| [ Index ] |
PHP Cross Reference of WordPress Trunk (Updated Daily) |
[Summary view] [Print] [Text view]
1 <?php 2 /** 3 * kses 0.2.2 - HTML/XHTML filter that only allows some elements and attributes 4 * Copyright (C) 2002, 2003, 2005 Ulf Harnhammar 5 * 6 * This program is free software and open source software; you can redistribute 7 * it and/or modify it under the terms of the GNU General Public License as 8 * published by the Free Software Foundation; either version 2 of the License, 9 * or (at your option) any later version. 10 * 11 * This program is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for 14 * more details. 15 * 16 * You should have received a copy of the GNU General Public License along 17 * with this program; if not, write to the Free Software Foundation, Inc., 18 * 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA 19 * http://www.gnu.org/licenses/gpl.html 20 * 21 * [kses strips evil scripts!] 22 * 23 * Added wp_ prefix to avoid conflicts with existing kses users 24 * 25 * @version 0.2.2 26 * @copyright (C) 2002, 2003, 2005 27 * @author Ulf Harnhammar <http://advogato.org/person/metaur/> 28 * 29 * @package External 30 * @subpackage KSES 31 */ 32 33 /** 34 * Specifies the default allowable HTML tags. 35 * 36 * Using `CUSTOM_TAGS` is not recommended and should be considered deprecated. The 37 * {@see 'wp_kses_allowed_html'} filter is more powerful and supplies context. 38 * 39 * When using this constant, make sure to set all of these globals to arrays: 40 * 41 * - `$allowedposttags` 42 * - `$allowedtags` 43 * - `$allowedentitynames` 44 * - `$allowedxmlentitynames` 45 * 46 * @see wp_kses_allowed_html() 47 * @since 1.2.0 48 * 49 * @var array[]|false Array of default allowable HTML tags, or false to use the defaults. 50 */ 51 if ( ! defined( 'CUSTOM_TAGS' ) ) { 52 define( 'CUSTOM_TAGS', false ); 53 } 54 55 // Ensure that these variables are added to the global namespace 56 // (e.g. if using namespaces / autoload in the current PHP environment). 57 global $allowedposttags, $allowedtags, $allowedentitynames, $allowedxmlentitynames; 58 59 if ( ! CUSTOM_TAGS ) { 60 /** 61 * KSES global for default allowable HTML tags. 62 * 63 * Can be overridden with the `CUSTOM_TAGS` constant. 64 * 65 * @var array[] $allowedposttags Array of default allowable HTML tags. 66 * @since 2.0.0 67 */ 68 $allowedposttags = array( 69 'address' => array(), 70 'a' => array( 71 'href' => true, 72 'rel' => true, 73 'rev' => true, 74 'name' => true, 75 'target' => true, 76 'download' => array( 77 'valueless' => 'y', 78 ), 79 ), 80 'abbr' => array(), 81 'acronym' => array(), 82 'area' => array( 83 'alt' => true, 84 'coords' => true, 85 'href' => true, 86 'nohref' => true, 87 'shape' => true, 88 'target' => true, 89 ), 90 'article' => array( 91 'align' => true, 92 ), 93 'aside' => array( 94 'align' => true, 95 ), 96 'audio' => array( 97 'autoplay' => true, 98 'controls' => true, 99 'loop' => true, 100 'muted' => true, 101 'preload' => true, 102 'src' => true, 103 ), 104 'b' => array(), 105 'bdo' => array(), 106 'big' => array(), 107 'blockquote' => array( 108 'cite' => true, 109 ), 110 'br' => array(), 111 'button' => array( 112 'disabled' => true, 113 'name' => true, 114 'type' => true, 115 'value' => true, 116 'popovertarget' => true, 117 'popovertargetaction' => true, 118 'aria-haspopup' => true, 119 ), 120 'caption' => array( 121 'align' => true, 122 ), 123 'cite' => array(), 124 'code' => array(), 125 'col' => array( 126 'align' => true, 127 'char' => true, 128 'charoff' => true, 129 'span' => true, 130 'valign' => true, 131 'width' => true, 132 ), 133 'colgroup' => array( 134 'align' => true, 135 'char' => true, 136 'charoff' => true, 137 'span' => true, 138 'valign' => true, 139 'width' => true, 140 ), 141 'data' => array( 142 'value' => true, 143 ), 144 'del' => array( 145 'datetime' => true, 146 ), 147 'dd' => array(), 148 'dfn' => array(), 149 'details' => array( 150 'align' => true, 151 'open' => true, 152 ), 153 'div' => array( 154 'align' => true, 155 'popover' => true, 156 ), 157 'dialog' => array( 158 'closedby' => true, 159 'open' => true, 160 'popover' => true, 161 ), 162 'dl' => array(), 163 'dt' => array(), 164 'em' => array(), 165 'fieldset' => array(), 166 'figure' => array( 167 'align' => true, 168 ), 169 'figcaption' => array( 170 'align' => true, 171 ), 172 'font' => array( 173 'color' => true, 174 'face' => true, 175 'size' => true, 176 ), 177 'footer' => array( 178 'align' => true, 179 ), 180 'h1' => array( 181 'align' => true, 182 ), 183 'h2' => array( 184 'align' => true, 185 ), 186 'h3' => array( 187 'align' => true, 188 ), 189 'h4' => array( 190 'align' => true, 191 ), 192 'h5' => array( 193 'align' => true, 194 ), 195 'h6' => array( 196 'align' => true, 197 ), 198 'header' => array( 199 'align' => true, 200 ), 201 'hgroup' => array( 202 'align' => true, 203 ), 204 'hr' => array( 205 'align' => true, 206 'noshade' => true, 207 'size' => true, 208 'width' => true, 209 ), 210 'i' => array(), 211 'img' => array( 212 'alt' => true, 213 'align' => true, 214 'border' => true, 215 'height' => true, 216 'hspace' => true, 217 'loading' => true, 218 'longdesc' => true, 219 'vspace' => true, 220 'src' => true, 221 'usemap' => true, 222 'width' => true, 223 ), 224 'ins' => array( 225 'datetime' => true, 226 'cite' => true, 227 ), 228 'kbd' => array(), 229 'label' => array( 230 'for' => true, 231 ), 232 'legend' => array( 233 'align' => true, 234 ), 235 'li' => array( 236 'align' => true, 237 'value' => true, 238 ), 239 'main' => array( 240 'align' => true, 241 ), 242 'map' => array( 243 'name' => true, 244 ), 245 'mark' => array(), 246 'menu' => array( 247 'type' => true, 248 ), 249 'meter' => array( 250 'high' => true, 251 'low' => true, 252 'max' => true, 253 'min' => true, 254 'optimum' => true, 255 'value' => true, 256 ), 257 'nav' => array( 258 'align' => true, 259 ), 260 'object' => array( 261 'data' => array( 262 'required' => true, 263 'value_callback' => '_wp_kses_allow_pdf_objects', 264 ), 265 'type' => array( 266 'required' => true, 267 'values' => array( 'application/pdf' ), 268 ), 269 ), 270 'p' => array( 271 'align' => true, 272 ), 273 'pre' => array( 274 'width' => true, 275 ), 276 'progress' => array( 277 'max' => true, 278 'value' => true, 279 ), 280 'q' => array( 281 'cite' => true, 282 ), 283 'rb' => array(), 284 'rp' => array(), 285 'rt' => array(), 286 'rtc' => array(), 287 'ruby' => array(), 288 's' => array(), 289 'samp' => array(), 290 'search' => array(), 291 'span' => array( 292 'align' => true, 293 ), 294 'section' => array( 295 'align' => true, 296 ), 297 'small' => array(), 298 'strike' => array(), 299 'strong' => array(), 300 'sub' => array(), 301 'summary' => array( 302 'align' => true, 303 ), 304 'sup' => array(), 305 'table' => array( 306 'align' => true, 307 'bgcolor' => true, 308 'border' => true, 309 'cellpadding' => true, 310 'cellspacing' => true, 311 'rules' => true, 312 'summary' => true, 313 'width' => true, 314 ), 315 'tbody' => array( 316 'align' => true, 317 'char' => true, 318 'charoff' => true, 319 'valign' => true, 320 ), 321 'td' => array( 322 'abbr' => true, 323 'align' => true, 324 'axis' => true, 325 'bgcolor' => true, 326 'char' => true, 327 'charoff' => true, 328 'colspan' => true, 329 'headers' => true, 330 'height' => true, 331 'nowrap' => true, 332 'rowspan' => true, 333 'scope' => true, 334 'valign' => true, 335 'width' => true, 336 ), 337 'textarea' => array( 338 'cols' => true, 339 'rows' => true, 340 'disabled' => true, 341 'name' => true, 342 'readonly' => true, 343 ), 344 'tfoot' => array( 345 'align' => true, 346 'char' => true, 347 'charoff' => true, 348 'valign' => true, 349 ), 350 'th' => array( 351 'abbr' => true, 352 'align' => true, 353 'axis' => true, 354 'bgcolor' => true, 355 'char' => true, 356 'charoff' => true, 357 'colspan' => true, 358 'headers' => true, 359 'height' => true, 360 'nowrap' => true, 361 'rowspan' => true, 362 'scope' => true, 363 'valign' => true, 364 'width' => true, 365 ), 366 'thead' => array( 367 'align' => true, 368 'char' => true, 369 'charoff' => true, 370 'valign' => true, 371 ), 372 'time' => array( 373 'datetime' => true, 374 ), 375 'title' => array(), 376 'tr' => array( 377 'align' => true, 378 'bgcolor' => true, 379 'char' => true, 380 'charoff' => true, 381 'valign' => true, 382 ), 383 'track' => array( 384 'default' => true, 385 'kind' => true, 386 'label' => true, 387 'src' => true, 388 'srclang' => true, 389 ), 390 'tt' => array(), 391 'u' => array(), 392 'ul' => array( 393 'type' => true, 394 'popover' => true, 395 'role' => true, 396 ), 397 'ol' => array( 398 'start' => true, 399 'type' => true, 400 'reversed' => true, 401 ), 402 'var' => array(), 403 'video' => array( 404 'autoplay' => true, 405 'controls' => true, 406 'height' => true, 407 'loop' => true, 408 'muted' => true, 409 'playsinline' => true, 410 'poster' => true, 411 'preload' => true, 412 'src' => true, 413 'width' => true, 414 ), 415 'wbr' => array(), 416 ); 417 418 /** 419 * @var array[] $allowedtags Array of KSES allowed HTML elements. 420 * @since 1.0.0 421 */ 422 $allowedtags = array( 423 'a' => array( 424 'href' => true, 425 'title' => true, 426 ), 427 'abbr' => array( 428 'title' => true, 429 ), 430 'acronym' => array( 431 'title' => true, 432 ), 433 'b' => array(), 434 'blockquote' => array( 435 'cite' => true, 436 ), 437 'cite' => array(), 438 'code' => array(), 439 'del' => array( 440 'datetime' => true, 441 ), 442 'em' => array(), 443 'i' => array(), 444 'q' => array( 445 'cite' => true, 446 ), 447 's' => array(), 448 'strike' => array(), 449 'strong' => array(), 450 ); 451 452 /** 453 * @var string[] $allowedentitynames Array of KSES allowed HTML entity names. 