Changeset 58474
- Timestamp:
- 06/24/2024 03:02:41 PM (5 months ago)
- Location:
- branches/6.5/src/wp-includes
- Files:
-
- 4 edited
branches/6.5/src/wp-includes/blocks.php
r57677 r58474 1448 1448 */ 1449 1449 function filter_block_kses( $block, $allowed_html, $allowed_protocols = array() ) { 1450 $block['attrs'] = filter_block_kses_value( $block['attrs'], $allowed_html, $allowed_protocols );1450 $block['attrs'] = filter_block_kses_value( $block['attrs'], $allowed_html, $allowed_protocols, $block ); 1451 1451 1452 1452 if ( is_array( $block['innerBlocks'] ) ) { … … 1464 1464 * 1465 1465 * @since 5.3.1 1466 * @since 6.5.5 Added the `$block_context` parameter. 1466 1467 * 1467 1468 * @param string[]|string $value The attribute value to filter. … … 1471 1472 * @param string[] $allowed_protocols Optional. Array of allowed URL protocols. 1472 1473 * Defaults to the result of wp_allowed_protocols(). 1474 * @param array $block_context Optional. The block the attribute belongs to, in parsed block array format. 1473 1475 * @return string[]|string The filtered and sanitized result. 1474 1476 */ 1475 function filter_block_kses_value( $value, $allowed_html, $allowed_protocols = array() ) {1477 function filter_block_kses_value( $value, $allowed_html, $allowed_protocols = array(), $block_context = null ) { 1476 1478 if ( is_array( $value ) ) { 1477 1479 foreach ( $value as $key => $inner_value ) { 1478 $filtered_key = filter_block_kses_value( $key, $allowed_html, $allowed_protocols ); 1479 $filtered_value = filter_block_kses_value( $inner_value, $allowed_html, $allowed_protocols ); 1480 $filtered_key = filter_block_kses_value( $key, $allowed_html, $allowed_protocols, $block_context ); 1481 $filtered_value = filter_block_kses_value( $inner_value, $allowed_html, $allowed_protocols, $block_context ); 1482 1483 if ( isset( $block_context['blockName'] ) && 'core/template-part' === $block_context['blockName'] ) { 1484 $filtered_value = filter_block_core_template_part_attributes( $filtered_value, $filtered_key, $allowed_html ); 1485 } 1480 1486 1481 1487 if ( $filtered_key !== $key ) { … … 1490 1496 1491 1497 return $value; 1498 } 1499 1500 /** 1501 * 
Sanitizes the value of the Template Part block's `tagName` attribute. 1502 * 1503 * @since 6.5.5 1504 * 1505 * @param string $attribute_value The attribute value to filter. 1506 * @param string $attribute_name The attribute name. 1507 * @param array[]|string $allowed_html An array of allowed HTML elements and attributes, 1508 * or a context name such as 'post'. See wp_kses_allowed_html() 1509 * for the list of accepted context names. 1510 * @return string The sanitized attribute value. 1511 */ 1512 function filter_block_core_template_part_attributes( $attribute_value, $attribute_name, $allowed_html ) { 1513 if ( empty( $attribute_value ) || 'tagName' !== $attribute_name ) { 1514 return $attribute_value; 1515 } 1516 if ( ! is_array( $allowed_html ) ) { 1517 $allowed_html = wp_kses_allowed_html( $allowed_html ); 1518 } 1519 return isset( $allowed_html[ $attribute_value ] ) ? $attribute_value : ''; 1492 1520 } 1493 1521 -
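Review bot: `filter_block_core_template_part_attributes()` uses `$attribute_value` directly as an array key in `isset( $allowed_html[ $attribute_value ] )`, and nothing before that line guarantees it is a string. `filter_block_kses_value()` returns an array when the attribute value is an array, and block attributes originate in post content, so a `tagName` holding an array would reach `isset()` with an array offset; on PHP 8 that is a TypeError rather than a sanitized value. Failing closed keeps the sanitizer total: `if ( ! is_string( $attribute_value ) ) { return ''; }`, placed right after the `tagName` name check. The docblock could also state that a tag name missing from the allowed list is replaced with an empty string.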
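--- a/branches/6.5/src/wp-includes/formatting.php
+++ b/branches/6.5/src/wp-includes/formatting.php
@@ -4803,4 +4803,5 @@
 *
 * @since 2.5.0
+* @since 6.5.5 Allow hyphens in tag names (i.e. custom elements).
 *
 * @param string $tag_name
@@ -4808,5 +4809,5 @@
 */
 function tag_escape( $tag_name ) {
-$safe_tag = strtolower( preg_replace( '/[^a-zA-Z0-9 _:]/', '', $tag_name ) );
+$safe_tag = strtolower( preg_replace( '/[^a-zA-Z0-9-_:]/', '', $tag_name ) );
 /**
 * Filters a string cleaned and escaped for output as an HTML tag.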
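Review bot: In the new pattern `'/[^a-zA-Z0-9-_:]/'` the hyphen sits between the `0-9` range and `_`; it is literal there only because it directly follows a completed range, which is easy to misread as a `9-_` range and easy to break in a later edit. Moving it to the end of the class makes the intent unambiguous: `'/[^a-zA-Z0-9_:-]/'`. The `@param string $tag_name` line still has no description; now that custom-element names are accepted it could say that the result is lowercased and limited to letters, digits, `-`, `_` and `:`. The body of `tag_escape()` continues past the end of this section.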
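--- a/branches/6.5/src/wp-includes/functions.php
+++ b/branches/6.5/src/wp-includes/functions.php
@@ -6193,4 +6193,7 @@
 }
 
+// Normalize path for Windows servers
+$file = wp_normalize_path( $file );
+
 // `../` on its own is not allowed:
 if ( '../' === $file ) {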
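Review bot: The new comment `// Normalize path for Windows servers` does not say why the call has to come before the checks that follow. The `'../' === $file` test visible below matches forward slashes only, so the normalisation is what lets it, and presumably the other traversal checks in this function, see backslash-separated input; a comment such as `// Normalize separators first so the traversal checks below also match backslash paths on Windows.` records that ordering constraint. Because `$file` is reassigned, any later comparison against caller-supplied paths now uses the normalized form; those comparisons are outside this section and should be checked. The enclosing function starts and ends outside the section.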
branches/6.5/src/wp-includes/html-api/class-wp-html-tag-processor.php
r57815 r58474 2969 2969 $updated_attribute = $name; 2970 2970 } else { 2971 $escaped_new_value = esc_attr( $value ); 2971 $comparable_name = strtolower( $name ); 2972 2973 /* 2974 * Escape URL attributes. 2975 * 2976 * @see https://html.spec.whatwg.org/#attributes-3 2977 */ 2978 $escaped_new_value = in_array( $comparable_name, wp_kses_uri_attributes() ) ? esc_url( $value ) : esc_attr( $value ); 2972 2979 $updated_attribute = "{$name}=\"{$escaped_new_value}\""; 2973 2980 }
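Review bot: The `in_array( $comparable_name, wp_kses_uri_attributes() )` call uses loose comparison; pass the third argument so the attribute-name match is exact: `in_array( $comparable_name, wp_kses_uri_attributes(), true )`. The new branch also changes what callers observe: for URL attributes the stored value is now whatever `esc_url()` returns, which can be an empty string when the URL uses a protocol that is not allowed, so the attribute is written as `name=""` rather than skipped. That behaviour belongs in the method's docblock, which lies outside this section.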