Make WordPress Core


Ignore:
Timestamp:
12/12/2019 06:36:20 PM (5 years ago)
Author:
whyisjake
Message:

Ensure that a user can publish_posts before making a post sticky.
Props: danielbachhuber, whyisjake, peterwilson, xknown.
Prevent stored XSS through wp_targeted_link_rel().
Props: vortfu, whyisjake, peterwilsoncc, xknown, SergeyBiryukov, flaviozavan.
Update wp_kses_bad_protocol() to recognize : on uri attributes,
wp_kses_bad_protocol() makes sure to validate that uri attributes don't contain invalid/or not allowed protocols. While this works fine in most cases, there's a risk that by using the colon html5 named entity, one is able to bypass this function.
Brings r46895 to the 5.3 branch.
Props: xknown, nickdaugherty, peterwilsoncc.
Prevent stored XSS in the block editor.
Brings r46896 to the 5.3 branch.
Prevent escaped unicode characters become unescaped in unsafe HTML during JSON decoding.
Props: aduth, epiqueras.

Location:
branches/5.1
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • branches/5.1

  • branches/5.1/src/wp-includes/default-filters.php

    r44714 r46907  
    246246add_filter( 'teeny_mce_before_init', '_mce_set_direction' );
    247247add_filter( 'pre_kses', 'wp_pre_kses_less_than' );
     248add_filter( 'pre_kses', 'wp_pre_kses_block_attributes', 10, 3 );
    248249add_filter( 'sanitize_title', 'sanitize_title_with_dashes', 10, 3 );
    249250add_action( 'check_comment_flood', 'check_comment_flood_db', 10, 4 );
Note: See TracChangeset for help on using the changeset viewer.