Make WordPress Core


Ignore:
Timestamp:
05/16/2023 03:13:50 PM (10 months ago)
Author:
audrasjb
Message:

Grouped backports to the 6.1 branch.

  • Media: Prevent CSRF setting attachment thumbnails.
  • Embeds: Add protocol validation for WordPress Embed code.
  • I18N: Introduce sanitization function for locale.
  • Editor: Ensure block comments are of a valid form.
  • Editor: Remove shortcode support from block templates.

Merges [55760-55764] to the 6.1 branch.
Props dd32, isabel_brison, martinkrcho, matveb, ocean90, paulkevan, peterwilsoncc, timothyblynjacobs, xknown, youknowriad.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • branches/6.1/src/wp-includes/blocks.php

    r54520 r55771  
    795795    $result = '';
    796796
     797    if ( false !== strpos( $text, '<!--' ) && false !== strpos( $text, '--->' ) ) {
     798        $text = preg_replace_callback( '%<!--(.*?)--->%', '_filter_block_content_callback', $text );
     799    }
     800
    797801    $blocks = parse_blocks( $text );
    798802    foreach ( $blocks as $block ) {
     
    802806
    803807    return $result;
     808}
     809
     810/**
     811 * Callback used for regular expression replacement in filter_block_content().
     812 *
     813 * @private
     814 * @since 6.2.1
     815 *
     816 * @param array $matches Array of preg_replace_callback matches.
     817 * @return string Replacement string.
     818 */
     819function _filter_block_content_callback( $matches ) {
     820    return '<!--' . rtrim( $matches[1], '-' ) . '-->';
    804821}
    805822
Note: See TracChangeset for help on using the changeset viewer.