Changeset 47122 for trunk/src/wp-includes/kses.php
- Timestamp:
- 01/29/2020 12:43:23 AM (5 years ago)
- File:
-
- 1 edited
trunk/src/wp-includes/kses.php
r46959 r47122 1053 1053 return ''; 1054 1054 } 1055 // prevent multiple dashes in comments1055 // Prevent multiple dashes in comments. 1056 1056 $string = preg_replace( '/--+/', '-', $string ); 1057 // prevent three dashes closing a comment1057 // Prevent three dashes closing a comment. 1058 1058 $string = preg_replace( '/-$/', '', $string ); 1059 1059 return "<!--{$string}-->"; … … 1120 1120 } 1121 1121 1122 // Split it 1122 // Split it. 1123 1123 $attrarr = wp_kses_hair( $attr, $allowed_protocols ); 1124 1124 1125 1125 // Go through $attrarr, and save the allowed attributes for this element 1126 // in $attr2 1126 // in $attr2. 1127 1127 $attr2 = ''; 1128 1128 foreach ( $attrarr as $arreach ) { … … 1132 1132 } 1133 1133 1134 // Remove any "<" or ">" characters 1134 // Remove any "<" or ">" characters. 1135 1135 $attr2 = preg_replace( '/[<>]/', '', $attr2 ); 1136 1136 … … 1205 1205 1206 1206 if ( is_array( $allowed_attr[ $name_low ] ) ) { 1207 // there are some checks1207 // There are some checks. 1208 1208 foreach ( $allowed_attr[ $name_low ] as $currkey => $currval ) { 1209 1209 if ( ! wp_kses_check_attr_val( $value, $vless, $currkey, $currval ) ) { … … 1242 1242 $uris = wp_kses_uri_attributes(); 1243 1243 1244 // Loop through the whole attribute list 1244 // Loop through the whole attribute list. 1245 1245 1246 1246 while ( strlen( $attr ) != 0 ) { … … 1259 1259 1260 1260 case 1: 1261 if ( preg_match( '/^\s*=\s*/', $attr ) ) { // equals sign1261 if ( preg_match( '/^\s*=\s*/', $attr ) ) { // Equals sign. 1262 1262 $working = 1; 1263 1263 $mode = 2; … … 1266 1266 } 1267 1267 1268 if ( preg_match( '/^\s+/', $attr ) ) { // valueless1268 if ( preg_match( '/^\s+/', $attr ) ) { // Valueless. 1269 1269 $working = 1; 1270 1270 $mode = 0; … … 1347 1347 1348 1348 break; 1349 } // switch1350 1351 if ( $working == 0 ) { // not well formed, remove and try again1349 } // End switch. 1350 1351 if ( $working == 0 ) { // Not well-formed, remove and try again. 
1352 1352 $attr = wp_kses_html_error( $attr ); 1353 1353 $mode = 0; 1354 1354 } 1355 } // while1355 } // End while. 1356 1356 1357 1357 if ( $mode == 1 && false === array_key_exists( $attrname, $attrarr ) ) { 1358 // special case, for when the attribute list ends with a valueless1359 // attribute like "selected" 1358 // Special case, for when the attribute list ends with a valueless 1359 // attribute like "selected". 1360 1360 $attrarr[ $attrname ] = array( 1361 1361 'name' => $attrname, … … 1406 1406 } 1407 1407 1408 // Split it 1408 // Split it. 1409 1409 $attrarr = wp_kses_hair_parse( $attr ); 1410 1410 if ( false === $attrarr ) { … … 1445 1445 . ')' 1446 1446 . '(?:' // Attribute value. 1447 . '\s*=\s*' // All values begin with '=' 1447 . '\s*=\s*' // All values begin with '='. 1448 1448 . '(?:' 1449 . '"[^"]*"' // Double-quoted 1449 . '"[^"]*"' // Double-quoted. 1450 1450 . '|' 1451 . "'[^']*'" // Single-quoted 1451 . "'[^']*'" // Single-quoted. 1452 1452 . '|' 1453 . '[^\s"\']+' // Non-quoted 1454 . '(?:\s|$)' // Must have a space 1453 . '[^\s"\']+' // Non-quoted. 1454 . '(?:\s|$)' // Must have a space. 1455 1455 . ')' 1456 1456 . '|' … … 1493 1493 switch ( strtolower( $checkname ) ) { 1494 1494 case 'maxlen': 1495 // The maxlen check makes sure that the attribute value has a length not 1496 // greater than the given value. This can be used to avoid Buffer Overflows 1497 // in WWW clients and various Internet servers. 1495 /* 1496 * The maxlen check makes sure that the attribute value has a length not 1497 * greater than the given value. This can be used to avoid Buffer Overflows 1498 * in WWW clients and various Internet servers. 1499 */ 1498 1500 1499 1501 if ( strlen( $value ) > $checkvalue ) { … … 1503 1505 1504 1506 case 'minlen': 1505 // The minlen check makes sure that the attribute value has a length not 1506 // smaller than the given value. 
1507 /* 1508 * The minlen check makes sure that the attribute value has a length not 1509 * smaller than the given value. 1510 */ 1507 1511 1508 1512 if ( strlen( $value ) < $checkvalue ) { … … 1512 1516 1513 1517 case 'maxval': 1514 // The maxval check does two things: it checks that the attribute value is 1515 // an integer from 0 and up, without an excessive amount of zeroes or 1516 // whitespace (to avoid Buffer Overflows). It also checks that the attribute 1517 // value is not greater than the given value. 1518 // This check can be used to avoid Denial of Service attacks. 1518 /* 1519 * The maxval check does two things: it checks that the attribute value is 1520 * an integer from 0 and up, without an excessive amount of zeroes or 1521 * whitespace (to avoid Buffer Overflows). It also checks that the attribute 1522 * value is not greater than the given value. 1523 * This check can be used to avoid Denial of Service attacks. 1524 */ 1519 1525 1520 1526 if ( ! preg_match( '/^\s{0,6}[0-9]{1,6}\s{0,6}$/', $value ) ) { … … 1527 1533 1528 1534 case 'minval': 1529 // The minval check makes sure that the attribute value is a positive integer, 1530 // and that it is not smaller than the given value. 1535 /* 1536 * The minval check makes sure that the attribute value is a positive integer, 1537 * and that it is not smaller than the given value. 1538 */ 1531 1539 1532 1540 if ( ! preg_match( '/^\s{0,6}[0-9]{1,6}\s{0,6}$/', $value ) ) { … … 1539 1547 1540 1548 case 'valueless': 1541 // The valueless check makes sure if the attribute has a value 1542 // (like `<a href="blah">`) or not (`<option selected>`). If the given value 1543 // is a "y" or a "Y", the attribute must not have a value. 1544 // If the given value is an "n" or an "N", the attribute must have a value. 1549 /* 1550 * The valueless check makes sure if the attribute has a value 1551 * (like `<a href="blah">`) or not (`<option selected>`). 
If the given value 1552 * is a "y" or a "Y", the attribute must not have a value. 1553 * If the given value is an "n" or an "N", the attribute must have a value. 1554 */ 1545 1555 1546 1556 if ( strtolower( $checkvalue ) != $vless ) { … … 1548 1558 } 1549 1559 break; 1550 } // switch1560 } // End switch. 1551 1561 1552 1562 return $ok; … … 1744 1754 $string = str_replace( '&', '&', $string ); 1745 1755 1746 // Change back the allowed entities in our entity whitelist 1756 // Change back the allowed entities in our entity whitelist. 1747 1757 $string = preg_replace_callback( '/&([A-Za-z]{2,8}[0-9]{0,2});/', 'wp_kses_named_entities', $string ); 1748 1758 $string = preg_replace_callback( '/&#(0*[0-9]{1,7});/', 'wp_kses_normalize_entities2', $string ); … … 1992 2002 */ 1993 2003 function kses_init_filters() { 1994 // Normal filtering 2004 // Normal filtering. 1995 2005 add_filter( 'title_save_pre', 'wp_filter_kses' ); 1996 2006 1997 // Comment filtering 2007 // Comment filtering. 1998 2008 if ( current_user_can( 'unfiltered_html' ) ) { 1999 2009 add_filter( 'pre_comment_content', 'wp_filter_post_kses' ); … … 2002 2012 } 2003 2013 2004 // Post filtering 2014 // Post filtering. 2005 2015 add_filter( 'content_save_pre', 'wp_filter_post_kses' ); 2006 2016 add_filter( 'excerpt_save_pre', 'wp_filter_post_kses' ); … … 2021 2031 */ 2022 2032 function kses_remove_filters() { 2023 // Normal filtering 2033 // Normal filtering. 2024 2034 remove_filter( 'title_save_pre', 'wp_filter_kses' ); 2025 2035 2026 // Comment filtering 2036 // Comment filtering. 2027 2037 remove_filter( 'pre_comment_content', 'wp_filter_post_kses' ); 2028 2038 remove_filter( 'pre_comment_content', 'wp_filter_kses' ); 2029 2039 2030 // Post filtering 2040 // Post filtering. 2031 2041 remove_filter( 'content_save_pre', 'wp_filter_post_kses' ); 2032 2042 remove_filter( 'excerpt_save_pre', 'wp_filter_post_kses' ); … … 2062 2072 function safecss_filter_attr( $css, $deprecated = '' ) { 2063 2073 if ( ! 
empty( $deprecated ) ) { 2064 _deprecated_argument( __FUNCTION__, '2.8.1' ); // Never implemented 2074 _deprecated_argument( __FUNCTION__, '2.8.1' ); // Never implemented. 2065 2075 } 2066 2076
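Review bot: The reflowed `maxlen` and `minlen` comments in wp_kses_check_attr_val (new lines 1495–1499 and 1507–1510) still describe the limit as a "length" while the checks beside them use `strlen( $value )`, so the bound is enforced in bytes, not characters, and a multibyte attribute value is cut off below what a reader of the comment would expect. Since this commit only touches those comments, it is the right place to state the unit: `* greater than the given value (measured in bytes, as strlen() counts them).` for maxlen, and the matching wording for minlen. A similar precision point applies to the `// Must have a space.` comment on the non-quoted value branch of wp_kses_hair_parse (new line 1454), where the pattern `(?:\s|$)` also accepts end of string; `// Must be followed by whitespace or end of string.` describes what is actually matched. The bodies of both functions start and end outside the hunks shown here.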