Changeset 48086
- Timestamp:
- 06/18/2020 08:59:43 PM (4 years ago)
- Location:
- trunk
- Files:
-
- 2 edited
trunk/src/wp-includes/kses.php
r48072 r48086 2358 2358 2359 2359 if ( $found ) { 2360 // Check for any CSS containing \ ( & } = or comments, except for url() usage checked above. 2361 $allow_css = ! preg_match( '%[\\\(&=}]|/\*%', $css_test_string ); 2362 2360 2363 /** 2361 * Filters the regex limiting the list of characters not allowed in CSS rules.2364 * Filters the check for unsafe CSS in `safecss_filter_attr`. 2362 2365 * 2363 * Default behaviour is to remove any CSS containing \ ( & } = or comments, 2364 * except for url() usage. 2366 * Enables developers to determine whether a section of CSS should be allowed or discarded. 2367 * By default, the value will be false if the part contains \ ( & } = or comments. 2368 * Return true to allow the CSS part to be included in the output. 2365 2369 * 2366 2370 * @since 5.5.0 2367 2371 * 2368 * @param string $regex Regex pattern of disallowed characters in CSS rules. 2369 * Default is '%[\\\(&=}]|/\*%'. 2370 * @param string $css_test_string CSS value to test. 2372 * @param bool $allow_css Whether the CSS in the test string is considered safe. 2373 * @param string $css_test_string The css string to test. 2371 2374 */ 2372 $disallowed_chars = apply_filters( 'safe_style_disallowed_chars', '%[\\\(&=}]|/\*%', $css_test_string ); 2373 if ( ! preg_match( $disallowed_chars, $css_test_string ) ) { 2375 $allow_css = apply_filters( 'safecss_filter_attr_allow_css', $allow_css, $css_test_string ); 2376 2377 // Only add the css part if it passes the regex check. 2378 if ( $allow_css ) { 2374 2379 if ( '' !== $css ) { 2375 2380 $css .= ';'; 2376 2381 } 2382 2377 2383 $css .= $css_item; 2378 2384 } -
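Review bot: The comment `// Only add the css part if it passes the regex check.` above the new `if ( $allow_css )` is now stale, because `$allow_css` is the filter's return value and a callback can admit a part that failed the regex (the test file wires `__return_true`, which admits `expression(...)` and comment-bearing values); change it to `// Only add the CSS part if it passed the regex check or a 'safecss_filter_attr_allow_css' callback allowed it.`. The filter docblock should also say that returning true bypasses the check entirely, so a callback is responsible for validating `$css_test_string` itself — a sentence such as `* Returning true for a part the regex rejected disables this safeguard for that part; callbacks must validate the string themselves.` after the `Return true to allow...` line would make that explicit. Since the branch tests truthiness, a callback returning a non-bool is silently coerced; `if ( (bool) $allow_css ) {` or documenting `@param bool` as strict would make the contract clearer. The enclosing function `safecss_filter_attr` and the url() check the comment refers to are outside this hunk.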
trunk/tests/phpunit/tests/kses.php
r47891 r48086 1264 1264 1265 1265 /** 1266 * Filter for disallowed characters never matches thus allowing all characters. 1267 */ 1268 function _safe_style_disallowed_chars_filter( $regex ) { 1269 return '%a^%'; // Regex with no matches. 1270 1271 } 1272 /** 1273 * Testing the safecss_filter_attr() function with the safe_style_disallowed_chars filter. 1266 * Testing the safecss_filter_attr() function with the safecss_filter_attr_allow_css filter. 1274 1267 * 1275 1268 * @ticket 37134 … … 1281 1274 */ 1282 1275 public function test_safecss_filter_attr_filtered( $css, $expected ) { 1283 add_filter( 'safe _style_disallowed_chars', array( $this, '_safe_style_disallowed_chars_filter' ));1276 add_filter( 'safecss_filter_attr_allow_css', '__return_true' ); 1284 1277 $this->assertSame( $expected, safecss_filter_attr( $css ) ); 1285 remove_filter( 'safe _style_disallowed_chars', array( $this, '_safe_style_disallowed_chars_filter' ));1278 remove_filter( 'safecss_filter_attr_allow_css', '__return_true' ); 1286 1279 } 1287 1280 … … 1304 1297 'expected' => 'margin-top: 2px', 1305 1298 ), 1306 // Backslash \ can be allowed with the 'safe _style_disallowed_chars' filter.1299 // Backslash \ can be allowed with the 'safecss_filter_attr_allow_css' filter. 1307 1300 array( 1308 1301 'css' => 'margin-top: \2px', 1309 1302 'expected' => 'margin-top: \2px', 1310 1303 ), 1311 // Curly bracket } can be allowed with the 'safe _style_disallowed_chars' filter.1304 // Curly bracket } can be allowed with the 'safecss_filter_attr_allow_css' filter. 1312 1305 array( 1313 1306 'css' => 'margin-bottom: 2px}', 1314 1307 'expected' => 'margin-bottom: 2px}', 1315 1308 ), 1316 // Parenthesis ) can be allowed with the 'safe _style_disallowed_chars' filter.1309 // Parenthesis ) can be allowed with the 'safecss_filter_attr_allow_css' filter. 
1317 1310 array( 1318 1311 'css' => 'margin-bottom: 2px)', 1319 1312 'expected' => 'margin-bottom: 2px)', 1320 1313 ), 1321 // Ampersand & can be allowed with the 'safe _style_disallowed_chars' filter.1314 // Ampersand & can be allowed with the 'safecss_filter_attr_allow_css' filter. 1322 1315 array( 1323 1316 'css' => 'margin-bottom: 2px&', 1324 1317 'expected' => 'margin-bottom: 2px&', 1325 1318 ), 1326 // Expressions can be allowed with the 'safe _style_disallowed_chars' filter.1319 // Expressions can be allowed with the 'safecss_filter_attr_allow_css' filter. 1327 1320 array( 1328 1321 'css' => 'height: expression( body.scrollTop + 50 + "px" )', 1329 1322 'expected' => 'height: expression( body.scrollTop + 50 + "px" )', 1330 1323 ), 1331 // RGB color values can be allowed with the 'safe _style_disallowed_chars' filter.1324 // RGB color values can be allowed with the 'safecss_filter_attr_allow_css' filter. 1332 1325 array( 1333 1326 'css' => 'color: rgb( 100, 100, 100 )', 1334 1327 'expected' => 'color: rgb( 100, 100, 100 )', 1335 1328 ), 1336 // RGBA color values can be allowed with the 'safe _style_disallowed_chars' filter.1329 // RGBA color values can be allowed with the 'safecss_filter_attr_allow_css' filter. 1337 1330 array( 1338 1331 'css' => 'color: rgb( 100, 100, 100, .4 )',
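Review bot: `test_safecss_filter_attr_filtered` exercises only the permissive direction of the new filter — every fixture in the provider is admitted via `__return_true` — while the other half of the contract, that a callback returning false discards a part the default regex accepts, is not covered anywhere in this hunk. A companion case along the lines of `add_filter( 'safecss_filter_attr_allow_css', '__return_false' );` / `$this->assertSame( '', safecss_filter_attr( 'margin-top: 2px' ) );` / `remove_filter( 'safecss_filter_attr_allow_css', '__return_false' );` would pin that (the empty-string result is inferred from `$css` being built only from allowed parts in kses.php; confirm against the function's initialisation, which is outside the hunk). The data provider is cut off at the end of this section, so later fixtures are not visible here.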