454 * @since 1.0.0 455 */ 456 $allowedentitynames = array( 457 'nbsp', 458 'iexcl', 459 'cent', 460 'pound', 461 'curren', 462 'yen', 463 'brvbar', 464 'sect', 465 'uml', 466 'copy', 467 'ordf', 468 'laquo', 469 'not', 470 'shy', 471 'reg', 472 'macr', 473 'deg', 474 'plusmn', 475 'acute', 476 'micro', 477 'para', 478 'middot', 479 'cedil', 480 'ordm', 481 'raquo', 482 'iquest', 483 'Agrave', 484 'Aacute', 485 'Acirc', 486 'Atilde', 487 'Auml', 488 'Aring', 489 'AElig', 490 'Ccedil', 491 'Egrave', 492 'Eacute', 493 'Ecirc', 494 'Euml', 495 'Igrave', 496 'Iacute', 497 'Icirc', 498 'Iuml', 499 'ETH', 500 'Ntilde', 501 'Ograve', 502 'Oacute', 503 'Ocirc', 504 'Otilde', 505 'Ouml', 506 'times', 507 'Oslash', 508 'Ugrave', 509 'Uacute', 510 'Ucirc', 511 'Uuml', 512 'Yacute', 513 'THORN', 514 'szlig', 515 'agrave', 516 'aacute', 517 'acirc', 518 'atilde', 519 'auml', 520 'aring', 521 'aelig', 522 'ccedil', 523 'egrave', 524 'eacute', 525 'ecirc', 526 'euml', 527 'igrave', 528 'iacute', 529 'icirc', 530 'iuml', 531 'eth', 532 'ntilde', 533 'ograve', 534 'oacute', 535 'ocirc', 536 'otilde', 537 'ouml', 538 'divide', 539 'oslash', 540 'ugrave', 541 'uacute', 542 'ucirc', 543 'uuml', 544 'yacute', 545 'thorn', 546 'yuml', 547 'quot', 548 'amp', 549 'lt', 550 'gt', 551 'apos', 552 'OElig', 553 'oelig', 554 'Scaron', 555 'scaron', 556 'Yuml', 557 'circ', 558 'tilde', 559 'ensp', 560 'emsp', 561 'thinsp', 562 'zwnj', 563 'zwj', 564 'lrm', 565 'rlm', 566 'ndash', 567 'mdash', 568 'lsquo', 569 'rsquo', 570 'sbquo', 571 'ldquo', 572 'rdquo', 573 'bdquo', 574 'dagger', 575 'Dagger', 576 'permil', 577 'lsaquo', 578 'rsaquo', 579 'euro', 580 'fnof', 581 'Alpha', 582 'Beta', 583 'Gamma', 584 'Delta', 585 'Epsilon', 586 'Zeta', 587 'Eta', 588 'Theta', 589 'Iota', 590 'Kappa', 591 'Lambda', 592 'Mu', 593 'Nu', 594 'Xi', 595 'Omicron', 596 'Pi', 597 'Rho', 598 'Sigma', 599 'Tau', 600 'Upsilon', 601 'Phi', 602 'Chi', 603 'Psi', 604 'Omega', 605 'alpha', 606 'beta', 607 'gamma', 608 'delta', 609 'epsilon', 610 'zeta', 611 'eta', 612 'theta', 613 'iota', 614 'kappa', 615 'lambda', 616 'mu', 617 'nu', 618 'xi', 619 'omicron', 620 'pi', 621 'rho', 622 'sigmaf', 623 'sigma', 624 'tau', 625 'upsilon', 626 'phi', 627 'chi', 628 'psi', 629 'omega', 630 'thetasym', 631 'upsih', 632 'piv', 633 'bull', 634 'hellip', 635 'prime', 636 'Prime', 637 'oline', 638 'frasl', 639 'weierp', 640 'image', 641 'real', 642 'trade', 643 'alefsym', 644 'larr', 645 'uarr', 646 'rarr', 647 'darr', 648 'harr', 649 'crarr', 650 'lArr', 651 'uArr', 652 'rArr', 653 'dArr', 654 'hArr', 655 'forall', 656 'part', 657 'exist', 658 'empty', 659 'nabla', 660 'isin', 661 'notin', 662 'ni', 663 'prod', 664 'sum', 665 'minus', 666 'lowast', 667 'radic', 668 'prop', 669 'infin', 670 'ang', 671 'and', 672 'or', 673 'cap', 674 'cup', 675 'int', 676 'sim', 677 'cong', 678 'asymp', 679 'ne', 680 'equiv', 681 'le', 682 'ge', 683 'sub', 684 'sup', 685 'nsub', 686 'sube', 687 'supe', 688 'oplus', 689 'otimes', 690 'perp', 691 'sdot', 692 'lceil', 693 'rceil', 694 'lfloor', 695 'rfloor', 696 'lang', 697 'rang', 698 'loz', 699 'spades', 700 'clubs', 701 'hearts', 702 'diams', 703 'sup1', 704 'sup2', 705 'sup3', 706 'frac14', 707 'frac12', 708 'frac34', 709 'there4', 710 ); 711 712 /** 713 * @var string[] $allowedxmlentitynames Array of KSES allowed XML entity names. 714 * @since 5.5.0 715 */ 716 $allowedxmlentitynames = array( 717 'amp', 718 'lt', 719 'gt', 720 'apos', 721 'quot', 722 ); 723 724 $allowedposttags = array_map( '_wp_add_global_attributes', $allowedposttags ); 725 } else { 726 $required_kses_globals = array( 727 'allowedposttags', 728 'allowedtags', 729 'allowedentitynames', 730 'allowedxmlentitynames', 731 ); 732 $missing_kses_globals = array(); 733 734 foreach ( $required_kses_globals as $global_name ) { 735 if ( ! isset( $GLOBALS[ $global_name ] ) || ! is_array( $GLOBALS[ $global_name ] ) ) { 736 $missing_kses_globals[] = '<code>$' . $global_name . '</code>'; 737 } 738 } 739 740 if ( $missing_kses_globals ) { 741 _doing_it_wrong( 742 'wp_kses_allowed_html', 743 sprintf( 744 /* translators: 1: CUSTOM_TAGS, 2: Global variable names. */ 745 __( 'When using the %1$s constant, make sure to set these globals to an array: %2$s.' ), 746 '<code>CUSTOM_TAGS</code>', 747 implode( ', ', $missing_kses_globals ) 748 ), 749 '6.2.0' 750 ); 751 } 752 753 $allowedtags = wp_kses_array_lc( $allowedtags ); 754 $allowedposttags = wp_kses_array_lc( $allowedposttags ); 755 } 756 757 /** 758 * Filters text content and strips out disallowed HTML. 759 * 760 * This function makes sure that only the allowed HTML element names, attribute 761 * names, attribute values, and HTML entities will occur in the given text string. 762 * 763 * This function expects unslashed data. 764 * 765 * @see wp_kses_post() for specifically filtering post content and fields. 766 * @see wp_allowed_protocols() for the default allowed protocols in link URLs. 767 * 768 * @since 1.0.0 769 * 770 * @param string $content Text content to filter. 771 * @param array[]|string $allowed_html An array of allowed HTML elements and attributes, 772 * or a context name such as 'post'. See wp_kses_allowed_html() 773 * for the list of accepted context names. 774 * @param string[] $allowed_protocols Optional. Array of allowed URL protocols. 775 * Defaults to the result of wp_allowed_protocols(). 776 * @return string Filtered content containing only the allowed HTML. 777 */ 778 function wp_kses( $content, $allowed_html, $allowed_protocols = array() ) { 779 if ( empty( $allowed_protocols ) ) { 780 $allowed_protocols = wp_allowed_protocols(); 781 } 782 783 $content = wp_kses_no_null( $content, array( 'slash_zero' => 'keep' ) ); 784 $content = wp_kses_normalize_entities( $content ); 785 $content = wp_kses_hook( $content, $allowed_html, $allowed_protocols ); 786 787 return wp_kses_split( $content, $allowed_html, $allowed_protocols ); 788 } 789 790 /** 791 * Filters one HTML attribute and ensures its value is allowed. 792 * 793 * This function can escape data in some situations where `wp_kses()` must strip the whole attribute. 794 * 795 * @since 4.2.3 796 * 797 * @param string $attr The 'whole' attribute, including name and value. 798 * @param string $element The HTML element name to which the attribute belongs. 799 * @return string Filtered attribute. 800 */ 801 function wp_kses_one_attr( $attr, $element ) { 802 $uris = wp_kses_uri_attributes(); 803 $allowed_html = wp_kses_allowed_html( 'post' ); 804 $allowed_protocols = wp_allowed_protocols(); 805 $attr = wp_kses_no_null( $attr, array( 'slash_zero' => 'keep' ) ); 806 807 // Preserve leading and trailing whitespace. 808 $matches = array(); 809 preg_match( '/^\s*/', $attr, $matches ); 810 $lead = $matches[0]; 811 preg_match( '/\s*$/', $attr, $matches ); 812 $trail = $matches[0]; 813 if ( empty( $trail ) ) { 814 $attr = substr( $attr, strlen( $lead ) ); 815 } else { 816 $attr = substr( $attr, strlen( $lead ), -strlen( $trail ) ); 817 } 818 819 // Parse attribute name and value from input. 820 $split = preg_split( '/\s*=\s*/', $attr, 2 ); 821 $name = $split[0]; 822 if ( count( $split ) === 2 ) { 823 $value = $split[1]; 824 825 /* 826 * Remove quotes surrounding $value. 827 * Also guarantee correct quoting in $attr for this one attribute. 828 */ 829 if ( '' === $value ) { 830 $quote = ''; 831 } else { 832 $quote = $value[0]; 833 } 834 if ( '"' === $quote || "'" === $quote ) { 835 if ( ! str_ends_with( $value, $quote ) ) { 836 return ''; 837 } 838 $value = substr( $value, 1, -1 ); 839 } else { 840 $quote = '"'; 841 } 842 843 // Sanitize quotes, angle braces, and entities. 844 $value = esc_attr( $value ); 845 846 // Sanitize URI values. 847 if ( in_array( strtolower( $name ), $uris, true ) ) { 848 $value = wp_kses_bad_protocol( $value, $allowed_protocols ); 849 } 850 851 $attr = "$name=$quote$value$quote"; 852 $vless = 'n'; 853 } else { 854 $value = ''; 855 $vless = 'y'; 856 } 857 858 // Sanitize attribute by name. 859 wp_kses_attr_check( $name, $value, $attr, $vless, $element, $allowed_html ); 860 861 // Restore whitespace. 862 return $lead . $attr . $trail; 863 } 864 865 /** 866 * Returns an array of allowed HTML tags and attributes for a given context. 867 * 868 * @since 3.5.0 869 * @since 5.0.1 `form` removed as allowable HTML tag. 870 * 871 * @global array $allowedposttags 872 * @global array $allowedtags 873 * @global array $allowedentitynames 874 * 875 * @param string|array $context The context for which to retrieve tags. Allowed values are 'post', 876 * 'strip', 'data', 'entities', or the name of a field filter such as 877 * 'pre_user_description', or an array of allowed HTML elements and attributes. 878 * @return array Array of allowed HTML tags and their allowed attributes. 879 */ 880 function wp_kses_allowed_html( $context = '' ) { 881 global $allowedposttags, $allowedtags, $allowedentitynames; 882 883 if ( is_array( $context ) ) { 884 // When `$context` is an array it's actually an array of allowed HTML elements and attributes. 885 $html = $context; 886 $context = 'explicit'; 887 888 /** 889 * Filters the HTML tags that are allowed for a given context. 890 * 891 * HTML tags and attribute names are case-insensitive in HTML but must be 892 * added to the KSES allow list in lowercase. An item added to the allow list 893 * in upper or mixed case will not recognized as permitted by KSES. 894 * 895 * @since 3.5.0 896 * 897 * @param array[] $html Allowed HTML tags. 898 * @param string $context Context name. 899 */ 900 return apply_filters( 'wp_kses_allowed_html', $html, $context ); 901 } 902 903 switch ( $context ) { 904 case 'post': 905 /** This filter is documented in wp-includes/kses.php */ 906 $tags = apply_filters( 'wp_kses_allowed_html', $allowedposttags, $context ); 907 908 // 5.0.1 removed the `<form>` tag, allow it if a filter is allowing it's sub-elements `<input>` or `<select>`. 909 if ( ! CUSTOM_TAGS && ! isset( $tags['form'] ) && ( isset( $tags['input'] ) || isset( $tags['select'] ) ) ) { 910 $tags = $allowedposttags; 911 912 $tags['form'] = array( 913 'action' => true, 914 'accept' => true, 915 'accept-charset' => true, 916 'enctype' => true, 917 'method' => true, 918 'name' => true, 919 'target' => true, 920 ); 921 922 /** This filter is documented in wp-includes/kses.php */ 923 $tags = apply_filters( 'wp_kses_allowed_html', $tags, $context ); 924 } 925 926 return $tags; 927 928 case 'user_description': 929 case 'pre_term_description': 930 case 'pre_user_description': 931 $tags = $allowedtags; 932 $tags['a']['rel'] = true; 933 $tags['a']['target'] = true; 934 /** This filter is documented in wp-includes/kses.php */ 935 return apply_filters( 'wp_kses_allowed_html', $tags, $context ); 936 937 case 'strip': 938 /** This filter is documented in wp-includes/kses.php */ 939 return apply_filters( 'wp_kses_allowed_html', array(), $context ); 940 941 case 'entities': 942 /** This filter is documented in wp-includes/kses.php */ 943 return apply_filters( 'wp_kses_allowed_html', $allowedentitynames, $context ); 944 945 case 'data': 946 default: 947 /** This filter is documented in wp-includes/kses.php */ 948 return apply_filters( 'wp_kses_allowed_html', $allowedtags, $context ); 949 } 950 } 951 952 /** 953 * You add any KSES hooks here. 954 * 955 * There is currently only one KSES WordPress hook, {@see 'pre_kses'}, and it is called here. 956 * All parameters are passed to the hooks and expected to receive a string. 