Changeset 17172

Timestamp:

12/29/2010 08:49:02 PM (11 years ago)

Author:

ryan

Message:

Don't be case sensitive to attribute names. Handle padded entities when checking for bad protocols. Normalize entities before checking for bad protocols in esc_url(). Props Mauro Gentile, duck_, miqrogroove

Location:

branches/3.0/wp-includes

Files:

• formatting.php (modified) (1 diff)
• kses.php (modified) (7 diffs)

branches/3.0/wp-includes/formatting.php

@@ -2237 +2237 @@
     // Replace ampersands and single quotes only when displaying.
     if ( 'display' == $_context ) {
-        $url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&$1', $url);
+        $url = wp_kses_normalize_entities( $url );
+        $url = str_replace( '&', '&', $url );
         $url = str_replace( "'", ''', $url );
     }

branches/3.0/wp-includes/kses.php

@@ -671 +671 @@
                 }
 
-            if ( $arreach['name'] == 'style' ) {
+            if ( strtolower($arreach['name']) == 'style' ) {
                 $orig_value = $arreach['value'];
 
@@ -763 +763 @@
                     {
                     $thisval = $match[1];
-                    if ( in_array($attrname, $uris) )
+                    if ( in_array(strtolower($attrname), $uris) )
                         $thisval = wp_kses_bad_protocol($thisval, $allowed_protocols);
 
@@ -779 +779 @@
                     {
                     $thisval = $match[1];
-                    if ( in_array($attrname, $uris) )
+                    if ( in_array(strtolower($attrname), $uris) )
                         $thisval = wp_kses_bad_protocol($thisval, $allowed_protocols);
 
@@ -795 +795 @@
                     {
                     $thisval = $match[1];
-                    if ( in_array($attrname, $uris) )
+                    if ( in_array(strtolower($attrname), $uris) )
                         $thisval = wp_kses_bad_protocol($thisval, $allowed_protocols);
 
@@ -1018 +1018 @@
  */
 function wp_kses_bad_protocol_once($string, $allowed_protocols) {
-    global $_kses_allowed_protocols;
-    $_kses_allowed_protocols = $allowed_protocols;
-
-    $string2 = preg_split('/:|:|:/i', $string, 2);
-    if ( isset($string2[1]) && !preg_match('%/\?%', $string2[0]) )
-        $string = wp_kses_bad_protocol_once2($string2[0]) . trim($string2[1]);
-    else
-        $string = preg_replace_callback('/^((&[^;]*;|[\sA-Za-z0-9])*)'.'(:|:|&#[Xx]3[Aa];)\s*/', 'wp_kses_bad_protocol_once2', $string);
+    $string2 = preg_split( '/:|&#0*58;|&#x0*3a;/i', $string, 2 );
+    if ( isset($string2[1]) && ! preg_match('%/\?%', $string2[0]) )
+        $string = wp_kses_bad_protocol_once2( $string2[0], $allowed_protocols ) . trim( $string2[1] );
 
     return $string;
@@ -1039 +1034 @@
  * @since 1.0.0
  *
- * @param mixed $matches string or preg_replace_callback() matches array to check for bad protocols
+ * @param string $string URI scheme to check against the whitelist
+ * @param string $allowed_protocols Allowed protocols
  * @return string Sanitized content
  */
-function wp_kses_bad_protocol_once2($matches) {
-    global $_kses_allowed_protocols;
-
-    if ( is_array($matches) ) {
-        if ( empty($matches[1]) )
-            return '';
-
-        $string = $matches[1];
-    } else {
-        $string = $matches;
-    }
-
+function wp_kses_bad_protocol_once2( $string, $allowed_protocols ) {
     $string2 = wp_kses_decode_entities($string);
     $string2 = preg_replace('/\s/', '', $string2);
@@ -1060 +1045 @@
 
     $allowed = false;
-    foreach ( (array) $_kses_allowed_protocols as $one_protocol)
-        if (strtolower($one_protocol) == $string2) {
+    foreach ( (array) $allowed_protocols as $one_protocol )
+        if ( strtolower($one_protocol) == $string2 ) {
             $allowed = true;
             break;