2/src/wp-includes/formatting.php

Timestamp:

12/12/2019 06:17:35 PM (6 years ago)

Author:

whyisjake

Message:

Ensure that a user can publish_posts before making a post sticky.

Props: danielbachhuber, whyisjake, peterwilson, xknown.

Prevent stored XSS through wp_targeted_link_rel().

Props: vortfu, whyisjake, peterwilsoncc, xknown, SergeyBiryukov, flaviozavan.

Update wp_kses_bad_protocol() to recognize : on uri attributes,

wp_kses_bad_protocol() makes sure to validate that uri attributes don’t contain invalid/or not allowed protocols. While this works fine in most cases, there’s a risk that by using the colon html5 named entity, one is able to bypass this function.

Brings r46895 to the 5.3 branch.

Props: xknown, nickdaugherty, peterwilsoncc.

Prevent stored XSS in the block editor.

Brings r46896 to the 5.3 branch.

Prevent escaped unicode characters become unescaped in unsafe HTML during JSON decoding.

Props: aduth, epiqueras.

Location:

branches/5.2

Files:

• . (modified) (1 prop)
• src/wp-includes/formatting.php (modified) (4 diffs)

branches/5.2/src/wp-includes/formatting.php

@@ -3044 +3044 @@
 function wp_targeted_link_rel( $text ) {
     // Don't run (more expensive) regex if no links with targets.
-    if ( stripos( $text, 'target' ) !== false && stripos( $text, '<a ' ) !== false ) {
-        $text = preg_replace_callback( '|<a\s([^>]*target\s*=[^>]*)>|i', 'wp_targeted_link_rel_callback', $text );
+    if ( stripos( $text, 'target' ) === false || stripos( $text, '<a ' ) === false || is_serialized( $text ) ) {
+        return $text;
+    }
+
+    $script_and_style_regex = '/<(script|style).*?<\/\\1>/si';
+
+    preg_match_all( $script_and_style_regex, $text, $matches );
+    $extra_parts = $matches[0];
+    $html_parts  = preg_split( $script_and_style_regex, $text );
+
+    foreach ( $html_parts as &$part ) {
+        $part = preg_replace_callback( '|<a\s([^>]*target\s*=[^>]*)>|i', 'wp_targeted_link_rel_callback', $part );
+    }
+
+    $text = '';
+    for ( $i = 0; $i < count( $html_parts ); $i++ ) {
+        $text .= $html_parts[ $i ];
+        if ( isset( $extra_parts[ $i ] ) ) {
+            $text .= $extra_parts[ $i ];
+        }
     }
 
@@ -3063 +3081 @@
  */
 function wp_targeted_link_rel_callback( $matches ) {
-    $link_html = $matches[1];
-    $rel_match = array();
+    $link_html          = $matches[1];
+    $original_link_html = $link_html;
+
+    // Consider the html escaped if there are no unescaped quotes
+    $is_escaped = ! preg_match( '/(^|[^\\\\])[\'"]/', $link_html );
+    if ( $is_escaped ) {
+        // Replace only the quotes so that they are parsable by wp_kses_hair, leave the rest as is
+        $link_html = preg_replace( '/\\\\([\'"])/', '$1', $link_html );
+    }
+
+    $atts = wp_kses_hair( $link_html, wp_allowed_protocols() );
 
     /**
@@ -3076 +3103 @@
     $rel = apply_filters( 'wp_targeted_link_rel', 'noopener noreferrer', $link_html );
 
-    // Avoid additional regex if the filter removes rel values.
-    if ( ! $rel ) {
-        return "<a $link_html>";
-    }
-
-    // Value with delimiters, spaces around are optional.
-    $attr_regex = '|rel\s*=\s*?(\\\\{0,1}["\'])(.*?)\\1|i';
-    preg_match( $attr_regex, $link_html, $rel_match );
-
-    if ( empty( $rel_match[0] ) ) {
-        // No delimiters, try with a single value and spaces, because `rel =  va"lue` is totally fine...
-        $attr_regex = '|rel\s*=(\s*)([^\s]*)|i';
-        preg_match( $attr_regex, $link_html, $rel_match );
-    }
-
-    if ( ! empty( $rel_match[0] ) ) {
-        $parts     = preg_split( '|\s+|', strtolower( $rel_match[2] ) );
-        $parts     = array_map( 'esc_attr', $parts );
-        $needed    = explode( ' ', $rel );
-        $parts     = array_unique( array_merge( $parts, $needed ) );
-        $delimiter = trim( $rel_match[1] ) ? $rel_match[1] : '"';
-        $rel       = 'rel=' . $delimiter . trim( implode( ' ', $parts ) ) . $delimiter;
-        $link_html = str_replace( $rel_match[0], $rel, $link_html );
-    } elseif ( preg_match( '|target\s*=\s*?\\\\"|', $link_html ) ) {
-        $link_html .= " rel=\\\"$rel\\\"";
-    } elseif ( preg_match( '#(target|href)\s*=\s*?\'#', $link_html ) ) {
-        $link_html .= " rel='$rel'";
-    } else {
-        $link_html .= " rel=\"$rel\"";
+    // Return early if no rel values to be added or if no actual target attribute
+    if ( ! $rel || ! isset( $atts['target'] ) ) {
+        return "<a $original_link_html>";
+    }
+
+    if ( isset( $atts['rel'] ) ) {
+        $all_parts = preg_split( '/\s/', "{$atts['rel']['value']} $rel", -1, PREG_SPLIT_NO_EMPTY );
+        $rel       = implode( ' ', array_unique( $all_parts ) );
+    }
+
+    $atts['rel']['whole'] = 'rel="' . esc_attr( $rel ) . '"';
+    $link_html            = join( ' ', array_column( $atts, 'whole' ) );
+
+    if ( $is_escaped ) {
+        $link_html = preg_replace( '/[\'"]/', '\\\\$0', $link_html );
     }
 
@@ -4809 +4822 @@
 
 /**
+ * Remove non-allowable HTML from parsed block attribute values when filtering
+ * in the post context.
+ *
+ * @since 5.3.1
+ *
+ * @param string         $string            Content to be run through KSES.
+ * @param array[]|string $allowed_html      An array of allowed HTML elements
+ *                                          and attributes, or a context name
+ *                                          such as 'post'.
+ * @param string[]       $allowed_protocols Array of allowed URL protocols.
+ * @return string Filtered text to run through KSES.
+ */
+function wp_pre_kses_block_attributes( $string, $allowed_html, $allowed_protocols ) {
+    /*
+     * `filter_block_content` is expected to call `wp_kses`. Temporarily remove
+     * the filter to avoid recursion.
+     */
+    remove_filter( 'pre_kses', 'wp_pre_kses_block_attributes', 10 );
+    $string = filter_block_content( $string, $allowed_html, $allowed_protocols );
+    add_filter( 'pre_kses', 'wp_pre_kses_block_attributes', 10, 3 );
+
+    return $string;
+}
+
+/**
  * WordPress implementation of PHP sprintf() with filters.
  *