957 * 958 * @since 1.0.0 959 * 960 * @param string $content Content to filter through KSES. 961 * @param array[]|string $allowed_html An array of allowed HTML elements and attributes, 962 * or a context name such as 'post'. See wp_kses_allowed_html() 963 * for the list of accepted context names. 964 * @param string[] $allowed_protocols Array of allowed URL protocols. 965 * @return string Filtered content through {@see 'pre_kses'} hook. 966 */ 967 function wp_kses_hook( $content, $allowed_html, $allowed_protocols ) { 968 /** 969 * Filters content to be run through KSES. 970 * 971 * @since 2.3.0 972 * 973 * @param string $content Content to filter through KSES. 974 * @param array[]|string $allowed_html An array of allowed HTML elements and attributes, 975 * or a context name such as 'post'. See wp_kses_allowed_html() 976 * for the list of accepted context names. 977 * @param string[] $allowed_protocols Array of allowed URL protocols. 978 */ 979 return apply_filters( 'pre_kses', $content, $allowed_html, $allowed_protocols ); 980 } 981 982 /** 983 * Returns the version number of KSES. 984 * 985 * @since 1.0.0 986 * 987 * @return string KSES version number. 988 */ 989 function wp_kses_version() { 990 return '0.2.2'; 991 } 992 993 /** 994 * Searches for HTML tags, no matter how malformed. 995 * 996 * It also matches stray `>` characters. 997 * 998 * @since 1.0.0 999 * @since 6.6.0 Recognize additional forms of invalid HTML which convert into comments. 1000 * 1001 * @global array[]|string $pass_allowed_html An array of allowed HTML elements and attributes, 1002 * or a context name such as 'post'. 1003 * @global string[] $pass_allowed_protocols Array of allowed URL protocols. 1004 * 1005 * @param string $content Content to filter. 1006 * @param array[]|string $allowed_html An array of allowed HTML elements and attributes, 1007 * or a context name such as 'post'. See wp_kses_allowed_html() 1008 * for the list of accepted context names. 1009 * @param string[] $allowed_protocols Array of allowed URL protocols. 1010 * @return string Content with fixed HTML tags 1011 */ 1012 function wp_kses_split( $content, $allowed_html, $allowed_protocols ) { 1013 global $pass_allowed_html, $pass_allowed_protocols; 1014 1015 $pass_allowed_html = $allowed_html; 1016 $pass_allowed_protocols = $allowed_protocols; 1017 1018 $token_pattern = <<<REGEX 1019 ~ 1020 ( # Detect comments of various flavors before attempting to find tags. 1021 (<!--.*?(-->|$)) # - Normative HTML comments. 1022 | 1023 </[^a-zA-Z][^>]*> # - Closing tags with invalid tag names. 1024 | 1025 <![^>]*> # - Invalid markup declaration nodes. Not all invalid nodes 1026 # are matched so as to avoid breaking legacy behaviors. 1027 ) 1028 | 1029 (<[^>]*(>|$)|>) # Tag-like spans of text. 1030 ~x 1031 REGEX; 1032 return preg_replace_callback( $token_pattern, '_wp_kses_split_callback', $content ); 1033 } 1034 1035 /** 1036 * Returns an array of HTML attribute names whose value contains a URL. 1037 * 1038 * This function returns a list of all HTML attributes that must contain 1039 * a URL according to the HTML specification. 1040 * 1041 * This list includes URI attributes both allowed and disallowed by KSES. 1042 * 1043 * @link https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes 1044 * 1045 * @since 5.0.1 1046 * 1047 * @return string[] HTML attribute names whose value contains a URL. 1048 */ 1049 function wp_kses_uri_attributes() { 1050 $uri_attributes = array( 1051 'action', 1052 'archive', 1053 'background', 1054 'cite', 1055 'classid', 1056 'codebase', 1057 'data', 1058 'formaction', 1059 'href', 1060 'icon', 1061 'longdesc', 1062 'manifest', 1063 'poster', 1064 'profile', 1065 'src', 1066 'usemap', 1067 'xmlns', 1068 ); 1069 1070 /** 1071 * Filters the list of attributes that are required to contain a URL. 1072 * 1073 * Use this filter to add any `data-` attributes that are required to be 1074 * validated as a URL. 1075 * 1076 * @since 5.0.1 1077 * 1078 * @param string[] $uri_attributes HTML attribute names whose value contains a URL. 1079 */ 1080 $uri_attributes = apply_filters( 'wp_kses_uri_attributes', $uri_attributes ); 1081 1082 return $uri_attributes; 1083 } 1084 1085 /** 1086 * Callback for `wp_kses_split()`. 1087 * 1088 * @since 3.1.0 1089 * @access private 1090 * @ignore 1091 * 1092 * @global array[]|string $pass_allowed_html An array of allowed HTML elements and attributes, 1093 * or a context name such as 'post'. 1094 * @global string[] $pass_allowed_protocols Array of allowed URL protocols. 1095 * 1096 * @param array $matches preg_replace regexp matches 1097 * @return string 1098 */ 1099 function _wp_kses_split_callback( $matches ) { 1100 global $pass_allowed_html, $pass_allowed_protocols; 1101 1102 return wp_kses_split2( $matches[0], $pass_allowed_html, $pass_allowed_protocols ); 1103 } 1104 1105 /** 1106 * Callback for `wp_kses_split()` for fixing malformed HTML tags. 1107 * 1108 * This function does a lot of work. It rejects some very malformed things like 1109 * `<:::>`. It returns an empty string, if the element isn't allowed (look ma, no 1110 * `strip_tags()`!). Otherwise it splits the tag into an element and an attribute 1111 * list. 1112 * 1113 * After the tag is split into an element and an attribute list, it is run 1114 * through another filter which will remove illegal attributes and once that is 1115 * completed, will be returned. 1116 * 1117 * @access private 1118 * @ignore 1119 * @since 1.0.0 1120 * @since 6.6.0 Recognize additional forms of invalid HTML which convert into comments. 1121 * 1122 * @param string $content Content to filter. 1123 * @param array[]|string $allowed_html An array of allowed HTML elements and attributes, 1124 * or a context name such as 'post'. See wp_kses_allowed_html() 1125 * for the list of accepted context names. 1126 * @param string[] $allowed_protocols Array of allowed URL protocols. 1127 * 1128 * @return string Fixed HTML element 1129 */ 1130 function wp_kses_split2( $content, $allowed_html, $allowed_protocols ) { 1131 $content = wp_kses_stripslashes( $content ); 1132 1133 /* 1134 * The regex pattern used to split HTML into chunks attempts 1135 * to split on HTML token boundaries. This function should 1136 * thus receive chunks that _either_ start with meaningful 1137 * syntax tokens, like a tag `<div>` or a comment `<!-- ... -->`. 1138 * 1139 * If the first character of the `$content` chunk _isn't_ one 1140 * of these syntax elements, which always starts with `<`, then 1141 * the match had to be for the final alternation of `>`. In such 1142 * case, it's probably standing on its own and could be encoded 1143 * with a character reference to remove ambiguity. 1144 * 1145 * In other words, if this chunk isn't from a match of a syntax 1146 * token, it's just a plaintext greater-than (`>`) sign. 1147 */ 1148 if ( ! str_starts_with( $content, '<' ) ) { 1149 return '>'; 1150 } 1151 1152 /* 1153 * When certain invalid syntax constructs appear, the HTML parser 1154 * shifts into what's called the "bogus comment state." This is a 1155 * plaintext state that consumes everything until the nearest `>` 1156 * and then transforms the entire span into an HTML comment. 1157 * 1158 * Preserve these comments and do not treat them like tags. 1159 * 1160 * @see https://html.spec.whatwg.org/#bogus-comment-state 1161 */ 1162 if ( 1 === preg_match( '~^(?:</[^a-zA-Z][^>]*>|<![a-z][^>]*>)$~', $content ) ) { 1163 /** 1164 * Since the pattern matches `</…>` and also `<!…>`, this will 1165 * preserve the type of the cleaned-up token in the output. 1166 */ 1167 $opener = $content[1]; 1168 $content = substr( $content, 2, -1 ); 1169 1170 do { 1171 $prev = $content; 1172 $content = wp_kses( $content, $allowed_html, $allowed_protocols ); 1173 } while ( $prev !== $content ); 1174 1175 // Recombine the modified inner content with the original token structure. 1176 return "<{$opener}{$content}>"; 1177 } 1178 1179 /* 1180 * Normative HTML comments should be handled separately as their 1181 * parsing rules differ from those for tags and text nodes. 1182 */ 1183 if ( str_starts_with( $content, '<!--' ) ) { 1184 $content = str_replace( array( '<!--', '-->' ), '', $content ); 1185 1186 while ( ( $newstring = wp_kses( $content, $allowed_html, $allowed_protocols ) ) !== $content ) { 1187 $content = $newstring; 1188 } 1189 1190 if ( '' === $content ) { 1191 return ''; 1192 } 1193 1194 // Prevent multiple dashes in comments. 1195 $content = preg_replace( '/--+/', '-', $content ); 1196 // Prevent three dashes closing a comment. 1197 $content = preg_replace( '/-$/', '', $content ); 1198 1199 return "<!--{$content}-->"; 1200 } 1201 1202 // It's seriously malformed. 1203 if ( ! preg_match( '%^<\s*(/\s*)?([a-zA-Z0-9-]+)([^>]*)>?$%', $content, $matches ) ) { 1204 return ''; 1205 } 1206 1207 $slash = trim( $matches[1] ); 1208 $elem = $matches[2]; 1209 $attrlist = $matches[3]; 1210 1211 if ( ! is_array( $allowed_html ) ) { 1212 $allowed_html = wp_kses_allowed_html( $allowed_html ); 1213 } 1214 1215 // They are using a not allowed HTML element. 1216 if ( ! isset( $allowed_html[ strtolower( $elem ) ] ) ) { 1217 return ''; 1218 } 1219 1220 // No attributes are allowed for closing elements. 1221 if ( '' !== $slash ) { 1222 return "</$elem>"; 1223 } 1224 1225 return wp_kses_attr( $elem, $attrlist, $allowed_html, $allowed_protocols ); 1226 } 1227 1228 /** 1229 * Removes all attributes, if none are allowed for this element. 