Changeset 650
- Timestamp:
- 12/24/2003 08:43:04 PM (21 years ago)
- Location:
- trunk
- Files:
-
- 4 edited
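--- a/trunk/wp-includes/functions.php
+++ b/trunk/wp-includes/functions.php
@@ -1309,10 +1309,5 @@
 $attributes = $regex[2];
 if($attributes) {
-// fix to avoid CSS defacements
-if ($is_comment) {
-$attributes = str_replace('style=', 'title=', $attributes);
-$attributes = str_replace('class=', 'title=', $attributes);
-$attributes = str_replace('id=', 'title=', $attributes);
-}
+
 $attributes = ' '.$attributes;
 }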
trunk/wp-includes/kses.php
r649 r650 11 11 # [kses strips evil scripts!] 12 12 13 $allowedtags = array('b' => array(), 14 'i' => array(), 15 'strong' => array(), 16 'code' => array(), 17 'em' => array(), 18 'strike' => array(), 19 'a' => array('href' => array('minlen' => 3, 'maxlen' => 50), 20 'title' => array('valueless' => 'n'), 21 'rel' => array('minlen' => 3, 'maxlen' => 250)), 22 'blockquote' => array('cite' => array()), 23 'br' => array()); 13 24 14 25 function wp_kses($string, $allowed_html, $allowed_protocols = … … 22 33 ############################################################################### 23 34 { 24 $string = kses_no_null($string);25 $string = kses_js_entities($string);26 $string = kses_normalize_entities($string);27 $string = kses_hook($string);28 $allowed_html_fixed = kses_array_lc($allowed_html);29 return kses_split($string, $allowed_html_fixed, $allowed_protocols);35 $string = wp_kses_no_null($string); 36 $string = wp_kses_js_entities($string); 37 $string = wp_kses_normalize_entities($string); 38 $string = wp_kses_hook($string); 39 $allowed_html_fixed = wp_kses_array_lc($allowed_html); 40 return wp_kses_split($string, $allowed_html_fixed, $allowed_protocols); 30 41 } # function wp_kses 31 42 … … 59 70 '(>|$)'. # > or end of string 60 71 '|>)%e', # OR: just a > 61 " kses_split2('\\1', \$allowed_html, ".72 "wp_kses_split2('\\1', \$allowed_html, ". 
62 73 '$allowed_protocols)', 63 74 $string); … … 73 84 ############################################################################### 74 85 { 75 $string = kses_stripslashes($string);86 $string = wp_kses_stripslashes($string); 76 87 77 88 if (substr($string, 0, 1) != '<') … … 91 102 # They are using a not allowed HTML element 92 103 93 return kses_attr("$slash$elem", $attrlist, $allowed_html,104 return wp_kses_attr("$slash$elem", $attrlist, $allowed_html, 94 105 $allowed_protocols); 95 106 } # function wp_kses_split2 … … 99 110 ############################################################################### 100 111 # This function removes all attributes, if none are allowed for this element. 101 # If some are allowed it calls kses_hair() to split them further, and then it112 # If some are allowed it calls wp_kses_hair() to split them further, and then it 102 113 # builds up new HTML code from the data that kses_hair() returns. It also 103 114 # removes "<" and ">" characters, if there are any left. One more thing it … … 119 130 # Split it 120 131 121 $attrarr = kses_hair($attr, $allowed_protocols);132 $attrarr = wp_kses_hair($attr, $allowed_protocols); 122 133 123 134 # Go through $attrarr, and save the allowed attributes for this element … … 142 153 $ok = true; 143 154 foreach ($current as $currkey => $currval) 144 if (! 
kses_check_attr_val($arreach['value'], $arreach['vless'],155 if (!wp_kses_check_attr_val($arreach['value'], $arreach['vless'], 145 156 $currkey, $currval)) 146 157 { $ok = false; break; } … … 219 230 # "value" 220 231 { 221 $thisval = kses_bad_protocol($match[1], $allowed_protocols);232 $thisval = wp_kses_bad_protocol($match[1], $allowed_protocols); 222 233 223 234 $attrarr[] = array … … 234 245 # 'value' 235 246 { 236 $thisval = kses_bad_protocol($match[1], $allowed_protocols);247 $thisval = wp_kses_bad_protocol($match[1], $allowed_protocols); 237 248 238 249 $attrarr[] = array … … 249 260 # value 250 261 { 251 $thisval = kses_bad_protocol($match[1], $allowed_protocols);262 $thisval = wp_kses_bad_protocol($match[1], $allowed_protocols); 252 263 253 264 $attrarr[] = array … … 266 277 if ($working == 0) # not well formed, remove and try again 267 278 { 268 $attr = kses_html_error($attr);279 $attr = wp_kses_html_error($attr); 269 280 $mode = 0; 270 281 } … … 358 369 ############################################################################### 359 370 { 360 $string = kses_no_null($string);371 $string = wp_kses_no_null($string); 361 372 $string2 = $string.'a'; 362 373 … … 364 375 { 365 376 $string2 = $string; 366 $string = kses_bad_protocol_once($string, $allowed_protocols);377 $string = wp_kses_bad_protocol_once($string, $allowed_protocols); 367 378 } # while 368 379 … … 431 442 function wp_kses_html_error($string) 432 443 ############################################################################### 433 # This function deals with parsing errors in kses_hair(). The general plan is444 # This function deals with parsing errors in wp_kses_hair(). The general plan is 434 445 # to remove everything to and including some whitespace, but it deals with 435 446 # quotes and apostrophes as well. … … 448 459 return preg_replace('/^((&[^;]*;|[\sA-Za-z0-9])*)'. 
449 460 '(:|:|&#[Xx]3[Aa];)\s*/e', 450 ' kses_bad_protocol_once2("\\1", $allowed_protocols)',461 'wp_kses_bad_protocol_once2("\\1", $allowed_protocols)', 451 462 $string); 452 463 } # function wp_kses_bad_protocol_once … … 459 470 ############################################################################### 460 471 { 461 $string2 = kses_decode_entities($string);472 $string2 = wp_kses_decode_entities($string); 462 473 $string2 = preg_replace('/\s/', '', $string2); 463 $string2 = kses_no_null($string2);474 $string2 = wp_kses_no_null($string2); 464 475 $string2 = strtolower($string2); 465 476 … … 494 505 '&\\1;', $string); 495 506 $string = preg_replace('/&#0*([0-9]{1,5});/e', 496 ' kses_normalize_entities2("\\1")', $string);507 'wp_kses_normalize_entities2("\\1")', $string); 497 508 $string = preg_replace('/&#([Xx])0*(([0-9A-Fa-f]{2}){1,2});/', 498 509 '&#\\1\\2;', $string); … … 504 515 function wp_kses_normalize_entities2($i) 505 516 ############################################################################### 506 # This function helps kses_normalize_entities() to only accept 16 bit values517 # This function helps wp_kses_normalize_entities() to only accept 16 bit values 507 518 # and nothing more for &#number; entities. 508 519 ############################################################################### … … 526 537 } # function wp_kses_decode_entities 527 538 539 function wp_filter_kses($data) { 540 global $allowedtags; 541 return wp_kses($data, $allowedtags); 542 } 543 544 // Filter untrusted content 545 add_filter('comment_author', 'wp_filter_kses'); 546 add_filter('comment_text', 'wp_filter_kses'); 547 528 548 ?> -
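Review bot: wp_filter_kses() passes only `$allowedtags` and so leaves href scheme checking to wp_kses()'s default `$allowed_protocols`, whose value is cut off at the edge of this hunk; since this is the one call site that decides what untrusted comment HTML may link to, the allowed protocol list should be passed explicitly (or at least documented on the function) rather than inherited from a default defined elsewhere. `$allowedtags` is a plain mutable global, so any later include can widen the policy by appending to it; a comment marking it as the comment HTML allowlist and explaining the `a` href length limits would help. Only `comment_author` and `comment_text` are hooked here, while the author URL and email are emitted by separate template functions on this page with their own character-class filtering, so the kses policy is not the single point of control the hook names suggest. The renamed preg_replace call sites keep the /e modifier, which splices the backreference into evaluated PHP code and relies on PHP's automatic quote escaping of `\\1` — a comment stating that dependency would make the construction less alarming to the next reader.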
trunk/wp-includes/template-functions.php
r643 r650 1525 1525 function comment_author() { 1526 1526 global $comment; 1527 if (!empty($comment->comment_author)) { 1528 echo htmlspecialchars(stripslashes($comment->comment_author)); 1527 $author = stripslashes(stripslashes($comment->comment_author)); 1528 $author = apply_filters('comment_auther', $author); 1529 if (!empty($author)) { 1530 echo htmlspecialchars($comment->comment_author); 1529 1531 } 1530 1532 else { … … 1535 1537 function comment_author_email() { 1536 1538 global $comment; 1539 $email = stripslashes(stripslashes($comment->comment_author_email)); 1540 1537 1541 echo antispambot(stripslashes($comment->comment_author_email)); 1538 1542 } … … 1548 1552 1549 1553 $url = str_replace('http://url', '', $url); 1550 1554 $url = preg_replace('|[^a-z0-9-_.,/:]|i', '', $url); 1551 1555 if (empty($url) && empty($email)) { 1552 1556 echo $author; … … 1579 1583 // convert & into & 1580 1584 $url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&$1', $url); 1585 $url = preg_replace('|[^a-z0-9-_.,/:]|i', '', $url); 1581 1586 if ($url != 'http://url') { 1582 1587 echo $url; … … 1600 1605 $url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&$1', $url); 1601 1606 $url = (!stristr($url, '://')) ? 'http://'.$url : $url; 1607 $url = preg_replace('|[^a-z0-9-_.,/:]|i', '', $url); 1602 1608 if ((!empty($url)) && ($url != 'http://') && ($url != 'http://url')) { 1603 1609 $display = ($linktext != '') ? 
$linktext : stripslashes($url); 1604 1610 echo $before; 1605 echo '<a href="'.stripslashes($url).'" target="_blank">'.$display.'</a>';1611 echo '<a href="'.stripslashes($url).'" rel="external">'.$display.'</a>'; 1606 1612 echo $after; 1607 1613 } … … 1680 1686 1681 1687 function comment_link_rss() { 1682 global $comment,$postdata,$pagenow,$siteurl,$blogfilename; 1683 global $querystring_start, $querystring_equal, $querystring_separator; 1688 global $comment; 1684 1689 echo get_permalink($comment->comment_post_ID).'#comments'; 1685 1690 } 1686 1691 1687 1692 function permalink_comments_rss() { 1688 global $comment,$postdata,$pagenow,$siteurl,$blogfilename; 1689 global $querystring_start, $querystring_equal, $querystring_separator; 1693 global $comment; 1690 1694 echo get_permalink($comment->comment_post_ID); 1691 1695 } -
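Review bot: In comment_author() the hook name passed to apply_filters, `comment_auther`, does not match the `comment_author` filter that kses.php registers in this same changeset, so wp_filter_kses never runs on the author name, and the following line then echoes the unfiltered `$comment->comment_author` rather than `$author`, discarding the filtered value even if the name were fixed. htmlspecialchars() still HTML-escapes the output, so this is dead filtering rather than raw injection, but the commit's stated purpose is not achieved on this path. The two lines should read `$author = apply_filters('comment_author', $author);` and `echo htmlspecialchars($author);`. The same pattern appears in comment_author_email(), where the new `$email` variable is computed and never used. The double stripslashes() presumably compensates for magic quotes on top of the stored escaping — worth a comment saying which layer each call undoes, since over-stripping silently alters user content.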
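--- a/trunk/wp-settings.php
+++ b/trunk/wp-settings.php
@@ -29,4 +29,5 @@
 require (ABSPATH . WPINC . '/class-xmlrpcs.php');
 require (ABSPATH . WPINC . '/links.php');
+require (ABSPATH . WPINC . '/kses.php');
 
 //setup the old globals from b2config.php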