Changeset 54933
- Timestamp:
- 12/05/2022 01:55:20 PM (2 years ago)
- File:
-
- 1 edited
trunk/src/wp-includes/kses.php
r54698 r54933 737 737 * @since 1.0.0 738 738 * 739 * @param string $ stringText content to filter.739 * @param string $content Text content to filter. 740 740 * @param array[]|string $allowed_html An array of allowed HTML elements and attributes, 741 741 * or a context name such as 'post'. See wp_kses_allowed_html() … … 745 745 * @return string Filtered content containing only the allowed HTML. 746 746 */ 747 function wp_kses( $ string, $allowed_html, $allowed_protocols = array() ) {747 function wp_kses( $content, $allowed_html, $allowed_protocols = array() ) { 748 748 if ( empty( $allowed_protocols ) ) { 749 749 $allowed_protocols = wp_allowed_protocols(); 750 750 } 751 751 752 $ string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );753 $ string = wp_kses_normalize_entities( $string);754 $ string = wp_kses_hook( $string, $allowed_html, $allowed_protocols );755 756 return wp_kses_split( $ string, $allowed_html, $allowed_protocols );752 $content = wp_kses_no_null( $content, array( 'slash_zero' => 'keep' ) ); 753 $content = wp_kses_normalize_entities( $content ); 754 $content = wp_kses_hook( $content, $allowed_html, $allowed_protocols ); 755 756 return wp_kses_split( $content, $allowed_html, $allowed_protocols ); 757 757 } 758 758 … … 764 764 * @since 4.2.3 765 765 * 766 * @param string $ stringThe 'whole' attribute, including name and value.766 * @param string $attr The 'whole' attribute, including name and value. 767 767 * @param string $element The HTML element name to which the attribute belongs. 768 768 * @return string Filtered attribute. 
769 769 */ 770 function wp_kses_one_attr( $ string, $element ) {770 function wp_kses_one_attr( $attr, $element ) { 771 771 $uris = wp_kses_uri_attributes(); 772 772 $allowed_html = wp_kses_allowed_html( 'post' ); 773 773 $allowed_protocols = wp_allowed_protocols(); 774 $ string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );774 $attr = wp_kses_no_null( $attr, array( 'slash_zero' => 'keep' ) ); 775 775 776 776 // Preserve leading and trailing whitespace. 777 777 $matches = array(); 778 preg_match( '/^\s*/', $ string, $matches );778 preg_match( '/^\s*/', $attr, $matches ); 779 779 $lead = $matches[0]; 780 preg_match( '/\s*$/', $ string, $matches );780 preg_match( '/\s*$/', $attr, $matches ); 781 781 $trail = $matches[0]; 782 782 if ( empty( $trail ) ) { 783 $ string = substr( $string, strlen( $lead ) );783 $attr = substr( $attr, strlen( $lead ) ); 784 784 } else { 785 $ string = substr( $string, strlen( $lead ), -strlen( $trail ) );785 $attr = substr( $attr, strlen( $lead ), -strlen( $trail ) ); 786 786 } 787 787 788 788 // Parse attribute name and value from input. 789 $split = preg_split( '/\s*=\s*/', $ string, 2 );789 $split = preg_split( '/\s*=\s*/', $attr, 2 ); 790 790 $name = $split[0]; 791 791 if ( count( $split ) == 2 ) { … … 793 793 794 794 // Remove quotes surrounding $value. 795 // Also guarantee correct quoting in $ stringfor this one attribute.795 // Also guarantee correct quoting in $attr for this one attribute. 796 796 if ( '' === $value ) { 797 797 $quote = ''; … … 816 816 } 817 817 818 $ string= "$name=$quote$value$quote";819 $vless 818 $attr = "$name=$quote$value$quote"; 819 $vless = 'n'; 820 820 } else { 821 821 $value = ''; … … 824 824 825 825 // Sanitize attribute by name. 826 wp_kses_attr_check( $name, $value, $ string, $vless, $element, $allowed_html );826 wp_kses_attr_check( $name, $value, $attr, $vless, $element, $allowed_html ); 827 827 828 828 // Restore whitespace. 829 return $lead . $ string. $trail;829 return $lead . 
$attr . $trail; 830 830 } 831 831 … … 923 923 * @since 1.0.0 924 924 * 925 * @param string $ stringContent to filter through KSES.925 * @param string $content Content to filter through KSES. 926 926 * @param array[]|string $allowed_html An array of allowed HTML elements and attributes, 927 927 * or a context name such as 'post'. See wp_kses_allowed_html() … … 930 930 * @return string Filtered content through {@see 'pre_kses'} hook. 931 931 */ 932 function wp_kses_hook( $ string, $allowed_html, $allowed_protocols ) {932 function wp_kses_hook( $content, $allowed_html, $allowed_protocols ) { 933 933 /** 934 934 * Filters content to be run through KSES. … … 936 936 * @since 2.3.0 937 937 * 938 * @param string $ stringContent to filter through KSES.938 * @param string $content Content to filter through KSES. 939 939 * @param array[]|string $allowed_html An array of allowed HTML elements and attributes, 940 940 * or a context name such as 'post'. See wp_kses_allowed_html() … … 942 942 * @param string[] $allowed_protocols Array of allowed URL protocols. 943 943 */ 944 return apply_filters( 'pre_kses', $ string, $allowed_html, $allowed_protocols );944 return apply_filters( 'pre_kses', $content, $allowed_html, $allowed_protocols ); 945 945 } 946 946 … … 967 967 * @global string[] $pass_allowed_protocols Array of allowed URL protocols. 968 968 * 969 * @param string $ stringContent to filter.969 * @param string $content Content to filter. 970 970 * @param array[]|string $allowed_html An array of allowed HTML elements and attributes, 971 971 * or a context name such as 'post'. 
See wp_kses_allowed_html() … … 974 974 * @return string Content with fixed HTML tags 975 975 */ 976 function wp_kses_split( $ string, $allowed_html, $allowed_protocols ) {976 function wp_kses_split( $content, $allowed_html, $allowed_protocols ) { 977 977 global $pass_allowed_html, $pass_allowed_protocols; 978 978 … … 980 980 $pass_allowed_protocols = $allowed_protocols; 981 981 982 return preg_replace_callback( '%(<!--.*?(-->|$))|(<[^>]*(>|$)|>)%', '_wp_kses_split_callback', $ string);982 return preg_replace_callback( '%(<!--.*?(-->|$))|(<[^>]*(>|$)|>)%', '_wp_kses_split_callback', $content ); 983 983 } 984 984 … … 1044 1044 * @global string[] $pass_allowed_protocols Array of allowed URL protocols. 1045 1045 * 1046 * @param array $match preg_replace regexp matches1046 * @param array $matches preg_replace regexp matches 1047 1047 * @return string 1048 1048 */ 1049 function _wp_kses_split_callback( $match ) {1049 function _wp_kses_split_callback( $matches ) { 1050 1050 global $pass_allowed_html, $pass_allowed_protocols; 1051 1051 1052 return wp_kses_split2( $match [0], $pass_allowed_html, $pass_allowed_protocols );1052 return wp_kses_split2( $matches[0], $pass_allowed_html, $pass_allowed_protocols ); 1053 1053 } 1054 1054 … … 1069 1069 * @since 1.0.0 1070 1070 * 1071 * @param string $ stringContent to filter.1071 * @param string $content Content to filter. 1072 1072 * @param array[]|string $allowed_html An array of allowed HTML elements and attributes, 1073 1073 * or a context name such as 'post'. See wp_kses_allowed_html() … … 1076 1076 * @return string Fixed HTML element 1077 1077 */ 1078 function wp_kses_split2( $ string, $allowed_html, $allowed_protocols ) {1079 $ string = wp_kses_stripslashes( $string);1078 function wp_kses_split2( $content, $allowed_html, $allowed_protocols ) { 1079 $content = wp_kses_stripslashes( $content ); 1080 1080 1081 1081 // It matched a ">" character. 
1082 if ( '<' !== substr( $ string, 0, 1 ) ) {1082 if ( '<' !== substr( $content, 0, 1 ) ) { 1083 1083 return '>'; 1084 1084 } 1085 1085 1086 1086 // Allow HTML comments. 1087 if ( '<!--' === substr( $ string, 0, 4 ) ) {1088 $ string = str_replace( array( '<!--', '-->' ), '', $string);1089 while ( ( $newstring = wp_kses( $ string, $allowed_html, $allowed_protocols ) ) != $string) {1090 $ string= $newstring;1087 if ( '<!--' === substr( $content, 0, 4 ) ) { 1088 $content = str_replace( array( '<!--', '-->' ), '', $content ); 1089 while ( ( $newstring = wp_kses( $content, $allowed_html, $allowed_protocols ) ) != $content ) { 1090 $content = $newstring; 1091 1091 } 1092 if ( '' === $ string) {1092 if ( '' === $content ) { 1093 1093 return ''; 1094 1094 } 1095 1095 // Prevent multiple dashes in comments. 1096 $ string = preg_replace( '/--+/', '-', $string);1096 $content = preg_replace( '/--+/', '-', $content ); 1097 1097 // Prevent three dashes closing a comment. 1098 $ string = preg_replace( '/-$/', '', $string);1099 return "<!--{$ string}-->";1098 $content = preg_replace( '/-$/', '', $content ); 1099 return "<!--{$content}-->"; 1100 1100 } 1101 1101 1102 1102 // It's seriously malformed. 1103 if ( ! preg_match( '%^<\s*(/\s*)?([a-zA-Z0-9-]+)([^>]*)>?$%', $ string, $matches ) ) {1103 if ( ! preg_match( '%^<\s*(/\s*)?([a-zA-Z0-9-]+)([^>]*)>?$%', $content, $matches ) ) { 1104 1104 return ''; 1105 1105 } … … 1682 1682 * @since 1.0.0 1683 1683 * 1684 * @param string $ stringContent to filter bad protocols from.1684 * @param string $content Content to filter bad protocols from. 1685 1685 * @param string[] $allowed_protocols Array of allowed URL protocols. 1686 1686 * @return string Filtered content. 
1687 1687 */ 1688 function wp_kses_bad_protocol( $ string, $allowed_protocols ) {1689 $ string = wp_kses_no_null( $string);1688 function wp_kses_bad_protocol( $content, $allowed_protocols ) { 1689 $content = wp_kses_no_null( $content ); 1690 1690 $iterations = 0; 1691 1691 1692 1692 do { 1693 $original_ string = $string;1694 $ string = wp_kses_bad_protocol_once( $string, $allowed_protocols );1695 } while ( $original_ string != $string&& ++$iterations < 6 );1696 1697 if ( $original_ string != $string) {1693 $original_content = $content; 1694 $content = wp_kses_bad_protocol_once( $content, $allowed_protocols ); 1695 } while ( $original_content != $content && ++$iterations < 6 ); 1696 1697 if ( $original_content != $content ) { 1698 1698 return ''; 1699 1699 } 1700 1700 1701 return $ string;1701 return $content; 1702 1702 } 1703 1703 … … 1709 1709 * @since 1.0.0 1710 1710 * 1711 * @param string $ stringContent to filter null characters from.1711 * @param string $content Content to filter null characters from. 1712 1712 * @param array $options Set 'slash_zero' => 'keep' when '\0' is allowed. Default is 'remove'. 1713 1713 * @return string Filtered content. 1714 1714 */ 1715 function wp_kses_no_null( $ string, $options = null ) {1715 function wp_kses_no_null( $content, $options = null ) { 1716 1716 if ( ! 
isset( $options['slash_zero'] ) ) { 1717 1717 $options = array( 'slash_zero' => 'remove' ); 1718 1718 } 1719 1719 1720 $ string = preg_replace( '/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $string);1720 $content = preg_replace( '/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $content ); 1721 1721 if ( 'remove' === $options['slash_zero'] ) { 1722 $ string = preg_replace( '/\\\\+0+/', '', $string);1723 } 1724 1725 return $ string;1722 $content = preg_replace( '/\\\\+0+/', '', $content ); 1723 } 1724 1725 return $content; 1726 1726 } 1727 1727 … … 1734 1734 * @since 1.0.0 1735 1735 * 1736 * @param string $ stringString to strip slashes from.1736 * @param string $content String to strip slashes from. 1737 1737 * @return string Fixed string with quoted slashes. 1738 1738 */ 1739 function wp_kses_stripslashes( $ string) {1740 return preg_replace( '%\\\\"%', '"', $ string);1739 function wp_kses_stripslashes( $content ) { 1740 return preg_replace( '%\\\\"%', '"', $content ); 1741 1741 } 1742 1742 … … 1773 1773 * @since 1.0.0 1774 1774 * 1775 * @param string $ string1775 * @param string $attr 1776 1776 * @return string 1777 1777 */ 1778 function wp_kses_html_error( $ string) {1779 return preg_replace( '/^("[^"]*("|$)|\'[^\']*(\'|$)|\S)*\s*/', '', $ string);1778 function wp_kses_html_error( $attr ) { 1779 return preg_replace( '/^("[^"]*("|$)|\'[^\']*(\'|$)|\S)*\s*/', '', $attr ); 1780 1780 } 1781 1781 … … 1788 1788 * @since 1.0.0 1789 1789 * 1790 * @param string $ stringContent to check for bad protocols.1790 * @param string $content Content to check for bad protocols. 1791 1791 * @param string[] $allowed_protocols Array of allowed URL protocols. 1792 1792 * @param int $count Depth of call recursion to this function. 1793 1793 * @return string Sanitized content. 
1794 1794 */ 1795 function wp_kses_bad_protocol_once( $string, $allowed_protocols, $count = 1 ) { 1796 $string = preg_replace( '/(�*58(?![;0-9])|�*3a(?![;a-f0-9]))/i', '$1;', $string ); 1797 $string2 = preg_split( '/:|�*58;|�*3a;|:/i', $string, 2 ); 1798 if ( isset( $string2[1] ) && ! preg_match( '%/\?%', $string2[0] ) ) { 1799 $string = trim( $string2[1] ); 1800 $protocol = wp_kses_bad_protocol_once2( $string2[0], $allowed_protocols ); 1795 function wp_kses_bad_protocol_once( $content, $allowed_protocols, $count = 1 ) { 1796 $content = preg_replace( '/(�*58(?![;0-9])|�*3a(?![;a-f0-9]))/i', '$1;', $content ); 1797 $content2 = preg_split( '/:|�*58;|�*3a;|:/i', $content, 2 ); 1798 1799 if ( isset( $content2[1] ) && ! preg_match( '%/\?%', $content2[0] ) ) { 1800 $content = trim( $content2[1] ); 1801 $protocol = wp_kses_bad_protocol_once2( $content2[0], $allowed_protocols ); 1801 1802 if ( 'feed:' === $protocol ) { 1802 1803 if ( $count > 2 ) { 1803 1804 return ''; 1804 1805 } 1805 $ string = wp_kses_bad_protocol_once( $string, $allowed_protocols, ++$count );1806 if ( empty( $ string) ) {1807 return $ string;1806 $content = wp_kses_bad_protocol_once( $content, $allowed_protocols, ++$count ); 1807 if ( empty( $content ) ) { 1808 return $content; 1808 1809 } 1809 1810 } 1810 $ string = $protocol . $string;1811 } 1812 1813 return $ string;1811 $content = $protocol . $content; 1812 } 1813 1814 return $content; 1814 1815 } 1815 1816 … … 1825 1826 * @since 1.0.0 1826 1827 * 1827 * @param string $s tringURI scheme to check against the list of allowed protocols.1828 * @param string $scheme URI scheme to check against the list of allowed protocols. 1828 1829 * @param string[] $allowed_protocols Array of allowed URL protocols. 1829 1830 * @return string Sanitized content. 
1830 1831 */ 1831 function wp_kses_bad_protocol_once2( $s tring, $allowed_protocols ) {1832 $s tring2 = wp_kses_decode_entities( $string);1833 $s tring2 = preg_replace( '/\s/', '', $string2);1834 $s tring2 = wp_kses_no_null( $string2);1835 $s tring2 = strtolower( $string2);1832 function wp_kses_bad_protocol_once2( $scheme, $allowed_protocols ) { 1833 $scheme = wp_kses_decode_entities( $scheme ); 1834 $scheme = preg_replace( '/\s/', '', $scheme ); 1835 $scheme = wp_kses_no_null( $scheme ); 1836 $scheme = strtolower( $scheme ); 1836 1837 1837 1838 $allowed = false; 1838 1839 foreach ( (array) $allowed_protocols as $one_protocol ) { 1839 if ( strtolower( $one_protocol ) == $s tring2) {1840 if ( strtolower( $one_protocol ) == $scheme ) { 1840 1841 $allowed = true; 1841 1842 break; … … 1844 1845 1845 1846 if ( $allowed ) { 1846 return "$s tring2:";1847 return "$scheme:"; 1847 1848 } else { 1848 1849 return ''; … … 1862 1863 * @since 5.5.0 Added `$context` parameter. 1863 1864 * 1864 * @param string $ stringContent to normalize entities.1865 * @param string $content Content to normalize entities. 1865 1866 * @param string $context Context for normalization. Can be either 'html' or 'xml'. 1866 1867 * Default 'html'. 1867 1868 * @return string Content with normalized entities. 1868 1869 */ 1869 function wp_kses_normalize_entities( $ string, $context = 'html' ) {1870 function wp_kses_normalize_entities( $content, $context = 'html' ) { 1870 1871 // Disarm all entities by converting & to & 1871 $ string = str_replace( '&', '&', $string);1872 $content = str_replace( '&', '&', $content ); 1872 1873 1873 1874 // Change back the allowed entities in our list of allowed entities. 
1874 1875 if ( 'xml' === $context ) { 1875 $ string = preg_replace_callback( '/&([A-Za-z]{2,8}[0-9]{0,2});/', 'wp_kses_xml_named_entities', $string);1876 $content = preg_replace_callback( '/&([A-Za-z]{2,8}[0-9]{0,2});/', 'wp_kses_xml_named_entities', $content ); 1876 1877 } else { 1877 $ string = preg_replace_callback( '/&([A-Za-z]{2,8}[0-9]{0,2});/', 'wp_kses_named_entities', $string);1878 } 1879 $ string = preg_replace_callback( '/&#(0*[0-9]{1,7});/', 'wp_kses_normalize_entities2', $string);1880 $ string = preg_replace_callback( '/&#[Xx](0*[0-9A-Fa-f]{1,6});/', 'wp_kses_normalize_entities3', $string);1881 1882 return $ string;1878 $content = preg_replace_callback( '/&([A-Za-z]{2,8}[0-9]{0,2});/', 'wp_kses_named_entities', $content ); 1879 } 1880 $content = preg_replace_callback( '/&#(0*[0-9]{1,7});/', 'wp_kses_normalize_entities2', $content ); 1881 $content = preg_replace_callback( '/&#[Xx](0*[0-9A-Fa-f]{1,6});/', 'wp_kses_normalize_entities3', $content ); 1882 1883 return $content; 1883 1884 } 1884 1885 … … 2015 2016 * @since 1.0.0 2016 2017 * 2017 * @param string $ stringContent to change entities.2018 * @param string $content Content to change entities. 2018 2019 * @return string Content after decoded entities. 
2019 2020 */ 2020 function wp_kses_decode_entities( $ string) {2021 $ string = preg_replace_callback( '/&#([0-9]+);/', '_wp_kses_decode_entities_chr', $string);2022 $ string = preg_replace_callback( '/&#[Xx]([0-9A-Fa-f]+);/', '_wp_kses_decode_entities_chr_hexdec', $string);2023 2024 return $ string;2021 function wp_kses_decode_entities( $content ) { 2022 $content = preg_replace_callback( '/&#([0-9]+);/', '_wp_kses_decode_entities_chr', $content ); 2023 $content = preg_replace_callback( '/&#[Xx]([0-9A-Fa-f]+);/', '_wp_kses_decode_entities_chr_hexdec', $content ); 2024 2025 return $content; 2025 2026 } 2026 2027 … … 2032 2033 * @ignore 2033 2034 * 2034 * @param array $match preg match2035 * @param array $matches preg match 2035 2036 * @return string 2036 2037 */ 2037 function _wp_kses_decode_entities_chr( $match ) {2038 return chr( $match [1] );2038 function _wp_kses_decode_entities_chr( $matches ) { 2039 return chr( $matches[1] ); 2039 2040 } 2040 2041 … … 2046 2047 * @ignore 2047 2048 * 2048 * @param array $match preg match2049 * @param array $matches preg match 2049 2050 * @return string 2050 2051 */ 2051 function _wp_kses_decode_entities_chr_hexdec( $match ) {2052 return chr( hexdec( $match [1] ) );2052 function _wp_kses_decode_entities_chr_hexdec( $matches ) { 2053 return chr( hexdec( $matches[1] ) ); 2053 2054 } 2054 2055
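Review bot: The convergence loops and the allowlist match on the renamed lines still use loose comparison: `!= $content` in wp_kses_split2 and wp_kses_bad_protocol, and `strtolower( $one_protocol ) == $scheme` in wp_kses_bad_protocol_once2. Under `==`/`!=` PHP compares two numeric-looking strings by value rather than byte for byte, so a sanitizer can treat two different strings as unchanged or as matching. Nothing visible here shows that being reachable, but strict operators remove the question. Since the rename already rewrites each of these lines, I would switch them in the same pass, e.g. `if ( strtolower( $one_protocol ) === $scheme ) {` and `} while ( $original_content !== $content && ++$iterations < 6 );`. Several of these function bodies are elided between hunks, so the remaining comparisons in the full file deserve the same check.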