WordPress.org
Get WordPress

Make WordPress Core


Ignore:
Timestamp:
12/12/2019 06:51:11 PM (6 years ago)
Author:
whyisjake
Message:

Ensure that a user can publish_posts before making a post sticky.
Props: danielbachhuber, whyisjake, peterwilson, xknown.
Prevent stored XSS through wp_targeted_link_rel().
Props: vortfu, whyisjake, peterwilsoncc, xknown, SergeyBiryukov, flaviozavan.
Update wp_kses_bad_protocol() to recognize : on uri attributes,
wp_kses_bad_protocol() makes sure to validate that uri attributes don't contain invalid/or not allowed protocols. While this works fine in most cases, there's a risk that by using the colon html5 named entity, one is able to bypass this function.
Brings r46895 to the 5.3 branch.
Props: xknown, nickdaugherty, peterwilsoncc.
Prevent stored XSS in the block editor.
Brings r46896 to the 5.3 branch.
Prevent escaped unicode characters become unescaped in unsafe HTML during JSON decoding.
Props: aduth, epiqueras.

Location:
branches/5.0
Files:
2 edited

Legend:

Unmodified
Added
Removed

  • branches/5.0

  • branches/5.0/tests/phpunit/tests/kses.php

    r46004 r46915  
    171171        }
    172172
     173        $bad_not_normalized = array(
     174            'dummy:alert(1)',
     175            'javascript:alert(1)',
     176            'javascript&CoLon;alert(1)',
     177            'javascript:alert(1);',
     178            'javascript:alert(1);',
     179            'javascript:alert(1);',
     180            'javascript&#0000058alert(1);',
     181            'jav    ascript:alert(1);',
     182            'javascript:javascript:alert(1);',
     183            'javascript:javascript:alert(1);',
     184            'javascript&#0000058javascript:alert(1);',
     185            'javascript:javascript&#0000058alert(1);',
     186            'javascript&#58alert(1)',
     187        );
     188        foreach ( $bad_not_normalized as $k => $x ) {
     189            $result = wp_kses_bad_protocol( $x, wp_allowed_protocols() );
     190            if ( ! empty( $result ) && 'alert(1);' !== $result && 'alert(1)' !== $result ) {
     191                $this->fail( "wp_kses_bad_protocol failed on $k, $x. Result: $result" );
     192            }
     193        }
     194
    173195        $safe = array(
    174196            'dummy:alert(1)',
Note: See TracChangeset for help on using the changeset viewer.