[ Index ] |
PHP Cross Reference of WordPress Trunk (Updated Daily) |
[Summary view] [Print] [Text view]
1 <?php 2 /** 3 * kses 0.2.2 - HTML/XHTML filter that only allows some elements and attributes 4 * Copyright (C) 2002, 2003, 2005 Ulf Harnhammar 5 * 6 * This program is free software and open source software; you can redistribute 7 * it and/or modify it under the terms of the GNU General Public License as 8 * published by the Free Software Foundation; either version 2 of the License, 9 * or (at your option) any later version. 10 * 11 * This program is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for 14 * more details. 15 * 16 * You should have received a copy of the GNU General Public License along 17 * with this program; if not, write to the Free Software Foundation, Inc., 18 * 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA 19 * http://www.gnu.org/licenses/gpl.html 20 * 21 * [kses strips evil scripts!] 22 * 23 * Added wp_ prefix to avoid conflicts with existing kses users 24 * 25 * @version 0.2.2 26 * @copyright (C) 2002, 2003, 2005 27 * @author Ulf Harnhammar <http://advogato.org/person/metaur/> 28 * 29 * @package External 30 * @subpackage KSES 31 */ 32 33 /** 34 * Specifies the default allowable HTML tags. 35 * 36 * Using `CUSTOM_TAGS` is not recommended and should be considered deprecated. The 37 * {@see 'wp_kses_allowed_html'} filter is more powerful and supplies context. 38 * 39 * @see wp_kses_allowed_html() 40 * @since 1.2.0 41 * 42 * @var array[]|false Array of default allowable HTML tags, or false to use the defaults. 43 */ 44 if ( ! defined( 'CUSTOM_TAGS' ) ) { 45 define( 'CUSTOM_TAGS', false ); 46 } 47 48 // Ensure that these variables are added to the global namespace 49 // (e.g. if using namespaces / autoload in the current PHP environment). 50 global $allowedposttags, $allowedtags, $allowedentitynames, $allowedxmlentitynames; 51 52 if ( ! CUSTOM_TAGS ) { 53 /** 54 * KSES global for default allowable HTML tags. 55 * 56 * Can be overridden with the `CUSTOM_TAGS` constant. 57 * 58 * @var array[] $allowedposttags Array of default allowable HTML tags. 59 * @since 2.0.0 60 */ 61 $allowedposttags = array( 62 'address' => array(), 63 'a' => array( 64 'href' => true, 65 'rel' => true, 66 'rev' => true, 67 'name' => true, 68 'target' => true, 69 'download' => array( 70 'valueless' => 'y', 71 ), 72 ), 73 'abbr' => array(), 74 'acronym' => array(), 75 'area' => array( 76 'alt' => true, 77 'coords' => true, 78 'href' => true, 79 'nohref' => true, 80 'shape' => true, 81 'target' => true, 82 ), 83 'article' => array( 84 'align' => true, 85 'dir' => true, 86 'lang' => true, 87 'xml:lang' => true, 88 ), 89 'aside' => array( 90 'align' => true, 91 'dir' => true, 92 'lang' => true, 93 'xml:lang' => true, 94 ), 95 'audio' => array( 96 'autoplay' => true, 97 'controls' => true, 98 'loop' => true, 99 'muted' => true, 100 'preload' => true, 101 'src' => true, 102 ), 103 'b' => array(), 104 'bdo' => array( 105 'dir' => true, 106 ), 107 'big' => array(), 108 'blockquote' => array( 109 'cite' => true, 110 'lang' => true, 111 'xml:lang' => true, 112 ), 113 'br' => array(), 114 'button' => array( 115 'disabled' => true, 116 'name' => true, 117 'type' => true, 118 'value' => true, 119 ), 120 'caption' => array( 121 'align' => true, 122 ), 123 'cite' => array( 124 'dir' => true, 125 'lang' => true, 126 ), 127 'code' => array(), 128 'col' => array( 129 'align' => true, 130 'char' => true, 131 'charoff' => true, 132 'span' => true, 133 'dir' => true, 134 'valign' => true, 135 'width' => true, 136 ), 137 'colgroup' => array( 138 'align' => true, 139 'char' => true, 140 'charoff' => true, 141 'span' => true, 142 'valign' => true, 143 'width' => true, 144 ), 145 'del' => array( 146 'datetime' => true, 147 ), 148 'dd' => array(), 149 'dfn' => array(), 150 'details' => array( 151 'align' => true, 152 'dir' => true, 153 'lang' => true, 154 'open' => true, 155 'xml:lang' => true, 156 ), 157 'div' => array( 158 'align' => true, 159 'dir' => true, 160 'lang' => true, 161 'xml:lang' => true, 162 ), 163 'dl' => array(), 164 'dt' => array(), 165 'em' => array(), 166 'fieldset' => array(), 167 'figure' => array( 168 'align' => true, 169 'dir' => true, 170 'lang' => true, 171 'xml:lang' => true, 172 ), 173 'figcaption' => array( 174 'align' => true, 175 'dir' => true, 176 'lang' => true, 177 'xml:lang' => true, 178 ), 179 'font' => array( 180 'color' => true, 181 'face' => true, 182 'size' => true, 183 ), 184 'footer' => array( 185 'align' => true, 186 'dir' => true, 187 'lang' => true, 188 'xml:lang' => true, 189 ), 190 'h1' => array( 191 'align' => true, 192 ), 193 'h2' => array( 194 'align' => true, 195 ), 196 'h3' => array( 197 'align' => true, 198 ), 199 'h4' => array( 200 'align' => true, 201 ), 202 'h5' => array( 203 'align' => true, 204 ), 205 'h6' => array( 206 'align' => true, 207 ), 208 'header' => array( 209 'align' => true, 210 'dir' => true, 211 'lang' => true, 212 'xml:lang' => true, 213 ), 214 'hgroup' => array( 215 'align' => true, 216 'dir' => true, 217 'lang' => true, 218 'xml:lang' => true, 219 ), 220 'hr' => array( 221 'align' => true, 222 'noshade' => true, 223 'size' => true, 224 'width' => true, 225 ), 226 'i' => array(), 227 'img' => array( 228 'alt' => true, 229 'align' => true, 230 'border' => true, 231 'height' => true, 232 'hspace' => true, 233 'loading' => true, 234 'longdesc' => true, 235 'vspace' => true, 236 'src' => true, 237 'usemap' => true, 238 'width' => true, 239 ), 240 'ins' => array( 241 'datetime' => true, 242 'cite' => true, 243 ), 244 'kbd' => array(), 245 'label' => array( 246 'for' => true, 247 ), 248 'legend' => array( 249 'align' => true, 250 ), 251 'li' => array( 252 'align' => true, 253 'value' => true, 254 ), 255 'map' => array( 256 'name' => true, 257 ), 258 'mark' => array(), 259 'menu' => array( 260 'type' => true, 261 ), 262 'nav' => array( 263 'align' => true, 264 'dir' => true, 265 'lang' => true, 266 'xml:lang' => true, 267 ), 268 'p' => array( 269 'align' => true, 270 'dir' => true, 271 'lang' => true, 272 'xml:lang' => true, 273 ), 274 'pre' => array( 275 'width' => true, 276 ), 277 'q' => array( 278 'cite' => true, 279 ), 280 's' => array(), 281 'samp' => array(), 282 'span' => array( 283 'dir' => true, 284 'align' => true, 285 'lang' => true, 286 'xml:lang' => true, 287 ), 288 'section' => array( 289 'align' => true, 290 'dir' => true, 291 'lang' => true, 292 'xml:lang' => true, 293 ), 294 'small' => array(), 295 'strike' => array(), 296 'strong' => array(), 297 'sub' => array(), 298 'summary' => array( 299 'align' => true, 300 'dir' => true, 301 'lang' => true, 302 'xml:lang' => true, 303 ), 304 'sup' => array(), 305 'table' => array( 306 'align' => true, 307 'bgcolor' => true, 308 'border' => true, 309 'cellpadding' => true, 310 'cellspacing' => true, 311 'dir' => true, 312 'rules' => true, 313 'summary' => true, 314 'width' => true, 315 ), 316 'tbody' => array( 317 'align' => true, 318 'char' => true, 319 'charoff' => true, 320 'valign' => true, 321 ), 322 'td' => array( 323 'abbr' => true, 324 'align' => true, 325 'axis' => true, 326 'bgcolor' => true, 327 'char' => true, 328 'charoff' => true, 329 'colspan' => true, 330 'dir' => true, 331 'headers' => true, 332 'height' => true, 333 'nowrap' => true, 334 'rowspan' => true, 335 'scope' => true, 336 'valign' => true, 337 'width' => true, 338 ), 339 'textarea' => array( 340 'cols' => true, 341 'rows' => true, 342 'disabled' => true, 343 'name' => true, 344 'readonly' => true, 345 ), 346 'tfoot' => array( 347 'align' => true, 348 'char' => true, 349 'charoff' => true, 350 'valign' => true, 351 ), 352 'th' => array( 353 'abbr' => true, 354 'align' => true, 355 'axis' => true, 356 'bgcolor' => true, 357 'char' => true, 358 'charoff' => true, 359 'colspan' => true, 360 'headers' => true, 361 'height' => true, 362 'nowrap' => true, 363 'rowspan' => true, 364 'scope' => true, 365 'valign' => true, 366 'width' => true, 367 ), 368 'thead' => array( 369 'align' => true, 370 'char' => true, 371 'charoff' => true, 372 'valign' => true, 373 ), 374 'title' => array(), 375 'tr' => array( 376 'align' => true, 377 'bgcolor' => true, 378 'char' => true, 379 'charoff' => true, 380 'valign' => true, 381 ), 382 'track' => array( 383 'default' => true, 384 'kind' => true, 385 'label' => true, 386 'src' => true, 387 'srclang' => true, 388 ), 389 'tt' => array(), 390 'u' => array(), 391 'ul' => array( 392 'type' => true, 393 ), 394 'ol' => array( 395 'start' => true, 396 'type' => true, 397 'reversed' => true, 398 ), 399 'var' => array(), 400 'video' => array( 401 'autoplay' => true, 402 'controls' => true, 403 'height' => true, 404 'loop' => true, 405 'muted' => true, 406 'playsinline' => true, 407 'poster' => true, 408 'preload' => true, 409 'src' => true, 410 'width' => true, 411 ), 412 ); 413 414 /** 415 * @var array[] $allowedtags Array of KSES allowed HTML elements. 