1230 * 1231 * If some are allowed it calls `wp_kses_hair()` to split them further, and then 1232 * it builds up new HTML code from the data that `wp_kses_hair()` returns. It also 1233 * removes `<` and `>` characters, if there are any left. One more thing it does 1234 * is to check if the tag has a closing XHTML slash, and if it does, it puts one 1235 * in the returned code as well. 1236 * 1237 * An array of allowed values can be defined for attributes. If the attribute value 1238 * doesn't fall into the list, the attribute will be removed from the tag. 1239 * 1240 * Attributes can be marked as required. If a required attribute is not present, 1241 * KSES will remove all attributes from the tag. As KSES doesn't match opening and 1242 * closing tags, it's not possible to safely remove the tag itself, the safest 1243 * fallback is to strip all attributes from the tag, instead. 1244 * 1245 * @since 1.0.0 1246 * @since 5.9.0 Added support for an array of allowed values for attributes. 1247 * Added support for required attributes. 1248 * 1249 * @param string $element HTML element/tag. 1250 * @param string $attr HTML attributes from HTML element to closing HTML element tag. 1251 * @param array[]|string $allowed_html An array of allowed HTML elements and attributes, 1252 * or a context name such as 'post'. See wp_kses_allowed_html() 1253 * for the list of accepted context names. 1254 * @param string[] $allowed_protocols Array of allowed URL protocols. 1255 * @return string Sanitized HTML element. 1256 */ 1257 function wp_kses_attr( $element, $attr, $allowed_html, $allowed_protocols ) { 1258 if ( ! is_array( $allowed_html ) ) { 1259 $allowed_html = wp_kses_allowed_html( $allowed_html ); 1260 } 1261 1262 // Is there a closing XHTML slash at the end of the attributes? 1263 $xhtml_slash = ''; 1264 if ( preg_match( '%\s*/\s*$%', $attr ) ) { 1265 $xhtml_slash = ' /'; 1266 } 1267 1268 // Are any attributes allowed at all for this element? 1269 $element_low = strtolower( $element ); 1270 if ( empty( $allowed_html[ $element_low ] ) || true === $allowed_html[ $element_low ] ) { 1271 return "<$element$xhtml_slash>"; 1272 } 1273 1274 // Split it. 1275 $attrarr = wp_kses_hair( $attr, $allowed_protocols ); 1276 1277 // Check if there are attributes that are required. 1278 $required_attrs = array_filter( 1279 $allowed_html[ $element_low ], 1280 static function ( $required_attr_limits ) { 1281 return isset( $required_attr_limits['required'] ) && true === $required_attr_limits['required']; 1282 } 1283 ); 1284 1285 /* 1286 * If a required attribute check fails, we can return nothing for a self-closing tag, 1287 * but for a non-self-closing tag the best option is to return the element with attributes, 1288 * as KSES doesn't handle matching the relevant closing tag. 1289 */ 1290 $stripped_tag = ''; 1291 if ( empty( $xhtml_slash ) ) { 1292 $stripped_tag = "<$element>"; 1293 } 1294 1295 // Go through $attrarr, and save the allowed attributes for this element in $attr2. 1296 $attr2 = ''; 1297 foreach ( $attrarr as $arreach ) { 1298 // Check if this attribute is required. 1299 $required = isset( $required_attrs[ strtolower( $arreach['name'] ) ] ); 1300 1301 if ( wp_kses_attr_check( $arreach['name'], $arreach['value'], $arreach['whole'], $arreach['vless'], $element, $allowed_html ) ) { 1302 $attr2 .= ' ' . $arreach['whole']; 1303 1304 // If this was a required attribute, we can mark it as found. 1305 if ( $required ) { 1306 unset( $required_attrs[ strtolower( $arreach['name'] ) ] ); 1307 } 1308 } elseif ( $required ) { 1309 // This attribute was required, but didn't pass the check. The entire tag is not allowed. 1310 return $stripped_tag; 1311 } 1312 } 1313 1314 // If some required attributes weren't set, the entire tag is not allowed. 1315 if ( ! empty( $required_attrs ) ) { 1316 return $stripped_tag; 1317 } 1318 1319 // Remove any "<" or ">" characters. 1320 $attr2 = preg_replace( '/[<>]/', '', $attr2 ); 1321 1322 return "<$element$attr2$xhtml_slash>"; 1323 } 1324 1325 /** 1326 * Determines whether an attribute is allowed. 1327 * 1328 * @since 4.2.3 1329 * @since 5.0.0 Added support for `data-*` wildcard attributes. 1330 * 1331 * @param string $name The attribute name. Passed by reference. Returns empty string when not allowed. 1332 * @param string $value The attribute value. Passed by reference. Returns a filtered value. 1333 * @param string $whole The `name=value` input. Passed by reference. Returns filtered input. 1334 * @param string $vless Whether the attribute is valueless. Use 'y' or 'n'. 1335 * @param string $element The name of the element to which this attribute belongs. 1336 * @param array $allowed_html The full list of allowed elements and attributes. 1337 * @return bool Whether or not the attribute is allowed. 1338 */ 1339 function wp_kses_attr_check( &$name, &$value, &$whole, $vless, $element, $allowed_html ) { 1340 $name_low = strtolower( $name ); 1341 $element_low = strtolower( $element ); 1342 1343 if ( ! isset( $allowed_html[ $element_low ] ) ) { 1344 $name = ''; 1345 $value = ''; 1346 $whole = ''; 1347 return false; 1348 } 1349 1350 $allowed_attr = $allowed_html[ $element_low ]; 1351 1352 if ( ! isset( $allowed_attr[ $name_low ] ) || '' === $allowed_attr[ $name_low ] ) { 1353 /* 1354 * Allow `data-*` attributes. 1355 * 1356 * When specifying `$allowed_html`, the attribute name should be set as 1357 * `data-*` (not to be mixed with the HTML 4.0 `data` attribute, see 1358 * https://www.w3.org/TR/html40/struct/objects.html#adef-data). 1359 * 1360 * Note: the attribute name should only contain `A-Za-z0-9_-` chars. 1361 */ 1362 if ( str_starts_with( $name_low, 'data-' ) && ! empty( $allowed_attr['data-*'] ) 1363 && preg_match( '/^data-[a-z0-9_-]+$/', $name_low, $match ) 1364 ) { 1365 /* 1366 * Add the whole attribute name to the allowed attributes and set any restrictions 1367 * for the `data-*` attribute values for the current element. 1368 */ 1369 $allowed_attr[ $match[0] ] = $allowed_attr['data-*']; 1370 } else { 1371 $name = ''; 1372 $value = ''; 1373 $whole = ''; 1374 return false; 1375 } 1376 } 1377 1378 if ( 'style' === $name_low ) { 1379 $new_value = safecss_filter_attr( $value ); 1380 1381 if ( empty( $new_value ) ) { 1382 $name = ''; 1383 $value = ''; 1384 $whole = ''; 1385 return false; 1386 } 1387 1388 $whole = str_replace( $value, $new_value, $whole ); 1389 $value = $new_value; 1390 } 1391 1392 if ( is_array( $allowed_attr[ $name_low ] ) ) { 1393 // There are some checks. 1394 foreach ( $allowed_attr[ $name_low ] as $currkey => $currval ) { 1395 if ( ! wp_kses_check_attr_val( $value, $vless, $currkey, $currval ) ) { 1396 $name = ''; 1397 $value = ''; 1398 $whole = ''; 1399 return false; 1400 } 1401 } 1402 } 1403 1404 return true; 1405 } 1406 1407 /** 1408 * Builds an attribute list from string containing attributes. 1409 * 1410 * This function does a lot of work. It parses an attribute list into an array 1411 * with attribute data, and tries to do the right thing even if it gets weird 1412 * input. It will add quotes around attribute values that don't have any quotes 1413 * or apostrophes around them, to make it easier to produce HTML code that will 1414 * conform to W3C's HTML specification. It will also remove bad URL protocols 1415 * from attribute values. It also reduces duplicate attributes by using the 1416 * attribute defined first (`foo='bar' foo='baz'` will result in `foo='bar'`). 1417 * 1418 * @since 1.0.0 1419 * 1420 * @param string $attr Attribute list from HTML element to closing HTML element tag. 1421 * @param string[] $allowed_protocols Array of allowed URL protocols. 1422 * @return array[] Array of attribute information after parsing. 1423 */ 1424 function wp_kses_hair( $attr, $allowed_protocols ) { 1425 $attrarr = array(); 1426 $mode = 0; 1427 $attrname = ''; 1428 $uris = wp_kses_uri_attributes(); 1429 1430 // Loop through the whole attribute list. 1431 1432 while ( strlen( $attr ) !== 0 ) { 1433 $working = 0; // Was the last operation successful? 1434 1435 switch ( $mode ) { 1436 case 0: 1437 if ( preg_match( '/^([_a-zA-Z][-_a-zA-Z0-9:.]*)/', $attr, $match ) ) { 1438 $attrname = $match[1]; 1439 $working = 1; 1440 $mode = 1; 1441 $attr = preg_replace( '/^[_a-zA-Z][-_a-zA-Z0-9:.]*/', '', $attr ); 1442 } 1443 1444 break; 1445 1446 case 1: 1447 if ( preg_match( '/^\s*=\s*/', $attr ) ) { // Equals sign. 1448 $working = 1; 1449 $mode = 2; 1450 $attr = preg_replace( '/^\s*=\s*/', '', $attr ); 1451 break; 1452 } 1453 1454 if ( preg_match( '/^\s+/', $attr ) ) { // Valueless. 1455 $working = 1; 1456 $mode = 0; 1457 1458 if ( false === array_key_exists( $attrname, $attrarr ) ) { 1459 $attrarr[ $attrname ] = array( 1460 'name' => $attrname, 1461 'value' => '', 1462 'whole' => $attrname, 1463 'vless' => 'y', 1464 ); 1465 } 1466 1467 $attr = preg_replace( '/^\s+/', '', $attr ); 1468 } 1469 1470 break; 1471 1472 case 2: 1473 if ( preg_match( '%^"([^"]*)"(\s+|/?$)%', $attr, $match ) ) { 1474 // "value" 1475 $thisval = $match[1]; 1476 if ( in_array( strtolower( $attrname ), $uris, true ) ) { 1477 $thisval = wp_kses_bad_protocol( $thisval, $allowed_protocols ); 1478 } 1479 1480 if ( false === array_key_exists( $attrname, $attrarr ) ) { 1481 $attrarr[ $attrname ] = array( 1482 'name' => $attrname, 1483 'value' => $thisval, 1484 'whole' => "$attrname=\"$thisval\"", 1485 'vless' => 'n', 1486 ); 1487 } 1488 1489 $working = 1; 1490 $mode = 0; 1491 $attr = preg_replace( '/^"[^"]*"(\s+|$)/', '', $attr ); 1492 break; 1493 } 1494 1495 if ( preg_match( "%^'([^']*)'(\s+|/?$)%", $attr, $match ) ) { 1496 // 'value' 1497 $thisval = $match[1]; 1498 if ( in_array( strtolower( $attrname ), $uris, true ) ) { 1499 $thisval = wp_kses_bad_protocol( $thisval, $allowed_protocols ); 1500 } 1501 1502 if ( false === array_key_exists( $attrname, $attrarr ) ) { 1503 $attrarr[ $attrname ] = array( 1504 'name' => $attrname, 1505 'value' => $thisval, 1506 'whole' => "$attrname='$thisval'", 1507 'vless' => 'n', 1508 ); 1509 } 1510 1511 $working = 1; 1512 $mode = 0; 1513 $attr = preg_replace( "/^'[^']*'(\s+|$)/", '', $attr ); 1514 break; 1515 } 1516 1517 if ( preg_match( "%^([^\s\"']+)(\s+|/?$)%", $attr, $match ) ) { 1518 // value 1519 $thisval = $match[1]; 1520 if ( in_array( strtolower( $attrname ), $uris, true ) ) { 1521 $thisval = wp_kses_bad_protocol( $thisval, $allowed_protocols ); 1522 } 1523 1524 if ( false === array_key_exists( $attrname, $attrarr ) ) { 1525 $attrarr[ $attrname ] = array( 1526 'name' => $attrname, 1527 'value' => $thisval, 1528 'whole' => "$attrname=\"$thisval\"", 1529 'vless' => 'n', 1530 ); 1531 } 1532 1533 // We add quotes to conform to W3C's HTML spec. 1534 $working = 1; 1535 $mode = 0; 1536 $attr = preg_replace( "%^[^\s\"']+(\s+|$)%", '', $attr ); 1537 } 1538 1539 break; 1540 } // End switch. 