Make WordPress Core


Timestamp:
06/18/2020 08:59:43 PM (5 years ago)
Author:
adamsilverstein
Message:

Formatting: new filter safecss_filter_attr_allow_css on css parts.

Enables developers to determine whether a section of CSS should be allowed or discarded. By default, the value will be false if the part contains \ ( & } = or comments. Returning true allows the CSS part to be included in the output.

Replaces the safe_style_disallowed_chars filter introduced in r47891.

Props azaozz.
Fixes #37134.

File:
1 edited

  • trunk/src/wp-includes/kses.php

    r48072 r48086  
    23582358
    23592359        if ( $found ) {
     2360            // Check for any CSS containing \ ( & } = or comments, except for url() usage checked above.
     2361            $allow_css = ! preg_match( '%[\\\(&=}]|/\*%', $css_test_string );
     2362
    23602363            /**
    2361              * Filters the regex limiting the list of characters not allowed in CSS rules.
     2364             * Filters the check for unsafe CSS in `safecss_filter_attr`.
    23622365             *
    2363              * Default behaviour is to remove any CSS containing \ ( & } = or comments,
    2364              * except for url() usage.
     2366             * Enables developers to determine whether a section of CSS should be allowed or discarded.
     2367             * By default, the value will be false if the part contains \ ( & } = or comments.
     2368             * Return true to allow the CSS part to be included in the output.
    23652369             *
    23662370             * @since 5.5.0
    23672371             *
    2368              * @param string $regex           Regex pattern of disallowed characters in CSS rules.
    2369              *                                Default is '%[\\\(&=}]|/\*%'.
    2370              * @param string $css_test_string CSS value to test.
     2372             * @param bool   $allow_css       Whether the CSS in the test string is considered safe.
     2373             * @param string $css_test_string The css string to test.
    23712374             */
    2372             $disallowed_chars = apply_filters( 'safe_style_disallowed_chars', '%[\\\(&=}]|/\*%', $css_test_string );
    2373             if ( ! preg_match( $disallowed_chars, $css_test_string ) ) {
     2375            $allow_css = apply_filters( 'safecss_filter_attr_allow_css', $allow_css, $css_test_string );
     2376
     2377             // Only add the css part if it passes the regex check.
     2378            if ( $allow_css ) {
    23742379                if ( '' !== $css ) {
    23752380                    $css .= ';';
    23762381                }
     2382
    23772383                $css .= $css_item;
    23782384            }
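Review bot: the inline comment at 2377, `// Only add the css part if it passes the regex check.`, is stale after this change: by the time the `if ( $allow_css )` branch runs, `$allow_css` carries the result of `apply_filters( 'safecss_filter_attr_allow_css', $allow_css, $css_test_string )`, so a callback returning `true` lets a part containing `\ ( & } =` or a `/*` comment opener through, and within this hunk it is then appended to `$css` with no further check. Suggest rewording the comment to "Only add the CSS part if the regex check and the filter both allow it." and adding a sentence to the filter docblock stating that a callback which returns `true` for a part the default check rejected is responsible for validating `$css_test_string` itself. Minor: `@param string $css_test_string The css string to test.` should read `CSS` to match the capitalisation used elsewhere in the docblock.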