
Changeset 48086


Timestamp:
06/18/2020 08:59:43 PM (4 years ago)
Author:
adamsilverstein
Message:

Formatting: new filter safecss_filter_attr_allow_css on css parts.

Enables developers to determine whether a section of CSS should be allowed or discarded. By default, the value will be false if the part contains \ ( & } = or comments. Returning true allows the CSS part to be included in the output.

Replaces the safe_style_disallowed_chars filter introduced in r47891.

Props azaozz.
Fixes #37134.

Location:
trunk
Files:
2 edited

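--- a/trunk/src/wp-includes/kses.php
+++ b/trunk/src/wp-includes/kses.php
@@ -2358,21 +2358,27 @@
 
         if ( $found ) {
+            // Check for any CSS containing \ ( & } = or comments, except for url() usage checked above.
+            $allow_css = ! preg_match( '%[\\\(&=}]|/\*%', $css_test_string );
+
             /**
-             * Filters the regex limiting the list of characters not allowed in CSS rules.
+             * Filters the check for unsafe CSS in `safecss_filter_attr`.
              *
-             * Default behaviour is to remove any CSS containing \ ( & } = or comments,
-             * except for url() usage.
+             * Enables developers to determine whether a section of CSS should be allowed or discarded.
+             * By default, the value will be false if the part contains \ ( & } = or comments.
+             * Return true to allow the CSS part to be included in the output.
              *
              * @since 5.5.0
              *
-             * @param string $regex           Regex pattern of disallowed characters in CSS rules.
-             *                                Default is '%[\\\(&=}]|/\*%'.
-             * @param string $css_test_string CSS value to test.
+             * @param bool   $allow_css       Whether the CSS in the test string is considered safe.
+             * @param string $css_test_string The css string to test.
              */
-            $disallowed_chars = apply_filters( 'safe_style_disallowed_chars', '%[\\\(&=}]|/\*%', $css_test_string );
-            if ( ! preg_match( $disallowed_chars, $css_test_string ) ) {
+            $allow_css = apply_filters( 'safecss_filter_attr_allow_css', $allow_css, $css_test_string );
+
+            // Only add the css part if it passes the regex check.
+            if ( $allow_css ) {
                 if ( '' !== $css ) {
                     $css .= ';';
                 }
+
                 $css .= $css_item;
             }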
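Review bot: The new comment `// Only add the css part if it passes the regex check.` is stale once `$allow_css` has gone through `apply_filters( 'safecss_filter_attr_allow_css', ... )`: the branch is taken whenever the filtered value is truthy, regardless of the regex, so I would write `// Only add the css part if it passed the regex check, or a filter explicitly allowed it.`. The docblock tells plugin authors to "Return true to allow the CSS part" but not what that gives up; the accompanying tests show that an unconditional `__return_true` lets `expression( ... )`, `}` and backslash escapes through, so a sentence like "Filters should inspect `$css_test_string` and allow only specific, known-safe constructs; returning true unconditionally disables this protection." belongs in the docblock. `$allow_css` is documented as `bool` but used unmodified in `if ( $allow_css )`, so a filter returning any truthy non-boolean is accepted; `if ( true === $allow_css )` or a `(bool)` cast would pin the documented contract. The enclosing `if ( $found )` block and the url() check the first comment refers to begin before this hunk, so I cannot confirm what `$css_test_string` contains at this point.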
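--- a/trunk/tests/phpunit/tests/kses.php
+++ b/trunk/tests/phpunit/tests/kses.php
@@ -1264,12 +1264,5 @@
 
     /**
-     * Filter for disallowed characters never matches thus allowing all characters.
-     */
-    function _safe_style_disallowed_chars_filter( $regex ) {
-        return '%a^%'; // Regex with no matches.
-
-    }
-    /**
-     * Testing the safecss_filter_attr() function with the safe_style_disallowed_chars filter.
+     * Testing the safecss_filter_attr() function with the safecss_filter_attr_allow_css filter.
      *
      * @ticket 37134
@@ -1281,7 +1274,7 @@
      */
     public function test_safecss_filter_attr_filtered( $css, $expected ) {
-        add_filter( 'safe_style_disallowed_chars', array( $this, '_safe_style_disallowed_chars_filter' ) );
+        add_filter( 'safecss_filter_attr_allow_css', '__return_true' );
         $this->assertSame( $expected, safecss_filter_attr( $css ) );
-        remove_filter( 'safe_style_disallowed_chars', array( $this, '_safe_style_disallowed_chars_filter' ) );
+        remove_filter( 'safecss_filter_attr_allow_css', '__return_true' );
     }
 
@@ -1304,35 +1297,35 @@
                 'expected' => 'margin-top: 2px',
             ),
-            // Backslash \ can be allowed with the 'safe_style_disallowed_chars' filter.
+            // Backslash \ can be allowed with the 'safecss_filter_attr_allow_css' filter.
             array(
                 'css'      => 'margin-top: \2px',
                 'expected' => 'margin-top: \2px',
             ),
-            // Curly bracket } can be allowed with the 'safe_style_disallowed_chars' filter.
+            // Curly bracket } can be allowed with the 'safecss_filter_attr_allow_css' filter.
             array(
                 'css'      => 'margin-bottom: 2px}',
                 'expected' => 'margin-bottom: 2px}',
             ),
-            // Parenthesis ) can be allowed with the 'safe_style_disallowed_chars' filter.
+            // Parenthesis ) can be allowed with the 'safecss_filter_attr_allow_css' filter.
             array(
                 'css'      => 'margin-bottom: 2px)',
                 'expected' => 'margin-bottom: 2px)',
             ),
-            // Ampersand & can be allowed with the 'safe_style_disallowed_chars' filter.
+            // Ampersand & can be allowed with the 'safecss_filter_attr_allow_css' filter.
             array(
                 'css'      => 'margin-bottom: 2px&',
                 'expected' => 'margin-bottom: 2px&',
             ),
-            // Expressions can be allowed with the 'safe_style_disallowed_chars' filter.
+            // Expressions can be allowed with the 'safecss_filter_attr_allow_css' filter.
             array(
                 'css'      => 'height: expression( body.scrollTop + 50 + "px" )',
                 'expected' => 'height: expression( body.scrollTop + 50 + "px" )',
             ),
-            // RGB color values can be allowed with the 'safe_style_disallowed_chars' filter.
+            // RGB color values can be allowed with the 'safecss_filter_attr_allow_css' filter.
             array(
                 'css'      => 'color: rgb( 100, 100, 100 )',
                 'expected' => 'color: rgb( 100, 100, 100 )',
             ),
-            // RGBA color values can be allowed with the 'safe_style_disallowed_chars' filter.
+            // RGBA color values can be allowed with the 'safecss_filter_attr_allow_css' filter.
             array(
                 'css'      => 'color: rgb( 100, 100, 100, .4 )',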
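Review bot: Swapping the custom callback for `__return_true` in `test_safecss_filter_attr_filtered` means the filter's second argument, `$css_test_string`, and any per-part decision are never exercised; the data provider only proves that an unconditional allow passes every part through, which is the one way the filter should not be used. A second test that registers a selective callback, e.g. `add_filter( 'safecss_filter_attr_allow_css', function( $allow_css, $css_test_string ) { return $allow_css || false !== strpos( $css_test_string, 'rgb(' ); }, 10, 2 );`, and asserts that `color: rgb( 100, 100, 100 )` survives while `height: expression( body.scrollTop + 50 + "px" )` is still stripped would pin the intended contract; this presumes the test string still contains the `rgb(` text at filter time, which the hunk does not show. It would also be worth one case asserting that a filter returning false discards a part the regex would have accepted. The data provider these cases belong to starts and ends outside the visible hunks.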