1541 1542 if ( 0 === $working ) { // Not well-formed, remove and try again. 1543 $attr = wp_kses_html_error( $attr ); 1544 $mode = 0; 1545 } 1546 } // End while. 1547 1548 if ( 1 === $mode && false === array_key_exists( $attrname, $attrarr ) ) { 1549 /* 1550 * Special case, for when the attribute list ends with a valueless 1551 * attribute like "selected". 1552 */ 1553 $attrarr[ $attrname ] = array( 1554 'name' => $attrname, 1555 'value' => '', 1556 'whole' => $attrname, 1557 'vless' => 'y', 1558 ); 1559 } 1560 1561 return $attrarr; 1562 } 1563 1564 /** 1565 * Finds all attributes of an HTML element. 1566 * 1567 * Does not modify input. May return "evil" output. 1568 * 1569 * Based on `wp_kses_split2()` and `wp_kses_attr()`. 1570 * 1571 * @since 4.2.3 1572 * 1573 * @param string $element HTML element. 1574 * @return array|false List of attributes found in the element. Returns false on failure. 1575 */ 1576 function wp_kses_attr_parse( $element ) { 1577 $valid = preg_match( '%^(<\s*)(/\s*)?([a-zA-Z0-9]+\s*)([^>]*)(>?)$%', $element, $matches ); 1578 if ( 1 !== $valid ) { 1579 return false; 1580 } 1581 1582 $begin = $matches[1]; 1583 $slash = $matches[2]; 1584 $elname = $matches[3]; 1585 $attr = $matches[4]; 1586 $end = $matches[5]; 1587 1588 if ( '' !== $slash ) { 1589 // Closing elements do not get parsed. 1590 return false; 1591 } 1592 1593 // Is there a closing XHTML slash at the end of the attributes? 1594 if ( 1 === preg_match( '%\s*/\s*$%', $attr, $matches ) ) { 1595 $xhtml_slash = $matches[0]; 1596 $attr = substr( $attr, 0, -strlen( $xhtml_slash ) ); 1597 } else { 1598 $xhtml_slash = ''; 1599 } 1600 1601 // Split it. 1602 $attrarr = wp_kses_hair_parse( $attr ); 1603 if ( false === $attrarr ) { 1604 return false; 1605 } 1606 1607 // Make sure all input is returned by adding front and back matter. 1608 array_unshift( $attrarr, $begin . $slash . $elname ); 1609 array_push( $attrarr, $xhtml_slash . $end ); 1610 1611 return $attrarr; 1612 } 1613 1614 /** 1615 * Builds an attribute list from string containing attributes. 1616 * 1617 * Does not modify input. May return "evil" output. 1618 * In case of unexpected input, returns false instead of stripping things. 1619 * 1620 * Based on `wp_kses_hair()` but does not return a multi-dimensional array. 1621 * 1622 * @since 4.2.3 1623 * 1624 * @param string $attr Attribute list from HTML element to closing HTML element tag. 1625 * @return array|false List of attributes found in $attr. Returns false on failure. 1626 */ 1627 function wp_kses_hair_parse( $attr ) { 1628 if ( '' === $attr ) { 1629 return array(); 1630 } 1631 1632 $regex = 1633 '(?: 1634 [_a-zA-Z][-_a-zA-Z0-9:.]* # Attribute name. 1635 | 1636 \[\[?[^\[\]]+\]\]? # Shortcode in the name position implies unfiltered_html. 1637 ) 1638 (?: # Attribute value. 1639 \s*=\s* # All values begin with "=". 1640 (?: 1641 "[^"]*" # Double-quoted. 1642 | 1643 \'[^\']*\' # Single-quoted. 1644 | 1645 [^\s"\']+ # Non-quoted. 1646 (?:\s|$) # Must have a space. 1647 ) 1648 | 1649 (?:\s|$) # If attribute has no value, space is required. 1650 ) 1651 \s* # Trailing space is optional except as mentioned above. 1652 '; 1653 1654 /* 1655 * Although it is possible to reduce this procedure to a single regexp, 1656 * we must run that regexp twice to get exactly the expected result. 1657 * 1658 * Note: do NOT remove the `x` modifiers as they are essential for the above regex! 1659 */ 1660 1661 $validation = "/^($regex)+$/x"; 1662 $extraction = "/$regex/x"; 1663 1664 if ( 1 === preg_match( $validation, $attr ) ) { 1665 preg_match_all( $extraction, $attr, $attrarr ); 1666 return $attrarr[0]; 1667 } else { 1668 return false; 1669 } 1670 } 1671 1672 /** 1673 * Performs different checks for attribute values. 1674 * 1675 * The currently implemented checks are "maxlen", "minlen", "maxval", "minval", 1676 * and "valueless". 1677 * 1678 * @since 1.0.0 1679 * 1680 * @param string $value Attribute value. 1681 * @param string $vless Whether the attribute is valueless. Use 'y' or 'n'. 1682 * @param string $checkname What $checkvalue is checking for. 1683 * @param mixed $checkvalue What constraint the value should pass. 1684 * @return bool Whether check passes. 1685 */ 1686 function wp_kses_check_attr_val( $value, $vless, $checkname, $checkvalue ) { 1687 $ok = true; 1688 1689 switch ( strtolower( $checkname ) ) { 1690 case 'maxlen': 1691 /* 1692 * The maxlen check makes sure that the attribute value has a length not 1693 * greater than the given value. This can be used to avoid Buffer Overflows 1694 * in WWW clients and various Internet servers. 1695 */ 1696 1697 if ( strlen( $value ) > $checkvalue ) { 1698 $ok = false; 1699 } 1700 break; 1701 1702 case 'minlen': 1703 /* 1704 * The minlen check makes sure that the attribute value has a length not 1705 * smaller than the given value. 1706 */ 1707 1708 if ( strlen( $value ) < $checkvalue ) { 1709 $ok = false; 1710 } 1711 break; 1712 1713 case 'maxval': 1714 /* 1715 * The maxval check does two things: it checks that the attribute value is 1716 * an integer from 0 and up, without an excessive amount of zeroes or 1717 * whitespace (to avoid Buffer Overflows). It also checks that the attribute 1718 * value is not greater than the given value. 1719 * This check can be used to avoid Denial of Service attacks. 1720 */ 1721 1722 if ( ! preg_match( '/^\s{0,6}[0-9]{1,6}\s{0,6}$/', $value ) ) { 1723 $ok = false; 1724 } 1725 if ( $value > $checkvalue ) { 1726 $ok = false; 1727 } 1728 break; 1729 1730 case 'minval': 1731 /* 1732 * The minval check makes sure that the attribute value is a positive integer, 1733 * and that it is not smaller than the given value. 1734 */ 1735 1736 if ( ! preg_match( '/^\s{0,6}[0-9]{1,6}\s{0,6}$/', $value ) ) { 1737 $ok = false; 1738 } 1739 if ( $value < $checkvalue ) { 1740 $ok = false; 1741 } 1742 break; 1743 1744 case 'valueless': 1745 /* 1746 * The valueless check makes sure if the attribute has a value 1747 * (like `<a href="blah">`) or not (`<option selected>`). If the given value 1748 * is a "y" or a "Y", the attribute must not have a value. 1749 * If the given value is an "n" or an "N", the attribute must have a value. 1750 */ 1751 1752 if ( strtolower( $checkvalue ) !== $vless ) { 1753 $ok = false; 1754 } 1755 break; 1756 1757 case 'values': 1758 /* 1759 * The values check is used when you want to make sure that the attribute 1760 * has one of the given values. 1761 */ 1762 1763 if ( false === array_search( strtolower( $value ), $checkvalue, true ) ) { 1764 $ok = false; 1765 } 1766 break; 1767 1768 case 'value_callback': 1769 /* 1770 * The value_callback check is used when you want to make sure that the attribute 1771 * value is accepted by the callback function. 1772 */ 1773 1774 if ( ! call_user_func( $checkvalue, $value ) ) { 1775 $ok = false; 1776 } 1777 break; 1778 } // End switch. 1779 1780 return $ok; 1781 } 1782 1783 /** 1784 * Sanitizes a string and removed disallowed URL protocols. 1785 * 1786 * This function removes all non-allowed protocols from the beginning of the 1787 * string. It ignores whitespace and the case of the letters, and it does 1788 * understand HTML entities. It does its work recursively, so it won't be 1789 * fooled by a string like `javascript:javascript:alert(57)`. 1790 * 1791 * @since 1.0.0 1792 * 1793 * @param string $content Content to filter bad protocols from. 1794 * @param string[] $allowed_protocols Array of allowed URL protocols. 1795 * @return string Filtered content. 1796 */ 1797 function wp_kses_bad_protocol( $content, $allowed_protocols ) { 1798 $content = wp_kses_no_null( $content ); 1799 1800 // Short-circuit if the string starts with `https://` or `http://`. Most common cases. 1801 if ( 1802 ( str_starts_with( $content, 'https://' ) && in_array( 'https', $allowed_protocols, true ) ) || 1803 ( str_starts_with( $content, 'http://' ) && in_array( 'http', $allowed_protocols, true ) ) 1804 ) { 1805 return $content; 1806 } 1807 1808 $iterations = 0; 1809 1810 do { 1811 $original_content = $content; 1812 $content = wp_kses_bad_protocol_once( $content, $allowed_protocols ); 1813 } while ( $original_content !== $content && ++$iterations < 6 ); 1814 1815 if ( $original_content !== $content ) { 1816 return ''; 1817 } 1818 1819 return $content; 1820 } 1821 1822 /** 1823 * Removes any invalid control characters in a text string. 1824 * 1825 * Also removes any instance of the `\0` string. 1826 * 1827 * @since 1.0.0 1828 * 1829 * @param string $content Content to filter null characters from. 1830 * @param array $options Set 'slash_zero' => 'keep' when '\0' is allowed. Default is 'remove'. 1831 * @return string Filtered content. 1832 */ 1833 function wp_kses_no_null( $content, $options = null ) { 1834 if ( ! isset( $options['slash_zero'] ) ) { 1835 $options = array( 'slash_zero' => 'remove' ); 1836 } 1837 1838 $content = preg_replace( '/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $content ); 1839 if ( 'remove' === $options['slash_zero'] ) { 1840 $content = preg_replace( '/\\\\+0+/', '', $content ); 1841 } 1842 1843 return $content; 1844 } 1845 1846 /** 1847 * Strips slashes from in front of quotes. 1848 * 1849 * This function changes the character sequence `\"` to just `"`. It leaves all other 1850 * slashes alone. The quoting from `preg_replace(//e)` requires this. 1851 * 1852 * @since 1.0.0 1853 * 1854 * @param string $content String to strip slashes from. 1855 * @return string Fixed string with quoted slashes. 1856 */ 1857 function wp_kses_stripslashes( $content ) { 1858 return preg_replace( '%\\\\"%', '"', $content ); 1859 } 1860 1861 /** 1862 * Converts the keys of an array to lowercase. 1863 * 1864 * @since 1.0.0 1865 * 1866 * @param array $inarray Unfiltered array. 1867 * @return array Fixed array with all lowercase keys. 1868 */ 1869 function wp_kses_array_lc( $inarray ) { 1870 $outarray = array(); 1871 1872 foreach ( (array) $inarray as $inkey => $inval ) { 1873 $outkey = strtolower( $inkey ); 1874 $outarray[ $outkey ] = array(); 1875 1876 foreach ( (array) $inval as $inkey2 => $inval2 ) { 1877 $outkey2 = strtolower( $inkey2 ); 1878 $outarray[ $outkey ][ $outkey2 ] = $inval2; 1879 } 1880 } 1881 1882 return $outarray; 1883 } 1884 1885 /** 1886 * Handles parsing errors in `wp_kses_hair()`. 