416 * @since 1.0.0 417 */ 418 $allowedtags = array( 419 'a' => array( 420 'href' => true, 421 'title' => true, 422 ), 423 'abbr' => array( 424 'title' => true, 425 ), 426 'acronym' => array( 427 'title' => true, 428 ), 429 'b' => array(), 430 'blockquote' => array( 431 'cite' => true, 432 ), 433 'cite' => array(), 434 'code' => array(), 435 'del' => array( 436 'datetime' => true, 437 ), 438 'em' => array(), 439 'i' => array(), 440 'q' => array( 441 'cite' => true, 442 ), 443 's' => array(), 444 'strike' => array(), 445 'strong' => array(), 446 ); 447 448 /** 449 * @var string[] $allowedentitynames Array of KSES allowed HTML entitity names. 450 * @since 1.0.0 451 */ 452 $allowedentitynames = array( 453 'nbsp', 454 'iexcl', 455 'cent', 456 'pound', 457 'curren', 458 'yen', 459 'brvbar', 460 'sect', 461 'uml', 462 'copy', 463 'ordf', 464 'laquo', 465 'not', 466 'shy', 467 'reg', 468 'macr', 469 'deg', 470 'plusmn', 471 'acute', 472 'micro', 473 'para', 474 'middot', 475 'cedil', 476 'ordm', 477 'raquo', 478 'iquest', 479 'Agrave', 480 'Aacute', 481 'Acirc', 482 'Atilde', 483 'Auml', 484 'Aring', 485 'AElig', 486 'Ccedil', 487 'Egrave', 488 'Eacute', 489 'Ecirc', 490 'Euml', 491 'Igrave', 492 'Iacute', 493 'Icirc', 494 'Iuml', 495 'ETH', 496 'Ntilde', 497 'Ograve', 498 'Oacute', 499 'Ocirc', 500 'Otilde', 501 'Ouml', 502 'times', 503 'Oslash', 504 'Ugrave', 505 'Uacute', 506 'Ucirc', 507 'Uuml', 508 'Yacute', 509 'THORN', 510 'szlig', 511 'agrave', 512 'aacute', 513 'acirc', 514 'atilde', 515 'auml', 516 'aring', 517 'aelig', 518 'ccedil', 519 'egrave', 520 'eacute', 521 'ecirc', 522 'euml', 523 'igrave', 524 'iacute', 525 'icirc', 526 'iuml', 527 'eth', 528 'ntilde', 529 'ograve', 530 'oacute', 531 'ocirc', 532 'otilde', 533 'ouml', 534 'divide', 535 'oslash', 536 'ugrave', 537 'uacute', 538 'ucirc', 539 'uuml', 540 'yacute', 541 'thorn', 542 'yuml', 543 'quot', 544 'amp', 545 'lt', 546 'gt', 547 'apos', 548 'OElig', 549 'oelig', 550 'Scaron', 551 'scaron', 552 'Yuml', 553 'circ', 554 'tilde', 555 'ensp', 556 'emsp', 557 'thinsp', 558 'zwnj', 559 'zwj', 560 'lrm', 561 'rlm', 562 'ndash', 563 'mdash', 564 'lsquo', 565 'rsquo', 566 'sbquo', 567 'ldquo', 568 'rdquo', 569 'bdquo', 570 'dagger', 571 'Dagger', 572 'permil', 573 'lsaquo', 574 'rsaquo', 575 'euro', 576 'fnof', 577 'Alpha', 578 'Beta', 579 'Gamma', 580 'Delta', 581 'Epsilon', 582 'Zeta', 583 'Eta', 584 'Theta', 585 'Iota', 586 'Kappa', 587 'Lambda', 588 'Mu', 589 'Nu', 590 'Xi', 591 'Omicron', 592 'Pi', 593 'Rho', 594 'Sigma', 595 'Tau', 596 'Upsilon', 597 'Phi', 598 'Chi', 599 'Psi', 600 'Omega', 601 'alpha', 602 'beta', 603 'gamma', 604 'delta', 605 'epsilon', 606 'zeta', 607 'eta', 608 'theta', 609 'iota', 610 'kappa', 611 'lambda', 612 'mu', 613 'nu', 614 'xi', 615 'omicron', 616 'pi', 617 'rho', 618 'sigmaf', 619 'sigma', 620 'tau', 621 'upsilon', 622 'phi', 623 'chi', 624 'psi', 625 'omega', 626 'thetasym', 627 'upsih', 628 'piv', 629 'bull', 630 'hellip', 631 'prime', 632 'Prime', 633 'oline', 634 'frasl', 635 'weierp', 636 'image', 637 'real', 638 'trade', 639 'alefsym', 640 'larr', 641 'uarr', 642 'rarr', 643 'darr', 644 'harr', 645 'crarr', 646 'lArr', 647 'uArr', 648 'rArr', 649 'dArr', 650 'hArr', 651 'forall', 652 'part', 653 'exist', 654 'empty', 655 'nabla', 656 'isin', 657 'notin', 658 'ni', 659 'prod', 660 'sum', 661 'minus', 662 'lowast', 663 'radic', 664 'prop', 665 'infin', 666 'ang', 667 'and', 668 'or', 669 'cap', 670 'cup', 671 'int', 672 'sim', 673 'cong', 674 'asymp', 675 'ne', 676 'equiv', 677 'le', 678 'ge', 679 'sub', 680 'sup', 681 'nsub', 682 'sube', 683 'supe', 684 'oplus', 685 'otimes', 686 'perp', 687 'sdot', 688 'lceil', 689 'rceil', 690 'lfloor', 691 'rfloor', 692 'lang', 693 'rang', 694 'loz', 695 'spades', 696 'clubs', 697 'hearts', 698 'diams', 699 'sup1', 700 'sup2', 701 'sup3', 702 'frac14', 703 'frac12', 704 'frac34', 705 'there4', 706 ); 707 708 /** 709 * @var string[] $allowedxmlentitynames Array of KSES allowed XML entitity names. 710 * @since 5.5.0 711 */ 712 $allowedxmlnamedentities = array( 713 'amp', 714 'lt', 715 'gt', 716 'apos', 717 'quot', 718 ); 719 720 $allowedposttags = array_map( '_wp_add_global_attributes', $allowedposttags ); 721 } else { 722 $allowedtags = wp_kses_array_lc( $allowedtags ); 723 $allowedposttags = wp_kses_array_lc( $allowedposttags ); 724 } 725 726 /** 727 * Filters text content and strips out disallowed HTML. 728 * 729 * This function makes sure that only the allowed HTML element names, attribute 730 * names, attribute values, and HTML entities will occur in the given text string. 731 * 732 * This function expects unslashed data. 733 * 734 * @see wp_kses_post() for specifically filtering post content and fields. 735 * @see wp_allowed_protocols() for the default allowed protocols in link URLs. 736 * 737 * @since 1.0.0 738 * 739 * @param string $string Text content to filter. 740 * @param array[]|string $allowed_html An array of allowed HTML elements and attributes, 741 * or a context name such as 'post'. See wp_kses_allowed_html() 742 * for the list of accepted context names. 743 * @param string[] $allowed_protocols Array of allowed URL protocols. 744 * @return string Filtered content containing only the allowed HTML. 745 */ 746 function wp_kses( $string, $allowed_html, $allowed_protocols = array() ) { 747 if ( empty( $allowed_protocols ) ) { 748 $allowed_protocols = wp_allowed_protocols(); 749 } 750 751 $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) ); 752 $string = wp_kses_normalize_entities( $string ); 753 $string = wp_kses_hook( $string, $allowed_html, $allowed_protocols ); 754 755 return wp_kses_split( $string, $allowed_html, $allowed_protocols ); 756 } 757 758 /** 759 * Filters one HTML attribute and ensures its value is allowed. 760 * 761 * This function can escape data in some situations where `wp_kses()` must strip the whole attribute. 762 * 763 * @since 4.2.3 764 * 765 * @param string $string The 'whole' attribute, including name and value. 766 * @param string $element The HTML element name to which the attribute belongs. 767 * @return string Filtered attribute. 768 */ 769 function wp_kses_one_attr( $string, $element ) { 770 $uris = wp_kses_uri_attributes(); 771 $allowed_html = wp_kses_allowed_html( 'post' ); 772 $allowed_protocols = wp_allowed_protocols(); 773 $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) ); 774 775 // Preserve leading and trailing whitespace. 