Changeset 52309
- Timestamp:
- 12/03/2021 02:42:17 AM (3 years ago)
- Location:
- trunk
- Files:
-
- 2 edited
trunk/src/wp-includes/kses.php
r52304 r52309 2592 2592 * @return bool True if the URL is safe, false otherwise. 2593 2593 */ 2594 function _wp_kses_allow_pdf_objects( $ value) {2594 function _wp_kses_allow_pdf_objects( $url ) { 2595 2595 // We're not interested in URLs that contain query strings or fragments. 2596 if ( strpos( $ value, '?' ) !== false || strpos( $value, '#' ) !== false ) {2596 if ( strpos( $url, '?' ) !== false || strpos( $url, '#' ) !== false ) { 2597 2597 return false; 2598 2598 } 2599 2599 2600 2600 // If it doesn't have a PDF extension, it's not safe. 2601 if ( 0 !== substr_compare( $ value, '.pdf', -4, 4, true ) ) {2601 if ( 0 !== substr_compare( $url, '.pdf', -4, 4, true ) ) { 2602 2602 return false; 2603 2603 } … … 2605 2605 // If the URL host matches the current site's media URL, it's safe. 2606 2606 $upload_info = wp_upload_dir( null, false ); 2607 $upload_host = wp_parse_url( $upload_info['url'], PHP_URL_HOST ); 2608 if ( 0 === strpos( $value, "http://$upload_host/" ) || 0 === strpos( $value, "https://$upload_host/" ) ) { 2607 $parsed_url = wp_parse_url( $upload_info['url'] ); 2608 $upload_host = isset( $parsed_url['host'] ) ? $parsed_url['host'] : ''; 2609 $upload_port = isset( $parsed_url['port'] ) ? ':' . $parsed_url['port'] : ''; 2610 if ( 0 === strpos( $url, "http://$upload_host$upload_port/" ) || 0 === strpos( $url, "https://$upload_host$upload_port/" ) ) { 2609 2611 return true; 2610 2612 } -
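Review bot: When `wp_parse_url()` yields no host, the `''` fallback introduced at 2608 turns the allow-list prefix built at 2610 into `http:///`, so a degenerate URL such as `http:///x.pdf` would be treated as same-host instead of being rejected; the function should fail closed there, `if ( '' === $upload_host ) { return false; }` placed right after line 2608. Whether `wp_upload_dir()` can ever return a host-less `url` is not visible in this hunk, so this is a defensive check rather than a known reachable path. The prefix comparison is byte-wise, so a differently-cased host is rejected, which is the safe direction and worth a one-line comment above 2610 so it is not "fixed" later. The body of `_wp_kses_allow_pdf_objects()` continues past the end of the hunk.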
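--- a/trunk/tests/phpunit/tests/kses.php
+++ b/trunk/tests/phpunit/tests/kses.php
@@ -1597,5 +1597,60 @@
 '',
 ),
-);
+'url with port number-like path' => array(
+'<object type="application/pdf" data="https://example.org/cat:8888/foo.pdf" />',
+'<object type="application/pdf" data="https://example.org/cat:8888/foo.pdf" />',
+),
+);
+}
+
+/**
+ * Test that object tags are allowed when there is a port number in the URL.
+ *
+ * @ticket 54261
+ *
+ * @dataProvider data_wp_kses_object_data_url_with_port_number_allowed
+ *
+ * @param string $html A string of HTML to test.
+ * @param string $expected The expected result from KSES.
+ */
+function test_wp_kses_object_data_url_with_port_number_allowed( $html, $expected ) {
+add_filter( 'upload_dir', array( $this, 'wp_kses_upload_dir_filter' ), 10, 2 );
+$this->assertSame( $expected, wp_kses_post( $html ) );
+}
+
+/**
+ * Data provider for test_wp_kses_object_data_url_with_port_number_allowed().
+ */
+function data_wp_kses_object_data_url_with_port_number_allowed() {
+return array(
+'url with port number' => array(
+'<object type="application/pdf" data="https://example.org:8888/cat/foo.pdf" />',
+'<object type="application/pdf" data="https://example.org:8888/cat/foo.pdf" />',
+),
+'url with port number and http protocol' => array(
+'<object type="application/pdf" data="http://example.org:8888/cat/foo.pdf" />',
+'<object type="application/pdf" data="http://example.org:8888/cat/foo.pdf" />',
+),
+'url with wrong port number' => array(
+'<object type="application/pdf" data="http://example.org:3333/cat/foo.pdf" />',
+'',
+),
+'url without port number' => array(
+'<object type="application/pdf" data="http://example.org/cat/foo.pdf" />',
+'',
+),
+);
+}
+
+/**
+ * Filter upload directory for tests using port number.
+ *
+ * @param array $param See wp_upload_dir()
+ * @return array $param with a modified `url`.
+ */
+public function wp_kses_upload_dir_filter( $param ) {
+$url_with_port_number = is_string( $param['url'] ) ? str_replace( 'example.org', 'example.org:8888', $param['url'] ) : $param['url'];
+$param['url'] = $url_with_port_number;
+return $param;
 }
 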
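Review bot: The two new test methods at 1616 and 1624 are declared without a visibility keyword while `wp_kses_upload_dir_filter` at 1651 is `public function`; the three should agree, `public function test_wp_kses_object_data_url_with_port_number_allowed( $html, $expected ) {` and `public function data_wp_kses_object_data_url_with_port_number_allowed() {`. The `upload_dir` filter registered at 1617 is never removed inside the test, so unless the base test case restores hooks between tests (not visible here) the rewritten upload URL would leak into later kses tests; a `remove_filter( 'upload_dir', array( $this, 'wp_kses_upload_dir_filter' ), 10 );` after the assertion makes the isolation explicit either way. The 'url with port number-like path' case at 1599 is appended to a provider whose declaration starts before the hunk, so the test that consumes it and the upload URL it runs against cannot be confirmed from this section.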