1887 * 1888 * The general plan is to remove everything to and including some whitespace, 1889 * but it deals with quotes and apostrophes as well. 1890 * 1891 * @since 1.0.0 1892 * 1893 * @param string $attr 1894 * @return string 1895 */ 1896 function wp_kses_html_error( $attr ) { 1897 return preg_replace( '/^("[^"]*("|$)|\'[^\']*(\'|$)|\S)*\s*/', '', $attr ); 1898 } 1899 1900 /** 1901 * Sanitizes content from bad protocols and other characters. 1902 * 1903 * This function searches for URL protocols at the beginning of the string, while 1904 * handling whitespace and HTML entities. 1905 * 1906 * @since 1.0.0 1907 * 1908 * @param string $content Content to check for bad protocols. 1909 * @param string[] $allowed_protocols Array of allowed URL protocols. 1910 * @param int $count Depth of call recursion to this function. 1911 * @return string Sanitized content. 1912 */ 1913 function wp_kses_bad_protocol_once( $content, $allowed_protocols, $count = 1 ) { 1914 $content = preg_replace( '/(�*58(?![;0-9])|�*3a(?![;a-f0-9]))/i', '$1;', $content ); 1915 $content2 = preg_split( '/:|�*58;|�*3a;|:/i', $content, 2 ); 1916 1917 if ( isset( $content2[1] ) && ! preg_match( '%/\?%', $content2[0] ) ) { 1918 $content = trim( $content2[1] ); 1919 $protocol = wp_kses_bad_protocol_once2( $content2[0], $allowed_protocols ); 1920 if ( 'feed:' === $protocol ) { 1921 if ( $count > 2 ) { 1922 return ''; 1923 } 1924 $content = wp_kses_bad_protocol_once( $content, $allowed_protocols, ++$count ); 1925 if ( empty( $content ) ) { 1926 return $content; 1927 } 1928 } 1929 $content = $protocol . $content; 1930 } 1931 1932 return $content; 1933 } 1934 1935 /** 1936 * Callback for `wp_kses_bad_protocol_once()` regular expression. 1937 * 1938 * This function processes URL protocols, checks to see if they're in the 1939 * list of allowed protocols or not, and returns different data depending 1940 * on the answer. 1941 * 1942 * @access private 1943 * @ignore 1944 * @since 1.0.0 1945 * 1946 * @param string $scheme URI scheme to check against the list of allowed protocols. 1947 * @param string[] $allowed_protocols Array of allowed URL protocols. 1948 * @return string Sanitized content. 1949 */ 1950 function wp_kses_bad_protocol_once2( $scheme, $allowed_protocols ) { 1951 $scheme = wp_kses_decode_entities( $scheme ); 1952 $scheme = preg_replace( '/\s/', '', $scheme ); 1953 $scheme = wp_kses_no_null( $scheme ); 1954 $scheme = strtolower( $scheme ); 1955 1956 $allowed = false; 1957 foreach ( (array) $allowed_protocols as $one_protocol ) { 1958 if ( strtolower( $one_protocol ) === $scheme ) { 1959 $allowed = true; 1960 break; 1961 } 1962 } 1963 1964 if ( $allowed ) { 1965 return "$scheme:"; 1966 } else { 1967 return ''; 1968 } 1969 } 1970 1971 /** 1972 * Converts and fixes HTML entities. 1973 * 1974 * This function normalizes HTML entities. It will convert `AT&T` to the correct 1975 * `AT&T`, `:` to `:`, `&#XYZZY;` to `&#XYZZY;` and so on. 1976 * 1977 * When `$context` is set to 'xml', HTML entities are converted to their code points. For 1978 * example, `AT&T…&#XYZZY;` is converted to `AT&T…&#XYZZY;`. 1979 * 1980 * @since 1.0.0 1981 * @since 5.5.0 Added `$context` parameter. 1982 * 1983 * @param string $content Content to normalize entities. 1984 * @param string $context Context for normalization. Can be either 'html' or 'xml'. 1985 * Default 'html'. 1986 * @return string Content with normalized entities. 1987 */ 1988 function wp_kses_normalize_entities( $content, $context = 'html' ) { 1989 // Disarm all entities by converting & to & 1990 $content = str_replace( '&', '&', $content ); 1991 1992 /* 1993 * Decode any character references that are now double-encoded. 1994 * 1995 * It's important that the following normalizations happen in the correct order. 1996 * 1997 * At this point, all `&` have been transformed to `&`. Double-encoded named character 1998 * references like `&amp;` will be decoded back to their single-encoded form `&`. 1999 * 2000 * First, numeric (decimal and hexadecimal) character references must be handled so that 2001 * `&#09;` becomes `	`. If the named character references were handled first, there 2002 * would be no way to know whether the double-encoded character reference had been produced 2003 * in this function or was the original input. 2004 * 2005 * Consider the two examples, first with named entity decoding followed by numeric 2006 * entity decoding. We'll use U+002E FULL STOP (.) in our example, this table follows the 2007 * string processing from left to right: 2008 * 2009 * | Input | &-encoded | Named ref double-decoded | Numeric ref double-decoded | 2010 * | ------------ | ---------------- | ------------------------- | -------------------------- | 2011 * | `.` | `&#x2E;` | `&#x2E;` | `.` | 2012 * | `&#x2E;` | `&amp;#x2E;` | `&#x2E;` | `.` | 2013 * 2014 * Notice in the example above that different inputs result in the same result. The second case 2015 * was not normalized and produced HTML that is semantically different from the input. 2016 * 2017 * | Input | &-encoded | Numeric ref double-decoded | Named ref double-decoded | 2018 * | ------------ | ---------------- | --------------------------- | ------------------------ | 2019 * | `.` | `&#x2E;` | `.` | `.` | 2020 * | `&#x2E;` | `&amp;#x2E;` | `&amp;#x2E;` | `&#x2E;` | 2021 * 2022 * Here, each input is normalized to an appropriate output. 2023 */ 2024 $content = preg_replace_callback( '/&#(0*[0-9]{1,7});/', 'wp_kses_normalize_entities2', $content ); 2025 $content = preg_replace_callback( '/&#[Xx](0*[0-9A-Fa-f]{1,6});/', 'wp_kses_normalize_entities3', $content ); 2026 if ( 'xml' === $context ) { 2027 $content = preg_replace_callback( '/&([A-Za-z]{2,8}[0-9]{0,2});/', 'wp_kses_xml_named_entities', $content ); 2028 } else { 2029 $content = preg_replace_callback( '/&([A-Za-z]{2,8}[0-9]{0,2});/', 'wp_kses_named_entities', $content ); 2030 } 2031 2032 return $content; 2033 } 2034 2035 /** 2036 * Callback for `wp_kses_normalize_entities()` regular expression. 2037 * 2038 * This function only accepts valid named entity references, which are finite, 2039 * case-sensitive, and highly scrutinized by HTML and XML validators. 2040 * 2041 * @since 3.0.0 2042 * 2043 * @global array $allowedentitynames 2044 * 2045 * @param array $matches preg_replace_callback() matches array. 2046 * @return string Correctly encoded entity. 2047 */ 2048 function wp_kses_named_entities( $matches ) { 2049 global $allowedentitynames; 2050 2051 if ( empty( $matches[1] ) ) { 2052 return ''; 2053 } 2054 2055 $i = $matches[1]; 2056 return ( ! in_array( $i, $allowedentitynames, true ) ) ? "&$i;" : "&$i;"; 2057 } 2058 2059 /** 2060 * Callback for `wp_kses_normalize_entities()` regular expression. 2061 * 2062 * This function only accepts valid named entity references, which are finite, 2063 * case-sensitive, and highly scrutinized by XML validators. HTML named entity 2064 * references are converted to their code points. 2065 * 2066 * @since 5.5.0 2067 * 2068 * @global array $allowedentitynames 2069 * @global array $allowedxmlentitynames 2070 * 2071 * @param array $matches preg_replace_callback() matches array. 2072 * @return string Correctly encoded entity. 2073 */ 2074 function wp_kses_xml_named_entities( $matches ) { 2075 global $allowedentitynames, $allowedxmlentitynames; 2076 2077 if ( empty( $matches[1] ) ) { 2078 return ''; 2079 } 2080 2081 $i = $matches[1]; 2082 2083 if ( in_array( $i, $allowedxmlentitynames, true ) ) { 2084 return "&$i;"; 2085 } elseif ( in_array( $i, $allowedentitynames, true ) ) { 2086 return html_entity_decode( "&$i;", ENT_HTML5 ); 2087 } 2088 2089 return "&$i;"; 2090 } 2091 2092 /** 2093 * Callback for `wp_kses_normalize_entities()` regular expression. 2094 * 2095 * This function helps `wp_kses_normalize_entities()` to only accept 16-bit 2096 * values and nothing more for `&#number;` entities. 2097 * 2098 * @access private 2099 * @ignore 2100 * @since 1.0.0 2101 * 2102 * @param array $matches `preg_replace_callback()` matches array. 2103 * @return string Correctly encoded entity. 2104 */ 2105 function wp_kses_normalize_entities2( $matches ) { 2106 if ( empty( $matches[1] ) ) { 2107 return ''; 2108 } 2109 2110 $i = $matches[1]; 2111 2112 if ( valid_unicode( $i ) ) { 2113 $i = str_pad( ltrim( $i, '0' ), 3, '0', STR_PAD_LEFT ); 2114 $i = "&#$i;"; 2115 } else { 2116 $i = "&#$i;"; 2117 } 2118 2119 return $i; 2120 } 2121 2122 /** 2123 * Callback for `wp_kses_normalize_entities()` for regular expression. 2124 * 2125 * This function helps `wp_kses_normalize_entities()` to only accept valid Unicode 2126 * numeric entities in hex form. 2127 * 2128 * @since 2.7.0 2129 * @access private 2130 * @ignore 2131 * 2132 * @param array $matches `preg_replace_callback()` matches array. 2133 * @return string Correctly encoded entity. 2134 */ 2135 function wp_kses_normalize_entities3( $matches ) { 2136 if ( empty( $matches[1] ) ) { 2137 return ''; 2138 } 2139 2140 $hexchars = $matches[1]; 2141 2142 return ( ! valid_unicode( hexdec( $hexchars ) ) ) ? "&#x$hexchars;" : '&#x' . ltrim( $hexchars, '0' ) . ';'; 2143 } 2144 2145 /** 2146 * Determines if a Unicode codepoint is valid. 2147 * 2148 * The definition of a valid Unicode codepoint is taken from the XML definition: 2149 * 2150 * > Characters 2151 * > 2152 * > … 2153 * > Legal characters are tab, carriage return, line feed, and the legal characters of 2154 * > Unicode and ISO/IEC 10646. 2155 * > … 2156 * > Char ::= #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF] 2157 * 2158 * @since 2.7.0 2159 * 2160 * @see https://www.w3.org/TR/xml/#charsets 2161 * 2162 * @param int $i Unicode codepoint. 2163 * @return bool Whether or not the codepoint is a valid Unicode codepoint. 2164 */ 2165 function valid_unicode( $i ) { 2166 $i = (int) $i; 2167 2168 return ( 2169 0x9 === $i || // U+0009 HORIZONTAL TABULATION (HT) 2170 0xA === $i || // U+000A LINE FEED (LF) 2171 0xD === $i || // U+000D CARRIAGE RETURN (CR) 2172 /* 2173 * The valid Unicode characters according to the XML specification: 2174 * 2175 * > any Unicode character, excluding the surrogate blocks, FFFE, and FFFF. 2176 */ 2177 ( 0x20 <= $i && $i <= 0xD7FF ) || 2178 ( 0xE000 <= $i && $i <= 0xFFFD ) || 2179 ( 0x10000 <= $i && $i <= 0x10FFFF ) 2180 ); 2181 } 2182 2183 /** 2184 * Converts all numeric HTML entities to their named counterparts. 