776 $matches = array(); 777 preg_match( '/^\s*/', $string, $matches ); 778 $lead = $matches[0]; 779 preg_match( '/\s*$/', $string, $matches ); 780 $trail = $matches[0]; 781 if ( empty( $trail ) ) { 782 $string = substr( $string, strlen( $lead ) ); 783 } else { 784 $string = substr( $string, strlen( $lead ), -strlen( $trail ) ); 785 } 786 787 // Parse attribute name and value from input. 788 $split = preg_split( '/\s*=\s*/', $string, 2 ); 789 $name = $split[0]; 790 if ( count( $split ) == 2 ) { 791 $value = $split[1]; 792 793 // Remove quotes surrounding $value. 794 // Also guarantee correct quoting in $string for this one attribute. 795 if ( '' === $value ) { 796 $quote = ''; 797 } else { 798 $quote = $value[0]; 799 } 800 if ( '"' === $quote || "'" === $quote ) { 801 if ( substr( $value, -1 ) != $quote ) { 802 return ''; 803 } 804 $value = substr( $value, 1, -1 ); 805 } else { 806 $quote = '"'; 807 } 808 809 // Sanitize quotes, angle braces, and entities. 810 $value = esc_attr( $value ); 811 812 // Sanitize URI values. 813 if ( in_array( strtolower( $name ), $uris, true ) ) { 814 $value = wp_kses_bad_protocol( $value, $allowed_protocols ); 815 } 816 817 $string = "$name=$quote$value$quote"; 818 $vless = 'n'; 819 } else { 820 $value = ''; 821 $vless = 'y'; 822 } 823 824 // Sanitize attribute by name. 825 wp_kses_attr_check( $name, $value, $string, $vless, $element, $allowed_html ); 826 827 // Restore whitespace. 828 return $lead . $string . $trail; 829 } 830 831 /** 832 * Returns an array of allowed HTML tags and attributes for a given context. 833 * 834 * @since 3.5.0 835 * @since 5.0.1 `form` removed as allowable HTML tag. 836 * 837 * @global array $allowedposttags 838 * @global array $allowedtags 839 * @global array $allowedentitynames 840 * 841 * @param string|array $context The context for which to retrieve tags. Allowed values are 'post', 842 * 'strip', 'data', 'entities', or the name of a field filter such as 843 * 'pre_user_description'. 844 * @return array Array of allowed HTML tags and their allowed attributes. 845 */ 846 function wp_kses_allowed_html( $context = '' ) { 847 global $allowedposttags, $allowedtags, $allowedentitynames; 848 849 if ( is_array( $context ) ) { 850 /** 851 * Filters the HTML that is allowed for a given context. 852 * 853 * @since 3.5.0 854 * 855 * @param array[]|string $context Context to judge allowed tags by. 856 * @param string $context_type Context name. 857 */ 858 return apply_filters( 'wp_kses_allowed_html', $context, 'explicit' ); 859 } 860 861 switch ( $context ) { 862 case 'post': 863 /** This filter is documented in wp-includes/kses.php */ 864 $tags = apply_filters( 'wp_kses_allowed_html', $allowedposttags, $context ); 865 866 // 5.0.1 removed the `<form>` tag, allow it if a filter is allowing it's sub-elements `<input>` or `<select>`. 867 if ( ! CUSTOM_TAGS && ! isset( $tags['form'] ) && ( isset( $tags['input'] ) || isset( $tags['select'] ) ) ) { 868 $tags = $allowedposttags; 869 870 $tags['form'] = array( 871 'action' => true, 872 'accept' => true, 873 'accept-charset' => true, 874 'enctype' => true, 875 'method' => true, 876 'name' => true, 877 'target' => true, 878 ); 879 880 /** This filter is documented in wp-includes/kses.php */ 881 $tags = apply_filters( 'wp_kses_allowed_html', $tags, $context ); 882 } 883 884 return $tags; 885 886 case 'user_description': 887 case 'pre_user_description': 888 $tags = $allowedtags; 889 $tags['a']['rel'] = true; 890 /** This filter is documented in wp-includes/kses.php */ 891 return apply_filters( 'wp_kses_allowed_html', $tags, $context ); 892 893 case 'strip': 894 /** This filter is documented in wp-includes/kses.php */ 895 return apply_filters( 'wp_kses_allowed_html', array(), $context ); 896 897 case 'entities': 898 /** This filter is documented in wp-includes/kses.php */ 899 return apply_filters( 'wp_kses_allowed_html', $allowedentitynames, $context ); 900 901 case 'data': 902 default: 903 /** This filter is documented in wp-includes/kses.php */ 904 return apply_filters( 'wp_kses_allowed_html', $allowedtags, $context ); 905 } 906 } 907 908 /** 909 * You add any KSES hooks here. 910 * 911 * There is currently only one KSES WordPress hook, {@see 'pre_kses'}, and it is called here. 912 * All parameters are passed to the hooks and expected to receive a string. 913 * 914 * @since 1.0.0 915 * 916 * @param string $string Content to filter through KSES. 917 * @param array[]|string $allowed_html An array of allowed HTML elements and attributes, 918 * or a context name such as 'post'. See wp_kses_allowed_html() 919 * for the list of accepted context names. 920 * @param string[] $allowed_protocols Array of allowed URL protocols. 921 * @return string Filtered content through {@see 'pre_kses'} hook. 922 */ 923 function wp_kses_hook( $string, $allowed_html, $allowed_protocols ) { 924 /** 925 * Filters content to be run through KSES. 926 * 927 * @since 2.3.0 928 * 929 * @param string $string Content to filter through KSES. 930 * @param array[]|string $allowed_html An array of allowed HTML elements and attributes, 931 * or a context name such as 'post'. See wp_kses_allowed_html() 932 * for the list of accepted context names. 933 * @param string[] $allowed_protocols Array of allowed URL protocols. 934 */ 935 return apply_filters( 'pre_kses', $string, $allowed_html, $allowed_protocols ); 936 } 937 938 /** 939 * Returns the version number of KSES. 940 * 941 * @since 1.0.0 942 * 943 * @return string KSES version number. 944 */ 945 function wp_kses_version() { 946 return '0.2.2'; 947 } 948 949 /** 950 * Searches for HTML tags, no matter how malformed. 951 * 952 * It also matches stray `>` characters. 953 * 954 * @since 1.0.0 955 * 956 * @global array[]|string $pass_allowed_html An array of allowed HTML elements and attributes, 957 * or a context name such as 'post'. 958 * @global string[] $pass_allowed_protocols Array of allowed URL protocols. 959 * 960 * @param string $string Content to filter. 961 * @param array[]|string $allowed_html An array of allowed HTML elements and attributes, 962 * or a context name such as 'post'. See wp_kses_allowed_html() 963 * for the list of accepted context names. 964 * @param string[] $allowed_protocols Array of allowed URL protocols. 965 * @return string Content with fixed HTML tags 966 */ 967 function wp_kses_split( $string, $allowed_html, $allowed_protocols ) { 968 global $pass_allowed_html, $pass_allowed_protocols; 969 970 $pass_allowed_html = $allowed_html; 971 $pass_allowed_protocols = $allowed_protocols; 972 973 return preg_replace_callback( '%(<!--.*?(-->|$))|(<[^>]*(>|$)|>)%', '_wp_kses_split_callback', $string ); 974 } 975 976 /** 977 * Returns an array of HTML attribute names whose value contains a URL. 978 * 979 * This function returns a list of all HTML attributes that must contain 980 * a URL according to the HTML specification. 981 * 982 * This list includes URI attributes both allowed and disallowed by KSES. 983 * 984 * @link https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes 985 * 986 * @since 5.0.1 987 * 988 * @return string[] HTML attribute names whose value contains a URL. 989 */ 990 function wp_kses_uri_attributes() { 991 $uri_attributes = array( 992 'action', 993 'archive', 994 'background', 995 'cite', 996 'classid', 997 'codebase', 998 'data', 999 'formaction', 1000 'href', 1001 'icon', 1002 'longdesc', 1003 'manifest', 1004 'poster', 1005 'profile', 1006 'src', 1007 'usemap', 1008 'xmlns', 1009 ); 1010 1011 /** 1012 * Filters the list of attributes that are required to contain a URL. 1013 * 1014 * Use this filter to add any `data-` attributes that are required to be 1015 * validated as a URL. 1016 * 1017 * @since 5.0.1 1018 * 1019 * @param string[] $uri_attributes HTML attribute names whose value contains a URL. 1020 */ 1021 $uri_attributes = apply_filters( 'wp_kses_uri_attributes', $uri_attributes ); 1022 1023 return $uri_attributes; 1024 } 1025 1026 /** 1027 * Callback for `wp_kses_split()`. 