

Timestamp:
12/02/2021 12:54:03 AM (4 years ago)
Author:
peterwilsoncc
Message:

KSES: Allow attributes to be restricted via callbacks.

Add callback validation for HTML tag attribute values, giving more flexibility than the existing fixed array of allowed values.

In object tags, validate the data attribute via a callback to ensure it is a PDF and matches the type attribute. This prevents mime type mismatches in browsers.

Follow up to [51963].

Props Pento, dd32, swissspidy, xknown, peterwilsoncc.
Fixes #54261.

File:
1 edited

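--- a/trunk/src/wp-includes/kses.php
+++ b/trunk/src/wp-includes/kses.php
@@ -273,5 +273,8 @@
     ),
     'object'     => array(
-        'data' => true,
+        'data' => array(
+            'required'       => true,
+            'value_callback' => '_wp_kses_allow_pdf_objects',
+        ),
         'type' => array(
             'required' => true,
@@ -1662,4 +1665,15 @@
             }
             break;
+
+        case 'value_callback':
+            /*
+             * The value_callback check is used when you want to make sure that the attribute
+             * value is accepted by the callback function.
+             */
+
+            if ( ! call_user_func( $checkvalue, $value ) ) {
+                $ok = false;
+            }
+            break;
     } // End switch.
 
@@ -2567,2 +2581,33 @@
     return $value;
 }
+
+/**
+ * Helper function to check if this is a safe PDF URL.
+ *
+ * @since 5.9.0
+ * @access private
+ * @ignore
+ *
+ * @param string $url The URL to check.
+ * @return bool True if the URL is safe, false otherwise.
+ */
+function _wp_kses_allow_pdf_objects( $value ) {
+    // We're not interested in URLs that contain query strings or fragments.
+    if ( strpos( $value, '?' ) !== false || strpos( $value, '#' ) !== false ) {
+        return false;
+    }
+
+    // If it doesn't have a PDF extension, it's not safe.
+    if ( 0 !== substr_compare( $value, '.pdf', -4, 4, true ) ) {
+        return false;
+    }
+
+    // If the URL host matches the current site's media URL, it's safe.
+    $upload_info = wp_upload_dir( null, false );
+    $upload_host = wp_parse_url( $upload_info['url'], PHP_URL_HOST );
+    if ( 0 === strpos( $value, "http://$upload_host/" ) || 0 === strpos( $value, "https://$upload_host/" ) ) {
+        return true;
+    }
+
+    return false;
+}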
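Review bot: `_wp_kses_allow_pdf_objects` does not fail closed when `wp_parse_url()` yields no host for the upload URL: with `$upload_host` empty or null the accepted prefix degrades to `"http:///"`, which a value such as `http:///evil.example/x.pdf` satisfies, and browsers generally collapse the extra slash back into a host. Add `if ( empty( $upload_host ) ) { return false; }` between the `wp_parse_url()` call and the prefix comparison so a misconfigured upload URL rejects every object rather than accepting any host. The docblock also names a parameter the function does not have; change it to `@param string $value The URL to check.`. Note that the commit message says the data URL is checked against the `type` attribute, but this callback only sees `$value`, so that constraint presumably lives in the `'type'` entry whose lines continue outside the first hunk.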