2185 * 2186 * This function decodes numeric HTML entities (`A` and `A`). 2187 * It doesn't do anything with named entities like `ä`, but we don't 2188 * need them in the allowed URL protocols system anyway. 2189 * 2190 * @since 1.0.0 2191 * 2192 * @param string $content Content to change entities. 2193 * @return string Content after decoded entities. 2194 */ 2195 function wp_kses_decode_entities( $content ) { 2196 $content = preg_replace_callback( '/&#([0-9]+);/', '_wp_kses_decode_entities_chr', $content ); 2197 $content = preg_replace_callback( '/&#[Xx]([0-9A-Fa-f]+);/', '_wp_kses_decode_entities_chr_hexdec', $content ); 2198 2199 return $content; 2200 } 2201 2202 /** 2203 * Regex callback for `wp_kses_decode_entities()`. 2204 * 2205 * @since 2.9.0 2206 * @access private 2207 * @ignore 2208 * 2209 * @param array $matches preg match 2210 * @return string 2211 */ 2212 function _wp_kses_decode_entities_chr( $matches ) { 2213 return chr( $matches[1] ); 2214 } 2215 2216 /** 2217 * Regex callback for `wp_kses_decode_entities()`. 2218 * 2219 * @since 2.9.0 2220 * @access private 2221 * @ignore 2222 * 2223 * @param array $matches preg match 2224 * @return string 2225 */ 2226 function _wp_kses_decode_entities_chr_hexdec( $matches ) { 2227 return chr( hexdec( $matches[1] ) ); 2228 } 2229 2230 /** 2231 * Sanitize content with allowed HTML KSES rules. 2232 * 2233 * This function expects slashed data. 2234 * 2235 * @since 1.0.0 2236 * 2237 * @param string $data Content to filter, expected to be escaped with slashes. 2238 * @return string Filtered content. 2239 */ 2240 function wp_filter_kses( $data ) { 2241 return addslashes( wp_kses( stripslashes( $data ), current_filter() ) ); 2242 } 2243 2244 /** 2245 * Sanitize content with allowed HTML KSES rules. 2246 * 2247 * This function expects unslashed data. 2248 * 2249 * @since 2.9.0 2250 * 2251 * @param string $data Content to filter, expected to not be escaped. 2252 * @return string Filtered content. 2253 */ 2254 function wp_kses_data( $data ) { 2255 return wp_kses( $data, current_filter() ); 2256 } 2257 2258 /** 2259 * Sanitizes content for allowed HTML tags for post content. 2260 * 2261 * Post content refers to the page contents of the 'post' type and not `$_POST` 2262 * data from forms. 2263 * 2264 * This function expects slashed data. 2265 * 2266 * @since 2.0.0 2267 * 2268 * @param string $data Post content to filter, expected to be escaped with slashes. 2269 * @return string Filtered post content with allowed HTML tags and attributes intact. 2270 */ 2271 function wp_filter_post_kses( $data ) { 2272 return addslashes( wp_kses( stripslashes( $data ), 'post' ) ); 2273 } 2274 2275 /** 2276 * Sanitizes global styles user content removing unsafe rules. 2277 * 2278 * @since 5.9.0 2279 * 2280 * @param string $data Post content to filter. 2281 * @return string Filtered post content with unsafe rules removed. 2282 */ 2283 function wp_filter_global_styles_post( $data ) { 2284 $decoded_data = json_decode( wp_unslash( $data ), true ); 2285 $json_decoding_error = json_last_error(); 2286 if ( 2287 JSON_ERROR_NONE === $json_decoding_error && 2288 is_array( $decoded_data ) && 2289 isset( $decoded_data['isGlobalStylesUserThemeJSON'] ) && 2290 $decoded_data['isGlobalStylesUserThemeJSON'] 2291 ) { 2292 unset( $decoded_data['isGlobalStylesUserThemeJSON'] ); 2293 2294 $data_to_encode = WP_Theme_JSON::remove_insecure_properties( $decoded_data, 'custom' ); 2295 2296 $data_to_encode['isGlobalStylesUserThemeJSON'] = true; 2297 return wp_slash( wp_json_encode( $data_to_encode ) ); 2298 } 2299 return $data; 2300 } 2301 2302 /** 2303 * Sanitizes content for allowed HTML tags for post content. 2304 * 2305 * Post content refers to the page contents of the 'post' type and not `$_POST` 2306 * data from forms. 2307 * 2308 * This function expects unslashed data. 2309 * 2310 * @since 2.9.0 2311 * 2312 * @param string $data Post content to filter. 2313 * @return string Filtered post content with allowed HTML tags and attributes intact. 2314 */ 2315 function wp_kses_post( $data ) { 2316 return wp_kses( $data, 'post' ); 2317 } 2318 2319 /** 2320 * Navigates through an array, object, or scalar, and sanitizes content for 2321 * allowed HTML tags for post content. 2322 * 2323 * @since 4.4.2 2324 * 2325 * @see map_deep() 2326 * 2327 * @param mixed $data The array, object, or scalar value to inspect. 2328 * @return mixed The filtered content. 2329 */ 2330 function wp_kses_post_deep( $data ) { 2331 return map_deep( $data, 'wp_kses_post' ); 2332 } 2333 2334 /** 2335 * Strips all HTML from a text string. 2336 * 2337 * This function expects slashed data. 2338 * 2339 * @since 2.1.0 2340 * 2341 * @param string $data Content to strip all HTML from. 2342 * @return string Filtered content without any HTML. 2343 */ 2344 function wp_filter_nohtml_kses( $data ) { 2345 return addslashes( wp_kses( stripslashes( $data ), 'strip' ) ); 2346 } 2347 2348 /** 2349 * Adds all KSES input form content filters. 2350 * 2351 * All hooks have default priority. The `wp_filter_kses()` function is added to 2352 * the 'pre_comment_content' and 'title_save_pre' hooks. 2353 * 2354 * The `wp_filter_post_kses()` function is added to the 'content_save_pre', 2355 * 'excerpt_save_pre', and 'content_filtered_save_pre' hooks. 2356 * 2357 * @since 2.0.0 2358 */ 2359 function kses_init_filters() { 2360 // Normal filtering. 2361 add_filter( 'title_save_pre', 'wp_filter_kses' ); 2362 2363 // Comment filtering. 2364 if ( current_user_can( 'unfiltered_html' ) ) { 2365 add_filter( 'pre_comment_content', 'wp_filter_post_kses' ); 2366 } else { 2367 add_filter( 'pre_comment_content', 'wp_filter_kses' ); 2368 } 2369 2370 // Global Styles filtering: Global Styles filters should be executed before normal post_kses HTML filters. 2371 add_filter( 'content_save_pre', 'wp_filter_global_styles_post', 9 ); 2372 add_filter( 'content_filtered_save_pre', 'wp_filter_global_styles_post', 9 ); 2373 2374 // Post filtering. 2375 add_filter( 'content_save_pre', 'wp_filter_post_kses' ); 2376 add_filter( 'excerpt_save_pre', 'wp_filter_post_kses' ); 2377 add_filter( 'content_filtered_save_pre', 'wp_filter_post_kses' ); 2378 } 2379 2380 /** 2381 * Removes all KSES input form content filters. 2382 * 2383 * A quick procedural method to removing all of the filters that KSES uses for 2384 * content in WordPress Loop. 2385 * 2386 * Does not remove the `kses_init()` function from {@see 'init'} hook (priority is 2387 * default). Also does not remove `kses_init()` function from {@see 'set_current_user'} 2388 * hook (priority is also default). 2389 * 2390 * @since 2.0.6 2391 */ 2392 function kses_remove_filters() { 2393 // Normal filtering. 2394 remove_filter( 'title_save_pre', 'wp_filter_kses' ); 2395 2396 // Comment filtering. 2397 remove_filter( 'pre_comment_content', 'wp_filter_post_kses' ); 2398 remove_filter( 'pre_comment_content', 'wp_filter_kses' ); 2399 2400 // Global Styles filtering. 2401 remove_filter( 'content_save_pre', 'wp_filter_global_styles_post', 9 ); 2402 remove_filter( 'content_filtered_save_pre', 'wp_filter_global_styles_post', 9 ); 2403 2404 // Post filtering. 2405 remove_filter( 'content_save_pre', 'wp_filter_post_kses' ); 2406 remove_filter( 'excerpt_save_pre', 'wp_filter_post_kses' ); 2407 remove_filter( 'content_filtered_save_pre', 'wp_filter_post_kses' ); 2408 } 2409 2410 /** 2411 * Sets up most of the KSES filters for input form content. 2412 * 2413 * First removes all of the KSES filters in case the current user does not need 2414 * to have KSES filter the content. If the user does not have `unfiltered_html` 2415 * capability, then KSES filters are added. 2416 * 2417 * @since 2.0.0 2418 */ 2419 function kses_init() { 2420 kses_remove_filters(); 2421 2422 if ( ! current_user_can( 'unfiltered_html' ) ) { 2423 kses_init_filters(); 2424 } 2425 } 2426 2427 /** 2428 * Filters an inline style attribute and removes disallowed rules. 2429 * 2430 * @since 2.8.1 2431 * @since 4.4.0 Added support for `min-height`, `max-height`, `min-width`, and `max-width`. 2432 * @since 4.6.0 Added support for `list-style-type`. 2433 * @since 5.0.0 Added support for `background-image`. 2434 * @since 5.1.0 Added support for `text-transform`. 2435 * @since 5.2.0 Added support for `background-position` and `grid-template-columns`. 2436 * @since 5.3.0 Added support for `grid`, `flex` and `column` layout properties. 2437 * Extended `background-*` support for individual properties. 2438 * @since 5.3.1 Added support for gradient backgrounds. 2439 * @since 5.7.1 Added support for `object-position`. 2440 * @since 5.8.0 Added support for `calc()` and `var()` values. 2441 * @since 6.1.0 Added support for `min()`, `max()`, `minmax()`, `clamp()`, 2442 * nested `var()` values, and assigning values to CSS variables. 2443 * Added support for `object-fit`, `gap`, `column-gap`, `row-gap`, and `flex-wrap`. 2444 * Extended `margin-*` and `padding-*` support for logical properties. 2445 * @since 6.2.0 Added support for `aspect-ratio`, `position`, `top`, `right`, `bottom`, `left`, 2446 * and `z-index` CSS properties. 2447 * @since 6.3.0 Extended support for `filter` to accept a URL and added support for repeat(). 2448 * Added support for `box-shadow`. 2449 * @since 6.4.0 Added support for `writing-mode`. 2450 * @since 6.5.0 Added support for `background-repeat`. 2451 * @since 6.6.0 Added support for `grid-column`, `grid-row`, and `container-type`. 2452 * @since 6.9.0 Added support for `white-space`. 2453 * 2454 * @param string $css A string of CSS rules. 2455 * @param string $deprecated Not used. 2456 * @return string Filtered string of CSS rules. 2457 */ 2458 function safecss_filter_attr( $css, $deprecated = '' ) { 2459 if ( ! empty( $deprecated ) ) { 2460 _deprecated_argument( __FUNCTION__, '2.8.1' ); // Never implemented. 2461 } 2462 2463 $css = wp_kses_no_null( $css ); 2464 $css = str_replace( array( "\n", "\r", "\t" ), '', $css ); 2465 2466 $allowed_protocols = wp_allowed_protocols(); 2467 2468 $css_array = explode( ';', trim( $css ) ); 2469 2470 /** 2471 * Filters the list of allowed CSS attributes. 2472 * 2473 * @since 2.8.1 2474 * 2475 * @param string[] $attr Array of allowed CSS attributes. 