1028 * 1029 * @since 3.1.0 1030 * @access private 1031 * @ignore 1032 * 1033 * @global array[]|string $pass_allowed_html An array of allowed HTML elements and attributes, 1034 * or a context name such as 'post'. 1035 * @global string[] $pass_allowed_protocols Array of allowed URL protocols. 1036 * 1037 * @param array $matches preg_replace regexp matches 1038 * @return string 1039 */ 1040 function _wp_kses_split_callback( $match ) { 1041 global $pass_allowed_html, $pass_allowed_protocols; 1042 1043 return wp_kses_split2( $match[0], $pass_allowed_html, $pass_allowed_protocols ); 1044 } 1045 1046 /** 1047 * Callback for `wp_kses_split()` for fixing malformed HTML tags. 1048 * 1049 * This function does a lot of work. It rejects some very malformed things like 1050 * `<:::>`. It returns an empty string, if the element isn't allowed (look ma, no 1051 * `strip_tags()`!). Otherwise it splits the tag into an element and an attribute 1052 * list. 1053 * 1054 * After the tag is split into an element and an attribute list, it is run 1055 * through another filter which will remove illegal attributes and once that is 1056 * completed, will be returned. 1057 * 1058 * @access private 1059 * @ignore 1060 * @since 1.0.0 1061 * 1062 * @param string $string Content to filter. 1063 * @param array[]|string $allowed_html An array of allowed HTML elements and attributes, 1064 * or a context name such as 'post'. See wp_kses_allowed_html() 1065 * for the list of accepted context names. 1066 * @param string[] $allowed_protocols Array of allowed URL protocols. 1067 * @return string Fixed HTML element 1068 */ 1069 function wp_kses_split2( $string, $allowed_html, $allowed_protocols ) { 1070 $string = wp_kses_stripslashes( $string ); 1071 1072 // It matched a ">" character. 1073 if ( '<' !== substr( $string, 0, 1 ) ) { 1074 return '>'; 1075 } 1076 1077 // Allow HTML comments. 1078 if ( '<!--' === substr( $string, 0, 4 ) ) { 1079 $string = str_replace( array( '<!--', '-->' ), '', $string ); 1080 while ( ( $newstring = wp_kses( $string, $allowed_html, $allowed_protocols ) ) != $string ) { 1081 $string = $newstring; 1082 } 1083 if ( '' === $string ) { 1084 return ''; 1085 } 1086 // Prevent multiple dashes in comments. 1087 $string = preg_replace( '/--+/', '-', $string ); 1088 // Prevent three dashes closing a comment. 1089 $string = preg_replace( '/-$/', '', $string ); 1090 return "<!--{$string}-->"; 1091 } 1092 1093 // It's seriously malformed. 1094 if ( ! preg_match( '%^<\s*(/\s*)?([a-zA-Z0-9-]+)([^>]*)>?$%', $string, $matches ) ) { 1095 return ''; 1096 } 1097 1098 $slash = trim( $matches[1] ); 1099 $elem = $matches[2]; 1100 $attrlist = $matches[3]; 1101 1102 if ( ! is_array( $allowed_html ) ) { 1103 $allowed_html = wp_kses_allowed_html( $allowed_html ); 1104 } 1105 1106 // They are using a not allowed HTML element. 1107 if ( ! isset( $allowed_html[ strtolower( $elem ) ] ) ) { 1108 return ''; 1109 } 1110 1111 // No attributes are allowed for closing elements. 1112 if ( '' !== $slash ) { 1113 return "</$elem>"; 1114 } 1115 1116 return wp_kses_attr( $elem, $attrlist, $allowed_html, $allowed_protocols ); 1117 } 1118 1119 /** 1120 * Removes all attributes, if none are allowed for this element. 1121 * 1122 * If some are allowed it calls `wp_kses_hair()` to split them further, and then 1123 * it builds up new HTML code from the data that `kses_hair()` returns. It also 1124 * removes `<` and `>` characters, if there are any left. One more thing it does 1125 * is to check if the tag has a closing XHTML slash, and if it does, it puts one 1126 * in the returned code as well. 1127 * 1128 * @since 1.0.0 1129 * 1130 * @param string $element HTML element/tag. 1131 * @param string $attr HTML attributes from HTML element to closing HTML element tag. 1132 * @param array[]|string $allowed_html An array of allowed HTML elements and attributes, 1133 * or a context name such as 'post'. See wp_kses_allowed_html() 1134 * for the list of accepted context names. 1135 * @param string[] $allowed_protocols Array of allowed URL protocols. 1136 * @return string Sanitized HTML element. 1137 */ 1138 function wp_kses_attr( $element, $attr, $allowed_html, $allowed_protocols ) { 1139 if ( ! is_array( $allowed_html ) ) { 1140 $allowed_html = wp_kses_allowed_html( $allowed_html ); 1141 } 1142 1143 // Is there a closing XHTML slash at the end of the attributes? 1144 $xhtml_slash = ''; 1145 if ( preg_match( '%\s*/\s*$%', $attr ) ) { 1146 $xhtml_slash = ' /'; 1147 } 1148 1149 // Are any attributes allowed at all for this element? 1150 $element_low = strtolower( $element ); 1151 if ( empty( $allowed_html[ $element_low ] ) || true === $allowed_html[ $element_low ] ) { 1152 return "<$element$xhtml_slash>"; 1153 } 1154 1155 // Split it. 1156 $attrarr = wp_kses_hair( $attr, $allowed_protocols ); 1157 1158 // Go through $attrarr, and save the allowed attributes for this element 1159 // in $attr2. 1160 $attr2 = ''; 1161 foreach ( $attrarr as $arreach ) { 1162 if ( wp_kses_attr_check( $arreach['name'], $arreach['value'], $arreach['whole'], $arreach['vless'], $element, $allowed_html ) ) { 1163 $attr2 .= ' ' . $arreach['whole']; 1164 } 1165 } 1166 1167 // Remove any "<" or ">" characters. 1168 $attr2 = preg_replace( '/[<>]/', '', $attr2 ); 1169 1170 return "<$element$attr2$xhtml_slash>"; 1171 } 1172 1173 /** 1174 * Determines whether an attribute is allowed. 1175 * 1176 * @since 4.2.3 1177 * @since 5.0.0 Add support for `data-*` wildcard attributes. 1178 * 1179 * @param string $name The attribute name. Passed by reference. Returns empty string when not allowed. 1180 * @param string $value The attribute value. Passed by reference. Returns a filtered value. 1181 * @param string $whole The `name=value` input. Passed by reference. Returns filtered input. 1182 * @param string $vless Whether the attribute is valueless. Use 'y' or 'n'. 1183 * @param string $element The name of the element to which this attribute belongs. 1184 * @param array $allowed_html The full list of allowed elements and attributes. 1185 * @return bool Whether or not the attribute is allowed. 1186 */ 1187 function wp_kses_attr_check( &$name, &$value, &$whole, $vless, $element, $allowed_html ) { 1188 $name_low = strtolower( $name ); 1189 $element_low = strtolower( $element ); 1190 1191 if ( ! isset( $allowed_html[ $element_low ] ) ) { 1192 $name = ''; 1193 $value = ''; 1194 $whole = ''; 1195 return false; 1196 } 1197 1198 $allowed_attr = $allowed_html[ $element_low ]; 1199 1200 if ( ! isset( $allowed_attr[ $name_low ] ) || '' === $allowed_attr[ $name_low ] ) { 1201 /* 1202 * Allow `data-*` attributes. 1203 * 1204 * When specifying `$allowed_html`, the attribute name should be set as 1205 * `data-*` (not to be mixed with the HTML 4.0 `data` attribute, see 1206 * https://www.w3.org/TR/html40/struct/objects.html#adef-data). 1207 * 1208 * Note: the attribute name should only contain `A-Za-z0-9_-` chars, 1209 * double hyphens `--` are not accepted by WordPress. 1210 */ 1211 if ( strpos( $name_low, 'data-' ) === 0 && ! empty( $allowed_attr['data-*'] ) && preg_match( '/^data(?:-[a-z0-9_]+)+$/', $name_low, $match ) ) { 1212 /* 1213 * Add the whole attribute name to the allowed attributes and set any restrictions 1214 * for the `data-*` attribute values for the current element. 1215 */ 1216 $allowed_attr[ $match[0] ] = $allowed_attr['data-*']; 1217 } else { 1218 $name = ''; 1219 $value = ''; 1220 $whole = ''; 1221 return false; 1222 } 1223 } 1224 1225 if ( 'style' === $name_low ) { 1226 $new_value = safecss_filter_attr( $value ); 1227 1228 if ( empty( $new_value ) ) { 1229 $name = ''; 1230 $value = ''; 1231 $whole = ''; 1232 return false; 1233 } 1234 1235 $whole = str_replace( $value, $new_value, $whole ); 1236 $value = $new_value; 1237 } 1238 1239 if ( is_array( $allowed_attr[ $name_low ] ) ) { 1240 // There are some checks. 