Make WordPress Core


Ignore:
Timestamp:
12/12/2019 06:36:20 PM (4 years ago)
Author:
whyisjake
Message:

Ensure that a user can publish_posts before making a post sticky.
Props: danielbachhuber, whyisjake, peterwilson, xknown.
Prevent stored XSS through wp_targeted_link_rel().
Props: vortfu, whyisjake, peterwilsoncc, xknown, SergeyBiryukov, flaviozavan.
Update wp_kses_bad_protocol() to recognize : on uri attributes,
wp_kses_bad_protocol() makes sure to validate that uri attributes don't contain invalid/or not allowed protocols. While this works fine in most cases, there's a risk that by using the colon html5 named entity, one is able to bypass this function.
Brings r46895 to the 5.3 branch.
Props: xknown, nickdaugherty, peterwilsoncc.
Prevent stored XSS in the block editor.
Brings r46896 to the 5.3 branch.
Prevent escaped unicode characters become unescaped in unsafe HTML during JSON decoding.
Props: aduth, epiqueras.

Location:
branches/5.1
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • branches/5.1

  • branches/5.1/tests/phpunit/tests/kses.php

    r46002 r46907  
    179179        }
    180180
     181        $bad_not_normalized = array(
     182            'dummy:alert(1)',
     183            'javascript:alert(1)',
     184            'javascript&CoLon;alert(1)',
     185            'javascript:alert(1);',
     186            'javascript:alert(1);',
     187            'javascript:alert(1);',
     188            'javascript&#0000058alert(1);',
     189            'jav    ascript:alert(1);',
     190            'javascript:javascript:alert(1);',
     191            'javascript:javascript:alert(1);',
     192            'javascript&#0000058javascript:alert(1);',
     193            'javascript:javascript&#0000058alert(1);',
     194            'javascript&#58alert(1)',
     195        );
     196        foreach ( $bad_not_normalized as $k => $x ) {
     197            $result = wp_kses_bad_protocol( $x, wp_allowed_protocols() );
     198            if ( ! empty( $result ) && 'alert(1);' !== $result && 'alert(1)' !== $result ) {
     199                $this->fail( "wp_kses_bad_protocol failed on $k, $x. Result: $result" );
     200            }
     201        }
     202
    181203        $safe = array(
    182204            'dummy:alert(1)',
Note: See TracChangeset for help on using the changeset viewer.