2476 */ 2477 $allowed_attr = apply_filters( 2478 'safe_style_css', 2479 array( 2480 'background', 2481 'background-color', 2482 'background-image', 2483 'background-position', 2484 'background-repeat', 2485 'background-size', 2486 'background-attachment', 2487 'background-blend-mode', 2488 2489 'border', 2490 'border-radius', 2491 'border-width', 2492 'border-color', 2493 'border-style', 2494 'border-right', 2495 'border-right-color', 2496 'border-right-style', 2497 'border-right-width', 2498 'border-bottom', 2499 'border-bottom-color', 2500 'border-bottom-left-radius', 2501 'border-bottom-right-radius', 2502 'border-bottom-style', 2503 'border-bottom-width', 2504 'border-bottom-right-radius', 2505 'border-bottom-left-radius', 2506 'border-left', 2507 'border-left-color', 2508 'border-left-style', 2509 'border-left-width', 2510 'border-top', 2511 'border-top-color', 2512 'border-top-left-radius', 2513 'border-top-right-radius', 2514 'border-top-style', 2515 'border-top-width', 2516 'border-top-left-radius', 2517 'border-top-right-radius', 2518 2519 'border-spacing', 2520 'border-collapse', 2521 'caption-side', 2522 2523 'columns', 2524 'column-count', 2525 'column-fill', 2526 'column-gap', 2527 'column-rule', 2528 'column-span', 2529 'column-width', 2530 2531 'color', 2532 'filter', 2533 'font', 2534 'font-family', 2535 'font-size', 2536 'font-style', 2537 'font-variant', 2538 'font-weight', 2539 'letter-spacing', 2540 'line-height', 2541 'text-align', 2542 'text-decoration', 2543 'text-indent', 2544 'text-transform', 2545 'white-space', 2546 2547 'height', 2548 'min-height', 2549 'max-height', 2550 2551 'width', 2552 'min-width', 2553 'max-width', 2554 2555 'margin', 2556 'margin-right', 2557 'margin-bottom', 2558 'margin-left', 2559 'margin-top', 2560 'margin-block-start', 2561 'margin-block-end', 2562 'margin-inline-start', 2563 'margin-inline-end', 2564 2565 'padding', 2566 'padding-right', 2567 'padding-bottom', 2568 'padding-left', 2569 'padding-top', 2570 'padding-block-start', 2571 'padding-block-end', 2572 'padding-inline-start', 2573 'padding-inline-end', 2574 2575 'flex', 2576 'flex-basis', 2577 'flex-direction', 2578 'flex-flow', 2579 'flex-grow', 2580 'flex-shrink', 2581 'flex-wrap', 2582 2583 'gap', 2584 'column-gap', 2585 'row-gap', 2586 2587 'grid-template-columns', 2588 'grid-auto-columns', 2589 'grid-column-start', 2590 'grid-column-end', 2591 'grid-column', 2592 'grid-column-gap', 2593 'grid-template-rows', 2594 'grid-auto-rows', 2595 'grid-row-start', 2596 'grid-row-end', 2597 'grid-row', 2598 'grid-row-gap', 2599 'grid-gap', 2600 2601 'justify-content', 2602 'justify-items', 2603 'justify-self', 2604 'align-content', 2605 'align-items', 2606 'align-self', 2607 2608 'clear', 2609 'cursor', 2610 'direction', 2611 'float', 2612 'list-style-type', 2613 'object-fit', 2614 'object-position', 2615 'opacity', 2616 'overflow', 2617 'vertical-align', 2618 'writing-mode', 2619 2620 'position', 2621 'top', 2622 'right', 2623 'bottom', 2624 'left', 2625 'z-index', 2626 'box-shadow', 2627 'aspect-ratio', 2628 'container-type', 2629 2630 // Custom CSS properties. 2631 '--*', 2632 ) 2633 ); 2634 2635 /* 2636 * CSS attributes that accept URL data types. 2637 * 2638 * This is in accordance to the CSS spec and unrelated to 2639 * the sub-set of supported attributes above. 2640 * 2641 * See: https://developer.mozilla.org/en-US/docs/Web/CSS/url 2642 */ 2643 $css_url_data_types = array( 2644 'background', 2645 'background-image', 2646 2647 'cursor', 2648 'filter', 2649 2650 'list-style', 2651 'list-style-image', 2652 ); 2653 2654 /* 2655 * CSS attributes that accept gradient data types. 2656 * 2657 */ 2658 $css_gradient_data_types = array( 2659 'background', 2660 'background-image', 2661 ); 2662 2663 if ( empty( $allowed_attr ) ) { 2664 return $css; 2665 } 2666 2667 $css = ''; 2668 foreach ( $css_array as $css_item ) { 2669 if ( '' === $css_item ) { 2670 continue; 2671 } 2672 2673 $css_item = trim( $css_item ); 2674 $css_test_string = $css_item; 2675 $found = false; 2676 $url_attr = false; 2677 $gradient_attr = false; 2678 $is_custom_var = false; 2679 2680 if ( ! str_contains( $css_item, ':' ) ) { 2681 $found = true; 2682 } else { 2683 $parts = explode( ':', $css_item, 2 ); 2684 $css_selector = trim( $parts[0] ); 2685 2686 // Allow assigning values to CSS variables. 2687 if ( in_array( '--*', $allowed_attr, true ) && preg_match( '/^--[a-zA-Z0-9-_]+$/', $css_selector ) ) { 2688 $allowed_attr[] = $css_selector; 2689 $is_custom_var = true; 2690 } 2691 2692 if ( in_array( $css_selector, $allowed_attr, true ) ) { 2693 $found = true; 2694 $url_attr = in_array( $css_selector, $css_url_data_types, true ); 2695 $gradient_attr = in_array( $css_selector, $css_gradient_data_types, true ); 2696 } 2697 2698 if ( $is_custom_var ) { 2699 $css_value = trim( $parts[1] ); 2700 $url_attr = str_starts_with( $css_value, 'url(' ); 2701 $gradient_attr = str_contains( $css_value, '-gradient(' ); 2702 } 2703 } 2704 2705 if ( $found && $url_attr ) { 2706 // Simplified: matches the sequence `url(*)`. 2707 preg_match_all( '/url\([^)]+\)/', $parts[1], $url_matches ); 2708 2709 foreach ( $url_matches[0] as $url_match ) { 2710 // Clean up the URL from each of the matches above. 2711 preg_match( '/^url\(\s*([\'\"]?)(.*)(\g1)\s*\)$/', $url_match, $url_pieces ); 2712 2713 if ( empty( $url_pieces[2] ) ) { 2714 $found = false; 2715 break; 2716 } 2717 2718 $url = trim( $url_pieces[2] ); 2719 2720 if ( empty( $url ) || wp_kses_bad_protocol( $url, $allowed_protocols ) !== $url ) { 2721 $found = false; 2722 break; 2723 } else { 2724 // Remove the whole `url(*)` bit that was matched above from the CSS. 2725 $css_test_string = str_replace( $url_match, '', $css_test_string ); 2726 } 2727 } 2728 } 2729 2730 if ( $found && $gradient_attr ) { 2731 $css_value = trim( $parts[1] ); 2732 if ( preg_match( '/^(repeating-)?(linear|radial|conic)-gradient\(([^()]|rgb[a]?\([^()]*\))*\)$/', $css_value ) ) { 2733 // Remove the whole `gradient` bit that was matched above from the CSS. 2734 $css_test_string = str_replace( $css_value, '', $css_test_string ); 2735 } 2736 } 2737 2738 if ( $found ) { 2739 /* 2740 * Allow CSS functions like var(), calc(), etc. by removing them from the test string. 2741 * Nested functions and parentheses are also removed, so long as the parentheses are balanced. 2742 */ 2743 $css_test_string = preg_replace( 2744 '/\b(?:var|calc|min|max|minmax|clamp|repeat)(\((?:[^()]|(?1))*\))/', 2745 '', 2746 $css_test_string 2747 ); 2748 2749 /* 2750 * Disallow CSS containing \ ( & } = or comments, except for within url(), var(), calc(), etc. 2751 * which were removed from the test string above. 2752 */ 2753 $allow_css = ! preg_match( '%[\\\(&=}]|/\*%', $css_test_string ); 2754 2755 /** 2756 * Filters the check for unsafe CSS in `safecss_filter_attr`. 2757 * 2758 * Enables developers to determine whether a section of CSS should be allowed or discarded. 2759 * By default, the value will be false if the part contains \ ( & } = or comments. 2760 * Return true to allow the CSS part to be included in the output. 2761 * 2762 * @since 5.5.0 2763 * 2764 * @param bool $allow_css Whether the CSS in the test string is considered safe. 2765 * @param string $css_test_string The CSS string to test. 2766 */ 2767 $allow_css = apply_filters( 'safecss_filter_attr_allow_css', $allow_css, $css_test_string ); 2768 2769 // Only add the CSS part if it passes the regex check. 2770 if ( $allow_css ) { 2771 if ( '' !== $css ) { 2772 $css .= ';'; 2773 } 2774 2775 $css .= $css_item; 2776 } 2777 } 2778 } 2779 2780 return $css; 2781 } 2782 2783 /** 2784 * Helper function to add global attributes to a tag in the allowed HTML list. 2785 * 2786 * @since 3.5.0 2787 * @since 5.0.0 Added support for `data-*` wildcard attributes. 2788 * @since 6.0.0 Added `dir`, `lang`, and `xml:lang` to global attributes. 2789 * @since 6.3.0 Added `aria-controls`, `aria-current`, and `aria-expanded` attributes. 2790 * @since 6.4.0 Added `aria-live` and `hidden` attributes. 2791 * 2792 * @access private 2793 * @ignore 2794 * 2795 * @param array $value An array of attributes. 2796 * @return array The array of attributes with global attributes added. 2797 */ 2798 function _wp_add_global_attributes( $value ) { 2799 $global_attributes = array( 2800 'aria-controls' => true, 2801 'aria-current' => true, 2802 'aria-describedby' => true, 2803 'aria-details' => true, 2804 'aria-expanded' => true, 2805 'aria-hidden' => true, 2806 'aria-label' => true, 2807 'aria-labelledby' => true, 2808 'aria-live' => true, 2809 'class' => true, 2810 'data-*' => true, 2811 'dir' => true, 2812 'hidden' => true, 2813 'id' => true, 2814 'lang' => true, 2815 'style' => true, 2816 'title' => true, 2817 'role' => true, 2818 'xml:lang' => true, 2819 ); 2820 2821 if ( true === $value ) { 2822 $value = array(); 2823 } 2824 2825 if ( is_array( $value ) ) { 2826 return array_merge( $value, $global_attributes ); 2827 } 2828 2829 return $value; 2830 } 2831 2832 /** 2833 * Helper function to check if this is a safe PDF URL. 2834 * 2835 * @since 5.9.0 2836 * @access private 2837 * @ignore 2838 * 2839 * @param string $url The URL to check. 2840 * @return bool True if the URL is safe, false otherwise. 2841 */ 2842 function _wp_kses_allow_pdf_objects( $url ) { 2843 // We're not interested in URLs that contain query strings or fragments. 2844 if ( str_contains( $url, '?' ) || str_contains( $url, '#' ) ) { 2845 return false; 2846 } 2847 2848 // If it doesn't have a PDF extension, it's not safe. 2849 if ( ! str_ends_with( $url, '.pdf' ) ) { 2850 return false; 2851 } 2852 2853 // If the URL host matches the current site's media URL, it's safe. 2854 $upload_info = wp_upload_dir( null, false ); 2855 $parsed_url = wp_parse_url( $upload_info['url'] ); 2856 $upload_host = isset( $parsed_url['host'] ) ? $parsed_url['host'] : ''; 2857 $upload_port = isset( $parsed_url['port'] ) ? ':' . $parsed_url['port'] : ''; 2858 2859 if ( str_starts_with( $url, "http://$upload_host$upload_port/" ) 2860 || str_starts_with( $url, "https://$upload_host$upload_port/" ) 2861 ) { 2862 return true; 2863 } 2864 2865 return false; 2866 }
title
Description
Body
title
Description
Body
title
Description
Body
title
Body
| Generated : Thu Oct 2 08:20:03 2025 | Cross-referenced by PHPXref |