1241 foreach ( $allowed_attr[ $name_low ] as $currkey => $currval ) { 1242 if ( ! wp_kses_check_attr_val( $value, $vless, $currkey, $currval ) ) { 1243 $name = ''; 1244 $value = ''; 1245 $whole = ''; 1246 return false; 1247 } 1248 } 1249 } 1250 1251 return true; 1252 } 1253 1254 /** 1255 * Builds an attribute list from string containing attributes. 1256 * 1257 * This function does a lot of work. It parses an attribute list into an array 1258 * with attribute data, and tries to do the right thing even if it gets weird 1259 * input. It will add quotes around attribute values that don't have any quotes 1260 * or apostrophes around them, to make it easier to produce HTML code that will 1261 * conform to W3C's HTML specification. It will also remove bad URL protocols 1262 * from attribute values. It also reduces duplicate attributes by using the 1263 * attribute defined first (`foo='bar' foo='baz'` will result in `foo='bar'`). 1264 * 1265 * @since 1.0.0 1266 * 1267 * @param string $attr Attribute list from HTML element to closing HTML element tag. 1268 * @param string[] $allowed_protocols Array of allowed URL protocols. 1269 * @return array[] Array of attribute information after parsing. 1270 */ 1271 function wp_kses_hair( $attr, $allowed_protocols ) { 1272 $attrarr = array(); 1273 $mode = 0; 1274 $attrname = ''; 1275 $uris = wp_kses_uri_attributes(); 1276 1277 // Loop through the whole attribute list. 1278 1279 while ( strlen( $attr ) != 0 ) { 1280 $working = 0; // Was the last operation successful? 1281 1282 switch ( $mode ) { 1283 case 0: 1284 if ( preg_match( '/^([_a-zA-Z][-_a-zA-Z0-9:.]*)/', $attr, $match ) ) { 1285 $attrname = $match[1]; 1286 $working = 1; 1287 $mode = 1; 1288 $attr = preg_replace( '/^[_a-zA-Z][-_a-zA-Z0-9:.]*/', '', $attr ); 1289 } 1290 1291 break; 1292 1293 case 1: 1294 if ( preg_match( '/^\s*=\s*/', $attr ) ) { // Equals sign. 1295 $working = 1; 1296 $mode = 2; 1297 $attr = preg_replace( '/^\s*=\s*/', '', $attr ); 1298 break; 1299 } 1300 1301 if ( preg_match( '/^\s+/', $attr ) ) { // Valueless. 1302 $working = 1; 1303 $mode = 0; 1304 if ( false === array_key_exists( $attrname, $attrarr ) ) { 1305 $attrarr[ $attrname ] = array( 1306 'name' => $attrname, 1307 'value' => '', 1308 'whole' => $attrname, 1309 'vless' => 'y', 1310 ); 1311 } 1312 $attr = preg_replace( '/^\s+/', '', $attr ); 1313 } 1314 1315 break; 1316 1317 case 2: 1318 if ( preg_match( '%^"([^"]*)"(\s+|/?$)%', $attr, $match ) ) { 1319 // "value" 1320 $thisval = $match[1]; 1321 if ( in_array( strtolower( $attrname ), $uris, true ) ) { 1322 $thisval = wp_kses_bad_protocol( $thisval, $allowed_protocols ); 1323 } 1324 1325 if ( false === array_key_exists( $attrname, $attrarr ) ) { 1326 $attrarr[ $attrname ] = array( 1327 'name' => $attrname, 1328 'value' => $thisval, 1329 'whole' => "$attrname=\"$thisval\"", 1330 'vless' => 'n', 1331 ); 1332 } 1333 $working = 1; 1334 $mode = 0; 1335 $attr = preg_replace( '/^"[^"]*"(\s+|$)/', '', $attr ); 1336 break; 1337 } 1338 1339 if ( preg_match( "%^'([^']*)'(\s+|/?$)%", $attr, $match ) ) { 1340 // 'value' 1341 $thisval = $match[1]; 1342 if ( in_array( strtolower( $attrname ), $uris, true ) ) { 1343 $thisval = wp_kses_bad_protocol( $thisval, $allowed_protocols ); 1344 } 1345 1346 if ( false === array_key_exists( $attrname, $attrarr ) ) { 1347 $attrarr[ $attrname ] = array( 1348 'name' => $attrname, 1349 'value' => $thisval, 1350 'whole' => "$attrname='$thisval'", 1351 'vless' => 'n', 1352 ); 1353 } 1354 $working = 1; 1355 $mode = 0; 1356 $attr = preg_replace( "/^'[^']*'(\s+|$)/", '', $attr ); 1357 break; 1358 } 1359 1360 if ( preg_match( "%^([^\s\"']+)(\s+|/?$)%", $attr, $match ) ) { 1361 // value 1362 $thisval = $match[1]; 1363 if ( in_array( strtolower( $attrname ), $uris, true ) ) { 1364 $thisval = wp_kses_bad_protocol( $thisval, $allowed_protocols ); 1365 } 1366 1367 if ( false === array_key_exists( $attrname, $attrarr ) ) { 1368 $attrarr[ $attrname ] = array( 1369 'name' => $attrname, 1370 'value' => $thisval, 1371 'whole' => "$attrname=\"$thisval\"", 1372 'vless' => 'n', 1373 ); 1374 } 1375 // We add quotes to conform to W3C's HTML spec. 1376 $working = 1; 1377 $mode = 0; 1378 $attr = preg_replace( "%^[^\s\"']+(\s+|$)%", '', $attr ); 1379 } 1380 1381 break; 1382 } // End switch. 1383 1384 if ( 0 == $working ) { // Not well-formed, remove and try again. 1385 $attr = wp_kses_html_error( $attr ); 1386 $mode = 0; 1387 } 1388 } // End while. 1389 1390 if ( 1 == $mode && false === array_key_exists( $attrname, $attrarr ) ) { 1391 // Special case, for when the attribute list ends with a valueless 1392 // attribute like "selected". 1393 $attrarr[ $attrname ] = array( 1394 'name' => $attrname, 1395 'value' => '', 1396 'whole' => $attrname, 1397 'vless' => 'y', 1398 ); 1399 } 1400 1401 return $attrarr; 1402 } 1403 1404 /** 1405 * Finds all attributes of an HTML element. 1406 * 1407 * Does not modify input. May return "evil" output. 1408 * 1409 * Based on `wp_kses_split2()` and `wp_kses_attr()`. 1410 * 1411 * @since 4.2.3 1412 * 1413 * @param string $element HTML element. 1414 * @return array|false List of attributes found in the element. Returns false on failure. 1415 */ 1416 function wp_kses_attr_parse( $element ) { 1417 $valid = preg_match( '%^(<\s*)(/\s*)?([a-zA-Z0-9]+\s*)([^>]*)(>?)$%', $element, $matches ); 1418 if ( 1 !== $valid ) { 1419 return false; 1420 } 1421 1422 $begin = $matches[1]; 1423 $slash = $matches[2]; 1424 $elname = $matches[3]; 1425 $attr = $matches[4]; 1426 $end = $matches[5]; 1427 1428 if ( '' !== $slash ) { 1429 // Closing elements do not get parsed. 1430 return false; 1431 } 1432 1433 // Is there a closing XHTML slash at the end of the attributes? 1434 if ( 1 === preg_match( '%\s*/\s*$%', $attr, $matches ) ) { 1435 $xhtml_slash = $matches[0]; 1436 $attr = substr( $attr, 0, -strlen( $xhtml_slash ) ); 1437 } else { 1438 $xhtml_slash = ''; 1439 } 1440 1441 // Split it. 1442 $attrarr = wp_kses_hair_parse( $attr ); 1443 if ( false === $attrarr ) { 1444 return false; 1445 } 1446 1447 // Make sure all input is returned by adding front and back matter. 1448 array_unshift( $attrarr, $begin . $slash . $elname ); 1449 array_push( $attrarr, $xhtml_slash . $end ); 1450 1451 return $attrarr; 1452 } 1453 1454 /** 1455 * Builds an attribute list from string containing attributes. 1456 * 1457 * Does not modify input. May return "evil" output. 1458 * In case of unexpected input, returns false instead of stripping things. 1459 * 1460 * Based on `wp_kses_hair()` but does not return a multi-dimensional array. 1461 * 1462 * @since 4.2.3 1463 * 1464 * @param string $attr Attribute list from HTML element to closing HTML element tag. 1465 * @return array|false List of attributes found in $attr. Returns false on failure. 1466 */ 1467 function wp_kses_hair_parse( $attr ) { 1468 if ( '' === $attr ) { 1469 return array(); 1470 } 1471 1472 // phpcs:disable Squiz.Strings.ConcatenationSpacing.PaddingFound -- don't remove regex indentation 1473 $regex = 1474 '(?:' 1475 . '[_a-zA-Z][-_a-zA-Z0-9:.]*' // Attribute name. 1476 . '|' 1477 . '\[\[?[^\[\]]+\]\]?' // Shortcode in the name position implies unfiltered_html. 1478 . ')' 1479 . '(?:' // Attribute value. 1480 . '\s*=\s*' // All values begin with '='. 1481 . '(?:' 1482 . '"[^"]*"' // Double-quoted. 1483 . '|' 1484 . "'[^']*'" // Single-quoted. 1485 . '|' 1486 . '[^\s"\']+' // Non-quoted. 1487 . '(?:\s|$)' // Must have a space. 1488 . ')' 1489 . '|' 1490 . '(?:\s|$)' // If attribute has no value, space is required. 1491 . ')' 1492 . '\s*'; // Trailing space is optional except as mentioned above. 