
Changeset 650


Timestamp:
12/24/2003 08:43:04 PM (21 years ago)
Author:
saxmatt
Message:

Add kses HTML cleaning to comment functions.

Location:
trunk
Files:
4 edited

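--- a/trunk/wp-includes/functions.php
+++ b/trunk/wp-includes/functions.php
@@ -1309,10 +1309,5 @@
             $attributes = $regex[2];
             if($attributes) {
-                // fix to avoid CSS defacements
-                if ($is_comment) {
-                    $attributes = str_replace('style=', 'title=', $attributes);
-                    $attributes = str_replace('class=', 'title=', $attributes);
-                    $attributes = str_replace('id=', 'title=', $attributes);
-                }
+
                 $attributes = ' '.$attributes;
             }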
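--- a/trunk/wp-includes/kses.php
+++ b/trunk/wp-includes/kses.php
@@ -11,4 +11,15 @@
 # [kses strips evil scripts!]
 
+$allowedtags = array('b' => array(),
+                 'i' => array(),
+                 'strong' => array(),
+                 'code' => array(),
+                 'em' => array(),
+                 'strike' => array(),
+                 'a' => array('href'  => array('minlen' => 3, 'maxlen' => 50),
+                              'title' => array('valueless' => 'n'),
+                              'rel' => array('minlen' => 3, 'maxlen' => 250)),
+                'blockquote' => array('cite' => array()),
+                 'br' => array());
 
 function wp_kses($string, $allowed_html, $allowed_protocols =
@@ -22,10 +33,10 @@
 ###############################################################################
 {
-  $string = kses_no_null($string);
-  $string = kses_js_entities($string);
-  $string = kses_normalize_entities($string);
-  $string = kses_hook($string);
-  $allowed_html_fixed = kses_array_lc($allowed_html);
-  return kses_split($string, $allowed_html_fixed, $allowed_protocols);
+  $string = wp_kses_no_null($string);
+  $string = wp_kses_js_entities($string);
+  $string = wp_kses_normalize_entities($string);
+  $string = wp_kses_hook($string);
+  $allowed_html_fixed = wp_kses_array_lc($allowed_html);
+  return wp_kses_split($string, $allowed_html_fixed, $allowed_protocols);
 } # function wp_kses
 
@@ -59,5 +70,5 @@
                       '(>|$)'. # > or end of string
                       '|>)%e', # OR: just a >
-                      "kses_split2('\\1', \$allowed_html, ".
+                      "wp_kses_split2('\\1', \$allowed_html, ".
                       '$allowed_protocols)',
                       $string);
@@ -73,5 +84,5 @@
 ###############################################################################
 {
-  $string = kses_stripslashes($string);
+  $string = wp_kses_stripslashes($string);
 
   if (substr($string, 0, 1) != '<')
@@ -91,5 +102,5 @@
     # They are using a not allowed HTML element
 
-  return kses_attr("$slash$elem", $attrlist, $allowed_html,
+  return wp_kses_attr("$slash$elem", $attrlist, $allowed_html,
                    $allowed_protocols);
 } # function wp_kses_split2
@@ -99,5 +110,5 @@
 ###############################################################################
 # This function removes all attributes, if none are allowed for this element.
-# If some are allowed it calls kses_hair() to split them further, and then it
+# If some are allowed it calls wp_kses_hair() to split them further, and then it
 # builds up new HTML code from the data that kses_hair() returns. It also
 # removes "<" and ">" characters, if there are any left. One more thing it
@@ -119,5 +130,5 @@
 # Split it
 
-  $attrarr = kses_hair($attr, $allowed_protocols);
+  $attrarr = wp_kses_hair($attr, $allowed_protocols);
 
 # Go through $attrarr, and save the allowed attributes for this element
@@ -142,5 +153,5 @@
       $ok = true;
       foreach ($current as $currkey => $currval)
-        if (!kses_check_attr_val($arreach['value'], $arreach['vless'],
+        if (!wp_kses_check_attr_val($arreach['value'], $arreach['vless'],
                                  $currkey, $currval))
         { $ok = false; break; }
@@ -219,5 +230,5 @@
          # "value"
         {
-          $thisval = kses_bad_protocol($match[1], $allowed_protocols);
+          $thisval = wp_kses_bad_protocol($match[1], $allowed_protocols);
 
           $attrarr[] = array
@@ -234,5 +245,5 @@
          # 'value'
         {
-          $thisval = kses_bad_protocol($match[1], $allowed_protocols);
+          $thisval = wp_kses_bad_protocol($match[1], $allowed_protocols);
 
           $attrarr[] = array
@@ -249,5 +260,5 @@
          # value
         {
-          $thisval = kses_bad_protocol($match[1], $allowed_protocols);
+          $thisval = wp_kses_bad_protocol($match[1], $allowed_protocols);
 
           $attrarr[] = array
@@ -266,5 +277,5 @@
     if ($working == 0) # not well formed, remove and try again
     {
-      $attr = kses_html_error($attr);
+      $attr = wp_kses_html_error($attr);
       $mode = 0;
     }
@@ -358,5 +369,5 @@
 ###############################################################################
 {
-  $string = kses_no_null($string);
+  $string = wp_kses_no_null($string);
   $string2 = $string.'a';
 
@@ -364,5 +375,5 @@
   {
     $string2 = $string;
-    $string = kses_bad_protocol_once($string, $allowed_protocols);
+    $string = wp_kses_bad_protocol_once($string, $allowed_protocols);
   } # while
 
@@ -431,5 +442,5 @@
 function wp_kses_html_error($string)
 ###############################################################################
-# This function deals with parsing errors in kses_hair(). The general plan is
+# This function deals with parsing errors in wp_kses_hair(). The general plan is
 # to remove everything to and including some whitespace, but it deals with
 # quotes and apostrophes as well.
@@ -448,5 +459,5 @@
   return preg_replace('/^((&[^;]*;|[\sA-Za-z0-9])*)'.
                       '(:|&#58;|&#[Xx]3[Aa];)\s*/e',
-                      'kses_bad_protocol_once2("\\1", $allowed_protocols)',
+                      'wp_kses_bad_protocol_once2("\\1", $allowed_protocols)',
                       $string);
 } # function wp_kses_bad_protocol_once
@@ -459,7 +470,7 @@
 ###############################################################################
 {
-  $string2 = kses_decode_entities($string);
+  $string2 = wp_kses_decode_entities($string);
   $string2 = preg_replace('/\s/', '', $string2);
-  $string2 = kses_no_null($string2);
+  $string2 = wp_kses_no_null($string2);
   $string2 = strtolower($string2);
 
@@ -494,5 +505,5 @@
                          '&\\1;', $string);
   $string = preg_replace('/&amp;#0*([0-9]{1,5});/e',
-                         'kses_normalize_entities2("\\1")', $string);
+                         'wp_kses_normalize_entities2("\\1")', $string);
   $string = preg_replace('/&amp;#([Xx])0*(([0-9A-Fa-f]{2}){1,2});/',
                          '&#\\1\\2;', $string);
@@ -504,5 +515,5 @@
 function wp_kses_normalize_entities2($i)
 ###############################################################################
-# This function helps kses_normalize_entities() to only accept 16 bit values
+# This function helps wp_kses_normalize_entities() to only accept 16 bit values
 # and nothing more for &#number; entities.
 ###############################################################################
@@ -526,3 +537,12 @@
 } # function wp_kses_decode_entities
 
+function wp_filter_kses($data) {
+    global $allowedtags;
+    return wp_kses($data, $allowedtags);
+}
+
+// Filter untrusted content
+add_filter('comment_author', 'wp_filter_kses');
+add_filter('comment_text', 'wp_filter_kses');
+
 ?>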
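Review bot: The three replacement strings renamed at new lines 72, 461 and 507 are still handed to preg_replace under the `/e` modifier (the `%e` and `/e` terminators are visible at lines 71, 460 and 506), so text captured from comment markup is spliced into PHP source and eval'd, and as far as this section shows the only thing stopping a quote inside an attribute value from breaking out of that string is the backslash-escaping PHP applies to the backreference, which the `$string = wp_kses_stripslashes($string);` call at line 86 exists to undo. Since this changeset rewrites those three lines anyway, it is the natural point to move them to `preg_replace_callback` with the wp_kses_* functions as named callbacks and retire the stripslashes round-trip. `wp_filter_kses` at line 539 reads `$allowedtags` through `global`, so any file loaded later that reassigns that name silently widens or empties the comment whitelist; a note above the array, `// Whitelist for untrusted comment HTML, read via global by wp_filter_kses; do not reassign`, would at least record that. The default for `$allowed_protocols` in the wp_kses signature at line 25 is cut off at the hunk edge, so whether `href` and `cite` values are restricted to safe schemes cannot be confirmed from this section.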
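--- a/trunk/wp-includes/template-functions.php
+++ b/trunk/wp-includes/template-functions.php
@@ -1525,6 +1525,8 @@
 function comment_author() {
     global $comment;
-    if (!empty($comment->comment_author)) {
-        echo htmlspecialchars(stripslashes($comment->comment_author));
+    $author = stripslashes(stripslashes($comment->comment_author));
+    $author = apply_filters('comment_auther', $author);
+    if (!empty($author)) {
+        echo htmlspecialchars($comment->comment_author);
     }
     else {
@@ -1535,4 +1537,6 @@
 function comment_author_email() {
     global $comment;
+    $email = stripslashes(stripslashes($comment->comment_author_email));
+   
     echo antispambot(stripslashes($comment->comment_author_email));
 }
@@ -1548,5 +1552,5 @@
 
     $url = str_replace('http://url', '', $url);
-
+    $url = preg_replace('|[^a-z0-9-_.,/:]|i', '', $url);
     if (empty($url) && empty($email)) {
         echo $author;
@@ -1579,4 +1583,5 @@
     // convert & into &amp;
     $url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&#038;$1', $url);
+    $url = preg_replace('|[^a-z0-9-_.,/:]|i', '', $url);
     if ($url != 'http://url') {
         echo $url;
@@ -1600,8 +1605,9 @@
     $url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&#038;$1', $url);
     $url = (!stristr($url, '://')) ? 'http://'.$url : $url;
+    $url = preg_replace('|[^a-z0-9-_.,/:]|i', '', $url);
     if ((!empty($url)) && ($url != 'http://') && ($url != 'http://url')) {
         $display = ($linktext != '') ? $linktext : stripslashes($url);
         echo $before;
-        echo '<a href="'.stripslashes($url).'" target="_blank">'.$display.'</a>';
+        echo '<a href="'.stripslashes($url).'" rel="external">'.$display.'</a>';
         echo $after;
     }
@@ -1680,12 +1686,10 @@
 
 function comment_link_rss() {
-    global $comment,$postdata,$pagenow,$siteurl,$blogfilename;
-    global $querystring_start, $querystring_equal, $querystring_separator;
+    global $comment;
     echo get_permalink($comment->comment_post_ID).'#comments';
 }
 
 function permalink_comments_rss() {
-    global $comment,$postdata,$pagenow,$siteurl,$blogfilename;
-    global $querystring_start, $querystring_equal, $querystring_separator;
+    global $comment;
     echo get_permalink($comment->comment_post_ID);
 }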
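Review bot: The hook name on new line 1528 of comment_author() is misspelled, `apply_filters('comment_auther', $author)`, so the `comment_author` filter this changeset registers in kses.php never fires here, and line 1530 then echoes `$comment->comment_author` rather than `$author`, so the filtered value is only ever used for the emptiness test; the fix is `$author = apply_filters('comment_author', $author);` followed by `echo htmlspecialchars($author);`. htmlspecialchars still escapes markup on this path, so the exposure is lost filtering rather than raw HTML reaching the page, and `$email` on new line 1539 is likewise assigned and never read. In the URL hunks, the new `$url = preg_replace('|[^a-z0-9-_.,/:]|i', '', $url);` at lines 1585 and 1607 runs after `&` has already been rewritten to `&#038;` on the preceding lines, so it strips the `&`, `#` and `;` and keeps the digits (`?a=1&b=2` comes out as `a1038b2`), and since it also removes `?`, `=`, `%` and `#`, any URL with a query string or fragment is silently mangled rather than rejected. The functions containing the URL hunks start outside this section, so whether anything upstream already restricts the scheme cannot be confirmed from here.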
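--- a/trunk/wp-settings.php
+++ b/trunk/wp-settings.php
@@ -29,4 +29,5 @@
 require (ABSPATH . WPINC . '/class-xmlrpcs.php');
 require (ABSPATH . WPINC . '/links.php');
+require (ABSPATH . WPINC . '/kses.php');
 
 //setup the old globals from b2config.php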
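Review bot: kses.php calls add_filter twice at load time (at the end of that file in this changeset), so the new require on line 31 depends on add_filter already being defined at this point in wp-settings.php; the neighbouring requires suggest the core function files are loaded earlier, but that cannot be confirmed from this section. A one-line comment, `// kses.php registers comment filters on load, so it must come after add_filter is defined`, would record the ordering constraint for whoever next reorders these requires.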