Index: /trunk/src/wp-includes/kses.php
===================================================================
--- /trunk/src/wp-includes/kses.php (revision 52303)
+++ /trunk/src/wp-includes/kses.php (revision 52304)
@@ -273,5 +273,8 @@
),
'object' => array(
- 'data' => true,
+ 'data' => array(
+ 'required' => true,
+ 'value_callback' => '_wp_kses_allow_pdf_objects',
+ ),
'type' => array(
'required' => true,
@@ -1662,4 +1665,15 @@
}
break;
+
+ case 'value_callback':
+ /*
+ * The value_callback check is used when you want to make sure that the attribute
+ * value is accepted by the callback function.
+ */
+
+ if ( ! call_user_func( $checkvalue, $value ) ) {
+ $ok = false;
+ }
+ break;
} // End switch.
@@ -2567,2 +2581,33 @@
return $value;
}
+
+/**
+ * Helper function to check if this is a safe PDF URL.
+ *
+ * @since 5.9.0
+ * @access private
+ * @ignore
+ *
+ * @param string $url The URL to check.
+ * @return bool True if the URL is safe, false otherwise.
+ */
+function _wp_kses_allow_pdf_objects( $value ) {
+ // We're not interested in URLs that contain query strings or fragments.
+ if ( strpos( $value, '?' ) !== false || strpos( $value, '#' ) !== false ) {
+ return false;
+ }
+
+ // If it doesn't have a PDF extension, it's not safe.
+ if ( 0 !== substr_compare( $value, '.pdf', -4, 4, true ) ) {
+ return false;
+ }
+
+ // If the URL host matches the current site's media URL, it's safe.
+ $upload_info = wp_upload_dir( null, false );
+ $upload_host = wp_parse_url( $upload_info['url'], PHP_URL_HOST );
+ if ( 0 === strpos( $value, "http://$upload_host/" ) || 0 === strpos( $value, "https://$upload_host/" ) ) {
+ return true;
+ }
+
+ return false;
+}
Index: /trunk/tests/phpunit/tests/kses.php
===================================================================
--- /trunk/tests/phpunit/tests/kses.php (revision 52303)
+++ /trunk/tests/phpunit/tests/kses.php (revision 52304)
@@ -1518,57 +1518,81 @@
return array(
'valid value for type' => array(
- '',
- '',
+ '',
+ '',
),
'invalid value for type' => array(
- '',
+ '',
'',
),
'multiple type attributes, last invalid' => array(
- '',
- '',
+ '',
+ '',
),
'multiple type attributes, first uppercase, last invalid' => array(
- '',
- '',
+ '',
+ '',
),
'multiple type attributes, last upper case and invalid' => array(
- '',
- '',
+ '',
+ '',
),
'multiple type attributes, first invalid' => array(
- '',
+ '',
'',
),
'multiple type attributes, first upper case and invalid' => array(
- '',
+ '',
'',
),
'multiple type attributes, first invalid, last uppercase' => array(
- '',
+ '',
'',
),
'multiple object tags, last invalid' => array(
- '',
- '',
+ '',
+ '',
),
'multiple object tags, first invalid' => array(
- '',
- '',
+ '',
+ '',
),
'type attribute with partially incorrect value' => array(
- '',
+ '',
'',
),
'type attribute with empty value' => array(
- '',
+ '',
'',
),
'type attribute with no value' => array(
- '',
+ '',
'',
),
'no type attribute' => array(
- '',
+ '',
+ '',
+ ),
+ 'different protocol in url' => array(
+ '',
+ '',
+ ),
+ 'query string on url' => array(
+ '',
+ '',
+ ),
+ 'fragment on url' => array(
+ '',
+ '',
+ ),
+ 'wrong extension' => array(
+ '',
+ '',
+ ),
+ 'protocol relative url' => array(
+ '',
+ '',
+ ),
+ 'relative url' => array(
+ '',
'',
),