1493 // phpcs:enable 1494 1495 // Although it is possible to reduce this procedure to a single regexp, 1496 // we must run that regexp twice to get exactly the expected result. 1497 1498 $validation = "%^($regex)+$%"; 1499 $extraction = "%$regex%"; 1500 1501 if ( 1 === preg_match( $validation, $attr ) ) { 1502 preg_match_all( $extraction, $attr, $attrarr ); 1503 return $attrarr[0]; 1504 } else { 1505 return false; 1506 } 1507 } 1508 1509 /** 1510 * Performs different checks for attribute values. 1511 * 1512 * The currently implemented checks are "maxlen", "minlen", "maxval", "minval", 1513 * and "valueless". 1514 * 1515 * @since 1.0.0 1516 * 1517 * @param string $value Attribute value. 1518 * @param string $vless Whether the attribute is valueless. Use 'y' or 'n'. 1519 * @param string $checkname What $checkvalue is checking for. 1520 * @param mixed $checkvalue What constraint the value should pass. 1521 * @return bool Whether check passes. 1522 */ 1523 function wp_kses_check_attr_val( $value, $vless, $checkname, $checkvalue ) { 1524 $ok = true; 1525 1526 switch ( strtolower( $checkname ) ) { 1527 case 'maxlen': 1528 /* 1529 * The maxlen check makes sure that the attribute value has a length not 1530 * greater than the given value. This can be used to avoid Buffer Overflows 1531 * in WWW clients and various Internet servers. 1532 */ 1533 1534 if ( strlen( $value ) > $checkvalue ) { 1535 $ok = false; 1536 } 1537 break; 1538 1539 case 'minlen': 1540 /* 1541 * The minlen check makes sure that the attribute value has a length not 1542 * smaller than the given value. 1543 */ 1544 1545 if ( strlen( $value ) < $checkvalue ) { 1546 $ok = false; 1547 } 1548 break; 1549 1550 case 'maxval': 1551 /* 1552 * The maxval check does two things: it checks that the attribute value is 1553 * an integer from 0 and up, without an excessive amount of zeroes or 1554 * whitespace (to avoid Buffer Overflows). It also checks that the attribute 1555 * value is not greater than the given value. 1556 * This check can be used to avoid Denial of Service attacks. 1557 */ 1558 1559 if ( ! preg_match( '/^\s{0,6}[0-9]{1,6}\s{0,6}$/', $value ) ) { 1560 $ok = false; 1561 } 1562 if ( $value > $checkvalue ) { 1563 $ok = false; 1564 } 1565 break; 1566 1567 case 'minval': 1568 /* 1569 * The minval check makes sure that the attribute value is a positive integer, 1570 * and that it is not smaller than the given value. 1571 */ 1572 1573 if ( ! preg_match( '/^\s{0,6}[0-9]{1,6}\s{0,6}$/', $value ) ) { 1574 $ok = false; 1575 } 1576 if ( $value < $checkvalue ) { 1577 $ok = false; 1578 } 1579 break; 1580 1581 case 'valueless': 1582 /* 1583 * The valueless check makes sure if the attribute has a value 1584 * (like `<a href="blah">`) or not (`<option selected>`). If the given value 1585 * is a "y" or a "Y", the attribute must not have a value. 1586 * If the given value is an "n" or an "N", the attribute must have a value. 1587 */ 1588 1589 if ( strtolower( $checkvalue ) != $vless ) { 1590 $ok = false; 1591 } 1592 break; 1593 } // End switch. 1594 1595 return $ok; 1596 } 1597 1598 /** 1599 * Sanitizes a string and removed disallowed URL protocols. 1600 * 1601 * This function removes all non-allowed protocols from the beginning of the 1602 * string. It ignores whitespace and the case of the letters, and it does 1603 * understand HTML entities. It does its work recursively, so it won't be 1604 * fooled by a string like `javascript:javascript:alert(57)`. 1605 * 1606 * @since 1.0.0 1607 * 1608 * @param string $string Content to filter bad protocols from. 1609 * @param string[] $allowed_protocols Array of allowed URL protocols. 1610 * @return string Filtered content. 1611 */ 1612 function wp_kses_bad_protocol( $string, $allowed_protocols ) { 1613 $string = wp_kses_no_null( $string ); 1614 $iterations = 0; 1615 1616 do { 1617 $original_string = $string; 1618 $string = wp_kses_bad_protocol_once( $string, $allowed_protocols ); 1619 } while ( $original_string != $string && ++$iterations < 6 ); 1620 1621 if ( $original_string != $string ) { 1622 return ''; 1623 } 1624 1625 return $string; 1626 } 1627 1628 /** 1629 * Removes any invalid control characters in a text string. 1630 * 1631 * Also removes any instance of the `\0` string. 1632 * 1633 * @since 1.0.0 1634 * 1635 * @param string $string Content to filter null characters from. 1636 * @param array $options Set 'slash_zero' => 'keep' when '\0' is allowed. Default is 'remove'. 1637 * @return string Filtered content. 1638 */ 1639 function wp_kses_no_null( $string, $options = null ) { 1640 if ( ! isset( $options['slash_zero'] ) ) { 1641 $options = array( 'slash_zero' => 'remove' ); 1642 } 1643 1644 $string = preg_replace( '/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $string ); 1645 if ( 'remove' === $options['slash_zero'] ) { 1646 $string = preg_replace( '/\\\\+0+/', '', $string ); 1647 } 1648 1649 return $string; 1650 } 1651 1652 /** 1653 * Strips slashes from in front of quotes. 1654 * 1655 * This function changes the character sequence `\"` to just `"`. It leaves all other 1656 * slashes alone. The quoting from `preg_replace(//e)` requires this. 1657 * 1658 * @since 1.0.0 1659 * 1660 * @param string $string String to strip slashes from. 1661 * @return string Fixed string with quoted slashes. 1662 */ 1663 function wp_kses_stripslashes( $string ) { 1664 return preg_replace( '%\\\\"%', '"', $string ); 1665 } 1666 1667 /** 1668 * Converts the keys of an array to lowercase. 1669 * 1670 * @since 1.0.0 1671 * 1672 * @param array $inarray Unfiltered array. 1673 * @return array Fixed array with all lowercase keys. 1674 */ 1675 function wp_kses_array_lc( $inarray ) { 1676 $outarray = array(); 1677 1678 foreach ( (array) $inarray as $inkey => $inval ) { 1679 $outkey = strtolower( $inkey ); 1680 $outarray[ $outkey ] = array(); 1681 1682 foreach ( (array) $inval as $inkey2 => $inval2 ) { 1683 $outkey2 = strtolower( $inkey2 ); 1684 $outarray[ $outkey ][ $outkey2 ] = $inval2; 1685 } 1686 } 1687 1688 return $outarray; 1689 } 1690 1691 /** 1692 * Handles parsing errors in `wp_kses_hair()`. 1693 * 1694 * The general plan is to remove everything to and including some whitespace, 1695 * but it deals with quotes and apostrophes as well. 1696 * 1697 * @since 1.0.0 1698 * 1699 * @param string $string 1700 * @return string 1701 */ 1702 function wp_kses_html_error( $string ) { 1703 return preg_replace( '/^("[^"]*("|$)|\'[^\']*(\'|$)|\S)*\s*/', '', $string ); 1704 } 1705 1706 /** 1707 * Sanitizes content from bad protocols and other characters. 1708 * 1709 * This function searches for URL protocols at the beginning of the string, while 1710 * handling whitespace and HTML entities. 1711 * 1712 * @since 1.0.0 1713 * 1714 * @param string $string Content to check for bad protocols. 1715 * @param string[] $allowed_protocols Array of allowed URL protocols. 1716 * @param int $count Depth of call recursion to this function. 1717 * @return string Sanitized content. 1718 */ 1719 function wp_kses_bad_protocol_once( $string, $allowed_protocols, $count = 1 ) { 1720 $string = preg_replace( '/(�*58(?![;0-9])|�*3a(?![;a-f0-9]))/i', '$1;', $string ); 1721 $string2 = preg_split( '/:|�*58;|�*3a;|:/i', $string, 2 ); 1722 if ( isset( $string2[1] ) && ! preg_match( '%/\?%', $string2[0] ) ) { 1723 $string = trim( $string2[1] ); 1724 $protocol = wp_kses_bad_protocol_once2( $string2[0], $allowed_protocols ); 1725 if ( 'feed:' === $protocol ) { 1726 if ( $count > 2 ) { 1727 return ''; 1728 } 1729 $string = wp_kses_bad_protocol_once( $string, $allowed_protocols, ++$count ); 1730 if ( empty( $string ) ) { 1731 return $string; 1732 } 1733 } 1734 $string = $protocol . $string; 1735 } 1736 1737 return $string; 1738 } 1739 1740 /** 1741 * Callback for `wp_kses_bad_protocol_once()` regular expression. 