WordPress.org
Get WordPress

Make WordPress Core


Ignore:
Timestamp:
12/12/2019 06:25:04 PM (6 years ago)
Author:
SergeyBiryukov
Message:

Update wp_kses_bad_protocol() to recognize : on uri attributes,

wp_kses_bad_protocol() makes sure to validate that uri attributes don’t contain invalid/or not allowed protocols. While this works fine in most cases, there’s a risk that by using the colon html5 named entity, one is able to bypass this function.

Brings r46895 to the 3.7 branch.

Props: xknown, nickdaugherty, peterwilsoncc.

Location:
branches/3.7
Files:
3 edited

Legend:

Unmodified
Added
Removed

  • branches/3.7

  • branches/3.7/src

  • branches/3.7/src/wp-includes/kses.php

    r46023 r46903  
    13081308function wp_kses_bad_protocol_once($string, $allowed_protocols, $count = 1 ) {
    13091309    $string  = preg_replace( '/(&#0*58(?![;0-9])|&#x0*3a(?![;a-f0-9]))/i', '$1;', $string );
    1310     $string2 = preg_split( '/:|&#0*58;|&#x0*3a;/i', $string, 2 );
     1310    $string2 = preg_split( '/:|&#0*58;|&#x0*3a;|:/i', $string, 2 );
    13111311    if ( isset($string2[1]) && ! preg_match('%/\?%', $string2[0]) ) {
    13121312        $string = trim( $string2[1] );
Note: See TracChangeset for help on using the changeset viewer.