Changeset 46915 for branches/5.0/src/wp-includes/kses.php

Timestamp:

12/12/2019 06:51:11 PM (6 years ago)

Author:

whyisjake

Message:

Ensure that a user can publish_posts before making a post sticky.
Props: danielbachhuber, whyisjake, peterwilson, xknown.
Prevent stored XSS through wp_targeted_link_rel().
Props: vortfu, whyisjake, peterwilsoncc, xknown, SergeyBiryukov, flaviozavan.
Update wp_kses_bad_protocol() to recognize : on uri attributes,
wp_kses_bad_protocol() makes sure to validate that uri attributes don't contain invalid/or not allowed protocols. While this works fine in most cases, there's a risk that by using the colon html5 named entity, one is able to bypass this function.
Brings r46895 to the 5.3 branch.
Props: xknown, nickdaugherty, peterwilsoncc.
Prevent stored XSS in the block editor.
Brings r46896 to the 5.3 branch.
Prevent escaped unicode characters become unescaped in unsafe HTML during JSON decoding.
Props: aduth, epiqueras.

Location:

branches/5.0

Files:

• . (modified) (1 prop)
• src/wp-includes/kses.php (modified) (1 diff)

branches/5.0/src/wp-includes/kses.php

@@ -1409 +1409 @@
 function wp_kses_bad_protocol_once($string, $allowed_protocols, $count = 1 ) {
     $string  = preg_replace( '/(&#0*58(?![;0-9])|&#x0*3a(?![;a-f0-9]))/i', '$1;', $string );
-    $string2 = preg_split( '/:|&#0*58;|&#x0*3a;/i', $string, 2 );
-    if ( isset($string2[1]) && ! preg_match('%/\?%', $string2[0]) ) {
-        $string = trim( $string2[1] );
+    $string2 = preg_split( '/:|&#0*58;|&#x0*3a;|:/i', $string, 2 );
+    if ( isset( $string2[1] ) && ! preg_match( '%/\?%', $string2[0] ) ) {
+        $string   = trim( $string2[1] );
         $protocol = wp_kses_bad_protocol_once2( $string2[0], $allowed_protocols );
         if ( 'feed:' == $protocol ) {