1742 * 1743 * This function processes URL protocols, checks to see if they're in the 1744 * list of allowed protocols or not, and returns different data depending 1745 * on the answer. 1746 * 1747 * @access private 1748 * @ignore 1749 * @since 1.0.0 1750 * 1751 * @param string $string URI scheme to check against the list of allowed protocols. 1752 * @param string[] $allowed_protocols Array of allowed URL protocols. 1753 * @return string Sanitized content. 1754 */ 1755 function wp_kses_bad_protocol_once2( $string, $allowed_protocols ) { 1756 $string2 = wp_kses_decode_entities( $string ); 1757 $string2 = preg_replace( '/\s/', '', $string2 ); 1758 $string2 = wp_kses_no_null( $string2 ); 1759 $string2 = strtolower( $string2 ); 1760 1761 $allowed = false; 1762 foreach ( (array) $allowed_protocols as $one_protocol ) { 1763 if ( strtolower( $one_protocol ) == $string2 ) { 1764 $allowed = true; 1765 break; 1766 } 1767 } 1768 1769 if ( $allowed ) { 1770 return "$string2:"; 1771 } else { 1772 return ''; 1773 } 1774 } 1775 1776 /** 1777 * Converts and fixes HTML entities. 1778 * 1779 * This function normalizes HTML entities. It will convert `AT&T` to the correct 1780 * `AT&T`, `:` to `:`, `&#XYZZY;` to `&#XYZZY;` and so on. 1781 * 1782 * When `$context` is set to 'xml', HTML entities are converted to their code points. For 1783 * example, `AT&T…&#XYZZY;` is converted to `AT&T…&#XYZZY;`. 1784 * 1785 * @since 1.0.0 1786 * @since 5.5.0 Added `$context` parameter. 1787 * 1788 * @param string $string Content to normalize entities. 1789 * @param string $context Context for normalization. Can be either 'html' or 'xml'. 1790 * Default 'html'. 1791 * @return string Content with normalized entities. 1792 */ 1793 function wp_kses_normalize_entities( $string, $context = 'html' ) { 1794 // Disarm all entities by converting & to & 1795 $string = str_replace( '&', '&', $string ); 1796 1797 // Change back the allowed entities in our list of allowed entities. 1798 if ( 'xml' === $context ) { 1799 $string = preg_replace_callback( '/&([A-Za-z]{2,8}[0-9]{0,2});/', 'wp_kses_xml_named_entities', $string ); 1800 } else { 1801 $string = preg_replace_callback( '/&([A-Za-z]{2,8}[0-9]{0,2});/', 'wp_kses_named_entities', $string ); 1802 } 1803 $string = preg_replace_callback( '/&#(0*[0-9]{1,7});/', 'wp_kses_normalize_entities2', $string ); 1804 $string = preg_replace_callback( '/&#[Xx](0*[0-9A-Fa-f]{1,6});/', 'wp_kses_normalize_entities3', $string ); 1805 1806 return $string; 1807 } 1808 1809 /** 1810 * Callback for `wp_kses_normalize_entities()` regular expression. 1811 * 1812 * This function only accepts valid named entity references, which are finite, 1813 * case-sensitive, and highly scrutinized by HTML and XML validators. 1814 * 1815 * @since 3.0.0 1816 * 1817 * @global array $allowedentitynames 1818 * 1819 * @param array $matches preg_replace_callback() matches array. 1820 * @return string Correctly encoded entity. 1821 */ 1822 function wp_kses_named_entities( $matches ) { 1823 global $allowedentitynames; 1824 1825 if ( empty( $matches[1] ) ) { 1826 return ''; 1827 } 1828 1829 $i = $matches[1]; 1830 return ( ! in_array( $i, $allowedentitynames, true ) ) ? "&$i;" : "&$i;"; 1831 } 1832 1833 /** 1834 * Callback for `wp_kses_normalize_entities()` regular expression. 1835 * 1836 * This function only accepts valid named entity references, which are finite, 1837 * case-sensitive, and highly scrutinized by XML validators. HTML named entity 1838 * references are converted to their code points. 1839 * 1840 * @since 5.5.0 1841 * 1842 * @global array $allowedentitynames 1843 * @global array $allowedxmlnamedentities 1844 * 1845 * @param array $matches preg_replace_callback() matches array. 1846 * @return string Correctly encoded entity. 1847 */ 1848 function wp_kses_xml_named_entities( $matches ) { 1849 global $allowedentitynames, $allowedxmlnamedentities; 1850 1851 if ( empty( $matches[1] ) ) { 1852 return ''; 1853 } 1854 1855 $i = $matches[1]; 1856 1857 if ( in_array( $i, $allowedxmlnamedentities, true ) ) { 1858 return "&$i;"; 1859 } elseif ( in_array( $i, $allowedentitynames, true ) ) { 1860 return html_entity_decode( "&$i;", ENT_HTML5 ); 1861 } 1862 1863 return "&$i;"; 1864 } 1865 1866 /** 1867 * Callback for `wp_kses_normalize_entities()` regular expression. 1868 * 1869 * This function helps `wp_kses_normalize_entities()` to only accept 16-bit 1870 * values and nothing more for `&#number;` entities. 1871 * 1872 * @access private 1873 * @ignore 1874 * @since 1.0.0 1875 * 1876 * @param array $matches `preg_replace_callback()` matches array. 1877 * @return string Correctly encoded entity. 1878 */ 1879 function wp_kses_normalize_entities2( $matches ) { 1880 if ( empty( $matches[1] ) ) { 1881 return ''; 1882 } 1883 1884 $i = $matches[1]; 1885 if ( valid_unicode( $i ) ) { 1886 $i = str_pad( ltrim( $i, '0' ), 3, '0', STR_PAD_LEFT ); 1887 $i = "&#$i;"; 1888 } else { 1889 $i = "&#$i;"; 1890 } 1891 1892 return $i; 1893 } 1894 1895 /** 1896 * Callback for `wp_kses_normalize_entities()` for regular expression. 1897 * 1898 * This function helps `wp_kses_normalize_entities()` to only accept valid Unicode 1899 * numeric entities in hex form. 1900 * 1901 * @since 2.7.0 1902 * @access private 1903 * @ignore 1904 * 1905 * @param array $matches `preg_replace_callback()` matches array. 1906 * @return string Correctly encoded entity. 1907 */ 1908 function wp_kses_normalize_entities3( $matches ) { 1909 if ( empty( $matches[1] ) ) { 1910 return ''; 1911 } 1912 1913 $hexchars = $matches[1]; 1914 return ( ! valid_unicode( hexdec( $hexchars ) ) ) ? "&#x$hexchars;" : '&#x' . ltrim( $hexchars, '0' ) . ';'; 1915 } 1916 1917 /** 1918 * Determines if a Unicode codepoint is valid. 1919 * 1920 * @since 2.7.0 1921 * 1922 * @param int $i Unicode codepoint. 1923 * @return bool Whether or not the codepoint is a valid Unicode codepoint. 1924 */ 1925 function valid_unicode( $i ) { 1926 return ( 0x9 == $i || 0xa == $i || 0xd == $i || 1927 ( 0x20 <= $i && $i <= 0xd7ff ) || 1928 ( 0xe000 <= $i && $i <= 0xfffd ) || 1929 ( 0x10000 <= $i && $i <= 0x10ffff ) ); 1930 } 1931 1932 /** 1933 * Converts all numeric HTML entities to their named counterparts. 1934 * 1935 * This function decodes numeric HTML entities (`A` and `A`). 1936 * It doesn't do anything with named entities like `ä`, but we don't 1937 * need them in the allowed URL protocols system anyway. 1938 * 1939 * @since 1.0.0 1940 * 1941 * @param string $string Content to change entities. 1942 * @return string Content after decoded entities. 1943 */ 1944 function wp_kses_decode_entities( $string ) { 1945 $string = preg_replace_callback( '/&#([0-9]+);/', '_wp_kses_decode_entities_chr', $string ); 1946 $string = preg_replace_callback( '/&#[Xx]([0-9A-Fa-f]+);/', '_wp_kses_decode_entities_chr_hexdec', $string ); 1947 1948 return $string; 1949 } 1950 1951 /** 1952 * Regex callback for `wp_kses_decode_entities()`. 1953 * 1954 * @since 2.9.0 1955 * @access private 1956 * @ignore 1957 * 1958 * @param array $match preg match 1959 * @return string 1960 */ 1961 function _wp_kses_decode_entities_chr( $match ) { 1962 return chr( $match[1] ); 1963 } 1964 1965 /** 1966 * Regex callback for `wp_kses_decode_entities()`. 1967 * 1968 * @since 2.9.0 1969 * @access private 1970 * @ignore 1971 * 1972 * @param array $match preg match 1973 * @return string 1974 */ 1975 function _wp_kses_decode_entities_chr_hexdec( $match ) { 1976 return chr( hexdec( $match[1] ) ); 1977 } 1978 1979 /** 1980 * Sanitize content with allowed HTML KSES rules. 1981 * 1982 * This function expects slashed data. 1983 * 1984 * @since 1.0.0 1985 * 1986 * @param string $data Content to filter, expected to be escaped with slashes. 1987 * @return string Filtered content. 