Make WordPress Core


Ignore:
Timestamp:
12/12/2019 06:36:20 PM (5 years ago)
Author:
whyisjake
Message:

Ensure that a user can publish_posts before making a post sticky.
Props: danielbachhuber, whyisjake, peterwilson, xknown.
Prevent stored XSS through wp_targeted_link_rel().
Props: vortfu, whyisjake, peterwilsoncc, xknown, SergeyBiryukov, flaviozavan.
Update wp_kses_bad_protocol() to recognize : on uri attributes,
wp_kses_bad_protocol() makes sure to validate that uri attributes don't contain invalid/or not allowed protocols. While this works fine in most cases, there's a risk that by using the colon html5 named entity, one is able to bypass this function.
Brings r46895 to the 5.3 branch.
Props: xknown, nickdaugherty, peterwilsoncc.
Prevent stored XSS in the block editor.
Brings r46896 to the 5.3 branch.
Prevent escaped unicode characters become unescaped in unsafe HTML during JSON decoding.
Props: aduth, epiqueras.

Location:
branches/5.1
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • branches/5.1

  • branches/5.1/src/wp-includes/kses.php

    r46002 r46907  
    16591659function wp_kses_bad_protocol_once( $string, $allowed_protocols, $count = 1 ) {
    16601660    $string  = preg_replace( '/(&#0*58(?![;0-9])|&#x0*3a(?![;a-f0-9]))/i', '$1;', $string );
    1661     $string2 = preg_split( '/:|&#0*58;|&#x0*3a;/i', $string, 2 );
     1661    $string2 = preg_split( '/:|&#0*58;|&#x0*3a;|:/i', $string, 2 );
    16621662    if ( isset( $string2[1] ) && ! preg_match( '%/\?%', $string2[0] ) ) {
    16631663        $string   = trim( $string2[1] );
Note: See TracChangeset for help on using the changeset viewer.