Make WordPress Core

Changeset 8386


Ignore:
Timestamp:
07/21/2008 03:21:09 AM (17 years ago)
Author:
azaozz
Message:

kses - properly escape non-Unicode entities. Fixes #6583. Props schiller.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/wp-includes/kses.php

    r8384 r8386  
    274274        'ul' => array (
    275275            'class' => array (),
    276             'style' => array (), 
     276            'style' => array (),
    277277            'type' => array ()),
    278278        'ol' => array (
    279279            'class' => array (),
    280280            'start' => array (),
    281             'style' => array (), 
     281            'style' => array (),
    282282            'type' => array ()),
    283283        'var' => array ());
     
    912912    $string = preg_replace('/&([A-Za-z][A-Za-z0-9]{0,19});/', '&\\1;', $string);
    913913    $string = preg_replace_callback('/&#0*([0-9]{1,5});/', create_function('$matches', 'return wp_kses_normalize_entities2($matches[1]);'), $string);
    914     $string = preg_replace('/&#([Xx])0*(([0-9A-Fa-f]{2}){1,2});/', '&#\\1\\2;', $string);
     914    $string = preg_replace_callback('/&#([Xx])0*(([0-9A-Fa-f]{2}){1,2});/', create_function('$matches', 'return wp_kses_normalize_entities3($matches[2]);'), $string);
    915915
    916916    return $string;
     
    929929 */
    930930function wp_kses_normalize_entities2($i) {
    931     return (($i > 65535) ? "&#$i;" : "&#$i;");
     931    return ( (!valid_unicode($i)) || ($i > 65535) ? "&#$i;" : "&#$i;");
     932}
     933
     934/**
     935 * wp_kses_normalize_entities3() - Callback for wp_kses_normalize_entities() for regular expression
     936 *
     937 * This function helps wp_kses_normalize_entities() to only accept valid Unicode numeric entities
     938 * in hex form.
     939 *
     940 * @param string $h Hex string of encoded entity
     941 * @return string Correctly encoded entity
     942 */
     943function wp_kses_normalize_entities3($hexchars) {
     944    return ( (!valid_unicode(hexdec($hexchars))) ? "&#x$hexchars;" : "&#x$hexchars;");
     945}
     946
     947/**
     948 * valid_unicode() - Helper function to determine if a Unicode value is valid.
     949 *
     950 * @param int $i Unicode value
     951 * @return bool true if the value was a valid Unicode number
     952 */
     953function valid_unicode($i) {
     954    return ( $i == 0x9 || $i == 0xa || $i == 0xd ||
     955            ($i >= 0x20 && $i <= 0xd7ff) ||
     956            ($i >= 0xe000 && $i <= 0xfffd) ||
     957            ($i >= 0x10000 && $i <= 0x10ffff) );
    932958}
    933959
Note: See TracChangeset for help on using the changeset viewer.