Changeset 47891
- Timestamp:
- 06/02/2020 11:44:40 PM (5 years ago)
- Location:
- trunk
- Files:
-
- 2 edited
trunk/src/wp-includes/kses.php
r47837 r47891 2302 2302 } 2303 2303 2304 // Remove any CSS containing containing \ ( & } = or comments, except for url() useage checked above. 2305 if ( $found && ! preg_match( '%[\\\(&=}]|/\*%', $css_test_string ) ) { 2306 if ( '' !== $css ) { 2307 $css .= ';'; 2304 if ( $found ) { 2305 /** 2306 * Filters the regex limiting the list of characters not allowed in CSS rules. 2307 * 2308 * Default behaviour is to remove any css containing \ ( & } = or comments, except for url() usage. 2309 * 2310 * @since 5.5.0 2311 * 2312 * @param string $regex Regex pattern of disallowed characters in CSS rules. Default is '%[\\\(&=}]|/\*%'. 2313 * @param string $css_test_string CSS value to test. 2314 */ 2315 $disallowed_chars = apply_filters( 'safe_style_disallowed_chars', '%[\\\(&=}]|/\*%', $css_test_string ); 2316 if ( ! preg_match( $disallowed_chars, $css_test_string ) ) { 2317 if ( '' !== $css ) { 2318 $css .= ';'; 2319 } 2320 $css .= $css_item; 2308 2321 } 2309 2310 $css .= $css_item;2311 2322 } 2312 2323 } -
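Review bot: The new `preg_match( $disallowed_chars, $css_test_string )` check fails open. If a `safe_style_disallowed_chars` callback returns a malformed pattern, or PCRE hits an internal error, preg_match() returns `false`, `! false` is true, and the declaration is appended to `$css` unchecked. Comparing against zero keeps the sanitizer closed on error: `if ( 0 === preg_match( $disallowed_chars, $css_test_string ) ) {`. The docblock should also say that relaxing the pattern lets values such as `expression(...)` and backslash escapes through, so a callback should only loosen it for CSS whose origin it controls. The enclosing function starts and ends outside this hunk.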
trunk/tests/phpunit/tests/kses.php
r47837 r47891 1003 1003 'expected' => 'background: conic-gradient(at 0% 30%, red 10%, yellow 30%, #1e90ff 50%)', 1004 1004 ), 1005 1005 // Expressions are not allowed. 1006 array( 1007 'css' => 'height: expression( body.scrollTop + 50 + "px" )', 1008 'expected' => '', 1009 ), 1010 // RGB color values are not allowed. 1011 array( 1012 'css' => 'color: rgb( 100, 100, 100 )', 1013 'expected' => '', 1014 ), 1015 // RGBA color values are not allowed. 1016 array( 1017 'css' => 'color: rgb( 100, 100, 100, .4 )', 1018 'expected' => '', 1019 ), 1006 1020 ); 1007 1021 } … … 1248 1262 ); 1249 1263 } 1264 1265 /** 1266 * Filter for disallowed characters never matches thus allowing all characters. 1267 */ 1268 function _safe_style_disallowed_chars_filter( $regex ) { 1269 return '%a^%'; // Regex with no matches. 1270 1271 } 1272 /** 1273 * Testing the safecss_filter_attr() function with the safe_style_disallowed_chars filter. 1274 * 1275 * @ticket 37134 1276 * 1277 * @dataProvider data_test_safecss_filter_attr_filtered 1278 * 1279 * @param string $css A string of CSS rules. 1280 * @param string $expected Expected string of CSS rules. 1281 */ 1282 public function test_safecss_filter_attr_filtered( $css, $expected ) { 1283 add_filter( 'safe_style_disallowed_chars', array( $this, '_safe_style_disallowed_chars_filter' ) ); 1284 $this->assertSame( $expected, safecss_filter_attr( $css ) ); 1285 remove_filter( 'safe_style_disallowed_chars', array( $this, '_safe_style_disallowed_chars_filter' ) ); 1286 } 1287 1288 /** 1289 * Data Provider for test_safecss_filter_attr_filtered(). 1290 * 1291 * @return array { 1292 * @type array { 1293 * @string string $css A string of CSS rules. 1294 * @string string $expected Expected string of CSS rules. 1295 * } 1296 * } 1297 */ 1298 public function data_test_safecss_filter_attr_filtered() { 1299 return array( 1300 1301 // A single attribute name, with a single value. 
1302 array( 1303 'css' => 'margin-top: 2px', 1304 'expected' => 'margin-top: 2px', 1305 ), 1306 // Backslash \ can be allowed with the 'safe_style_disallowed_chars' filter. 1307 array( 1308 'css' => 'margin-top: \2px', 1309 'expected' => 'margin-top: \2px', 1310 ), 1311 // Curly bracket } can be allowed with the 'safe_style_disallowed_chars' filter. 1312 array( 1313 'css' => 'margin-bottom: 2px}', 1314 'expected' => 'margin-bottom: 2px}', 1315 ), 1316 // Parenthesis ) can be allowed with the 'safe_style_disallowed_chars' filter. 1317 array( 1318 'css' => 'margin-bottom: 2px)', 1319 'expected' => 'margin-bottom: 2px)', 1320 ), 1321 // Ampersand & can be allowed with the 'safe_style_disallowed_chars' filter. 1322 array( 1323 'css' => 'margin-bottom: 2px&', 1324 'expected' => 'margin-bottom: 2px&', 1325 ), 1326 // Expressions can be allowed with the 'safe_style_disallowed_chars' filter. 1327 array( 1328 'css' => 'height: expression( body.scrollTop + 50 + "px" )', 1329 'expected' => 'height: expression( body.scrollTop + 50 + "px" )', 1330 ), 1331 // RGB color values can be allowed with the 'safe_style_disallowed_chars' filter. 1332 array( 1333 'css' => 'color: rgb( 100, 100, 100 )', 1334 'expected' => 'color: rgb( 100, 100, 100 )', 1335 ), 1336 // RGBA color values can be allowed with the 'safe_style_disallowed_chars' filter. 1337 array( 1338 'css' => 'color: rgb( 100, 100, 100, .4 )', 1339 'expected' => 'color: rgb( 100, 100, 100, .4 )', 1340 ), 1341 ); 1342 } 1250 1343 }
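Review bot: The cases commented "RGBA color values" in both data providers pass `rgb( 100, 100, 100, .4 )`, so the `rgba(` spelling is never exercised. The input should read `'css' => 'color: rgba( 100, 100, 100, .4 )'`, with the matching `expected` value in the filtered provider. In `test_safecss_filter_attr_filtered()` the `remove_filter()` call sits after the assertion, so a failing case would leave the match-nothing pattern hooked unless the base test case restores hooks, which is not visible here. Storing the result, removing the filter and then asserting avoids that. `_safe_style_disallowed_chars_filter()` also has no visibility keyword and a stray blank line before its closing brace.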