Changeset 47891 for trunk/src/wp-includes/kses.php

Timestamp:

06/02/2020 11:44:40 PM (5 years ago)

Author:

adamsilverstein

Message:

Formatting: add a new 'safe_style_disallowed_chars' filter.

Enable developers to change the regex used in safecss_filter_attr to limit characters in the parsed CSS.

Props paulschreiber, swissspidy, rmccue, bartekcholewa, miinasikk.
Fixes #37134.

File:

• trunk/src/wp-includes/kses.php (modified) (1 diff)

trunk/src/wp-includes/kses.php

@@ -2302 +2302 @@
         }
 
-        // Remove any CSS containing containing \ ( & } = or comments, except for url() useage checked above.
-        if ( $found && ! preg_match( '%[\\\(&=}]|/\*%', $css_test_string ) ) {
-            if ( '' !== $css ) {
-                $css .= ';';
+        if ( $found ) {
+            /**
+             * Filters the regex limiting the list of characters not allowed in CSS rules.
+             *
+             * Default behaviour is to remove any css containing \ ( & } = or comments, except for url() usage.
+             *
+             * @since 5.5.0
+             *
+             * @param string $regex           Regex pattern of disallowed characters in CSS rules. Default is '%[\\\(&=}]|/\*%'.
+             * @param string $css_test_string CSS value to test.
+             */
+            $disallowed_chars = apply_filters( 'safe_style_disallowed_chars', '%[\\\(&=}]|/\*%', $css_test_string );
+            if ( ! preg_match( $disallowed_chars, $css_test_string ) ) {
+                if ( '' !== $css ) {
+                    $css .= ';';
+                }
+                $css .= $css_item;
             }
-
-            $css .= $css_item;
         }
     }