WordPress.org

Make WordPress Core

Changeset 8386


Ignore:
Timestamp:
07/21/08 03:21:09 (6 years ago)
Author:
azaozz
Message:

kses - properly escape non-Unicode entities. Fixes #6583. Props schiller.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/wp-includes/kses.php

    r8384 r8386  
    274274        'ul' => array ( 
    275275            'class' => array (), 
    276             'style' => array (),  
     276            'style' => array (), 
    277277            'type' => array ()), 
    278278        'ol' => array ( 
    279279            'class' => array (), 
    280280            'start' => array (), 
    281             'style' => array (),  
     281            'style' => array (), 
    282282            'type' => array ()), 
    283283        'var' => array ()); 
     
    912912    $string = preg_replace('/&([A-Za-z][A-Za-z0-9]{0,19});/', '&\\1;', $string); 
    913913    $string = preg_replace_callback('/&#0*([0-9]{1,5});/', create_function('$matches', 'return wp_kses_normalize_entities2($matches[1]);'), $string); 
    914     $string = preg_replace('/&#([Xx])0*(([0-9A-Fa-f]{2}){1,2});/', '&#\\1\\2;', $string); 
     914    $string = preg_replace_callback('/&#([Xx])0*(([0-9A-Fa-f]{2}){1,2});/', create_function('$matches', 'return wp_kses_normalize_entities3($matches[2]);'), $string); 
    915915 
    916916    return $string; 
     
    929929 */ 
    930930function wp_kses_normalize_entities2($i) { 
    931     return (($i > 65535) ? "&#$i;" : "&#$i;"); 
     931    return ( (!valid_unicode($i)) || ($i > 65535) ? "&#$i;" : "&#$i;"); 
     932} 
     933 
     934/** 
     935 * wp_kses_normalize_entities3() - Callback for wp_kses_normalize_entities() for regular expression 
     936 * 
     937 * This function helps wp_kses_normalize_entities() to only accept valid Unicode numeric entities 
     938 * in hex form. 
     939 * 
     940 * @param string $h Hex string of encoded entity 
     941 * @return string Correctly encoded entity 
     942 */ 
     943function wp_kses_normalize_entities3($hexchars) { 
     944    return ( (!valid_unicode(hexdec($hexchars))) ? "&#x$hexchars;" : "&#x$hexchars;"); 
     945} 
     946 
     947/** 
     948 * valid_unicode() - Helper function to determine if a Unicode value is valid. 
     949 * 
     950 * @param int $i Unicode value 
     951 * @return bool true if the value was a valid Unicode number 
     952 */ 
     953function valid_unicode($i) { 
     954    return ( $i == 0x9 || $i == 0xa || $i == 0xd || 
     955            ($i >= 0x20 && $i <= 0xd7ff) || 
     956            ($i >= 0xe000 && $i <= 0xfffd) || 
     957            ($i >= 0x10000 && $i <= 0x10ffff) ); 
    932958} 
    933959 
Note: See TracChangeset for help on using the changeset viewer.