Index: src/wp-includes/kses.php =================================================================== --- src/wp-includes/kses.php (revision 35817) +++ src/wp-includes/kses.php (working copy) @@ -525,7 +525,6 @@ if ( empty( $allowed_protocols ) ) $allowed_protocols = wp_allowed_protocols(); $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) ); - $string = wp_kses_js_entities($string); $string = wp_kses_normalize_entities($string); $string = wp_kses_hook($string, $allowed_html, $allowed_protocols); // WP changed the order of these funcs and added args to wp_kses_hook return wp_kses_split($string, $allowed_html, $allowed_protocols); @@ -548,7 +547,6 @@ $allowed_html = wp_kses_allowed_html( 'post' ); $allowed_protocols = wp_allowed_protocols(); $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) ); - $string = wp_kses_js_entities( $string ); // Preserve leading and trailing whitespace. $matches = array(); @@ -1294,15 +1292,27 @@ } /** - * Removes the HTML JavaScript entities found in early versions of Netscape 4. + * Stub for maintaining plugin compatability. * + * Previously, this function was pulled in from the original + * import of kses and removed a specific vulnerability only + * existent in early version of Netscape 4. However, this + * vulnerability never affected any other browsers and can + * be considered safe for the modern web. + * + * The regular expression which sanitized this vulnerability + * has been removed in consideration of the performance and + * energy demands it placed, now merely passing through its + * input to the return. + * * @since 1.0.0 + * @deprecated deprecated since 4.4 * * @param string $string * @return string */ function wp_kses_js_entities($string) { - return preg_replace('%&\s*\{[^}]*(\}\s*;?|$)%', '', $string); + return $string; } /** Index: tests/phpunit/tests/kses.php =================================================================== --- tests/phpunit/tests/kses.php (revision 35817) +++ tests/phpunit/tests/kses.php (working copy) @@ -195,7 +195,7 @@ switch ( $attack->name ) { case 'XSS Locator': - $this->assertEquals('\';alert(String.fromCharCode(88,83,83))//\\\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88,83,83))//-->">\'>alert(String.fromCharCode(88,83,83))=', $result); + $this->assertEquals('\';alert(String.fromCharCode(88,83,83))//\\\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88,83,83))//-->">\'>alert(String.fromCharCode(88,83,83))=&{}', $result); break; case 'XSS Quick Test': $this->assertEquals('\'\';!--"=', $result);