1988 */ 1989 function wp_filter_kses( $data ) { 1990 return addslashes( wp_kses( stripslashes( $data ), current_filter() ) ); 1991 } 1992 1993 /** 1994 * Sanitize content with allowed HTML KSES rules. 1995 * 1996 * This function expects unslashed data. 1997 * 1998 * @since 2.9.0 1999 * 2000 * @param string $data Content to filter, expected to not be escaped. 2001 * @return string Filtered content. 2002 */ 2003 function wp_kses_data( $data ) { 2004 return wp_kses( $data, current_filter() ); 2005 } 2006 2007 /** 2008 * Sanitizes content for allowed HTML tags for post content. 2009 * 2010 * Post content refers to the page contents of the 'post' type and not `$_POST` 2011 * data from forms. 2012 * 2013 * This function expects slashed data. 2014 * 2015 * @since 2.0.0 2016 * 2017 * @param string $data Post content to filter, expected to be escaped with slashes. 2018 * @return string Filtered post content with allowed HTML tags and attributes intact. 2019 */ 2020 function wp_filter_post_kses( $data ) { 2021 return addslashes( wp_kses( stripslashes( $data ), 'post' ) ); 2022 } 2023 2024 /** 2025 * Sanitizes content for allowed HTML tags for post content. 2026 * 2027 * Post content refers to the page contents of the 'post' type and not `$_POST` 2028 * data from forms. 2029 * 2030 * This function expects unslashed data. 2031 * 2032 * @since 2.9.0 2033 * 2034 * @param string $data Post content to filter. 2035 * @return string Filtered post content with allowed HTML tags and attributes intact. 2036 */ 2037 function wp_kses_post( $data ) { 2038 return wp_kses( $data, 'post' ); 2039 } 2040 2041 /** 2042 * Navigates through an array, object, or scalar, and sanitizes content for 2043 * allowed HTML tags for post content. 2044 * 2045 * @since 4.4.2 2046 * 2047 * @see map_deep() 2048 * 2049 * @param mixed $data The array, object, or scalar value to inspect. 2050 * @return mixed The filtered content. 2051 */ 2052 function wp_kses_post_deep( $data ) { 2053 return map_deep( $data, 'wp_kses_post' ); 2054 } 2055 2056 /** 2057 * Strips all HTML from a text string. 2058 * 2059 * This function expects slashed data. 2060 * 2061 * @since 2.1.0 2062 * 2063 * @param string $data Content to strip all HTML from. 2064 * @return string Filtered content without any HTML. 2065 */ 2066 function wp_filter_nohtml_kses( $data ) { 2067 return addslashes( wp_kses( stripslashes( $data ), 'strip' ) ); 2068 } 2069 2070 /** 2071 * Adds all KSES input form content filters. 2072 * 2073 * All hooks have default priority. The `wp_filter_kses()` function is added to 2074 * the 'pre_comment_content' and 'title_save_pre' hooks. 2075 * 2076 * The `wp_filter_post_kses()` function is added to the 'content_save_pre', 2077 * 'excerpt_save_pre', and 'content_filtered_save_pre' hooks. 2078 * 2079 * @since 2.0.0 2080 */ 2081 function kses_init_filters() { 2082 // Normal filtering. 2083 add_filter( 'title_save_pre', 'wp_filter_kses' ); 2084 2085 // Comment filtering. 2086 if ( current_user_can( 'unfiltered_html' ) ) { 2087 add_filter( 'pre_comment_content', 'wp_filter_post_kses' ); 2088 } else { 2089 add_filter( 'pre_comment_content', 'wp_filter_kses' ); 2090 } 2091 2092 // Post filtering. 2093 add_filter( 'content_save_pre', 'wp_filter_post_kses' ); 2094 add_filter( 'excerpt_save_pre', 'wp_filter_post_kses' ); 2095 add_filter( 'content_filtered_save_pre', 'wp_filter_post_kses' ); 2096 } 2097 2098 /** 2099 * Removes all KSES input form content filters. 2100 * 2101 * A quick procedural method to removing all of the filters that KSES uses for 2102 * content in WordPress Loop. 2103 * 2104 * Does not remove the `kses_init()` function from {@see 'init'} hook (priority is 2105 * default). Also does not remove `kses_init()` function from {@see 'set_current_user'} 2106 * hook (priority is also default). 2107 * 2108 * @since 2.0.6 2109 */ 2110 function kses_remove_filters() { 2111 // Normal filtering. 2112 remove_filter( 'title_save_pre', 'wp_filter_kses' ); 2113 2114 // Comment filtering. 2115 remove_filter( 'pre_comment_content', 'wp_filter_post_kses' ); 2116 remove_filter( 'pre_comment_content', 'wp_filter_kses' ); 2117 2118 // Post filtering. 2119 remove_filter( 'content_save_pre', 'wp_filter_post_kses' ); 2120 remove_filter( 'excerpt_save_pre', 'wp_filter_post_kses' ); 2121 remove_filter( 'content_filtered_save_pre', 'wp_filter_post_kses' ); 2122 } 2123 2124 /** 2125 * Sets up most of the KSES filters for input form content. 2126 * 2127 * First removes all of the KSES filters in case the current user does not need 2128 * to have KSES filter the content. If the user does not have `unfiltered_html` 2129 * capability, then KSES filters are added. 2130 * 2131 * @since 2.0.0 2132 */ 2133 function kses_init() { 2134 kses_remove_filters(); 2135 2136 if ( ! current_user_can( 'unfiltered_html' ) ) { 2137 kses_init_filters(); 2138 } 2139 } 2140 2141 /** 2142 * Filters an inline style attribute and removes disallowed rules. 2143 * 2144 * @since 2.8.1 2145 * 2146 * @param string $css A string of CSS rules. 2147 * @param string $deprecated Not used. 2148 * @return string Filtered string of CSS rules. 2149 */ 2150 function safecss_filter_attr( $css, $deprecated = '' ) { 2151 if ( ! empty( $deprecated ) ) { 2152 _deprecated_argument( __FUNCTION__, '2.8.1' ); // Never implemented. 2153 } 2154 2155 $css = wp_kses_no_null( $css ); 2156 $css = str_replace( array( "\n", "\r", "\t" ), '', $css ); 2157 2158 $allowed_protocols = wp_allowed_protocols(); 2159 2160 $css_array = explode( ';', trim( $css ) ); 2161 2162 /** 2163 * Filters list of allowed CSS attributes. 2164 * 2165 * @since 2.8.1 2166 * @since 4.4.0 Added support for `min-height`, `max-height`, `min-width`, and `max-width`. 2167 * @since 4.6.0 Added support for `list-style-type`. 2168 * @since 5.0.0 Added support for `background-image`. 2169 * @since 5.1.0 Added support for `text-transform`. 2170 * @since 5.2.0 Added support for `background-position` and `grid-template-columns`. 2171 * @since 5.3.0 Added support for `grid`, `flex` and `column` layout properties. 2172 * Extend `background-*` support of individual properties. 2173 * @since 5.3.1 Added support for gradient backgrounds. 2174 * 2175 * @param string[] $attr Array of allowed CSS attributes. 2176 */ 2177 $allowed_attr = apply_filters( 2178 'safe_style_css', 2179 array( 2180 'background', 2181 'background-color', 2182 'background-image', 2183 'background-position', 2184 'background-size', 2185 'background-attachment', 2186 'background-blend-mode', 2187 2188 'border', 2189 'border-radius', 2190 'border-width', 2191 'border-color', 2192 'border-style', 2193 'border-right', 2194 'border-right-color', 2195 'border-right-style', 2196 'border-right-width', 2197 'border-bottom', 2198 'border-bottom-color', 2199 'border-bottom-style', 2200 'border-bottom-width', 2201 'border-left', 2202 'border-left-color', 2203 'border-left-style', 2204 'border-left-width', 2205 'border-top', 2206 'border-top-color', 2207 'border-top-style', 2208 'border-top-width', 2209 2210 'border-spacing', 2211 'border-collapse', 2212 'caption-side', 2213 2214 'columns', 2215 'column-count', 2216 'column-fill', 2217 'column-gap', 2218 'column-rule', 2219 'column-span', 2220 'column-width', 2221 2222 'color', 2223 'font', 2224 'font-family', 2225 'font-size', 2226 'font-style', 2227 'font-variant', 2228 'font-weight', 2229 'letter-spacing', 2230 'line-height', 2231 'text-align', 2232 'text-decoration', 2233 'text-indent', 2234 'text-transform', 2235 2236 'height', 2237 'min-height', 2238 'max-height', 2239 2240 'width', 2241 'min-width', 2242 'max-width', 2243 2244 'margin', 2245 'margin-right', 2246 'margin-bottom', 2247 'margin-left', 2248 'margin-top', 2249 2250 'padding', 2251 'padding-right', 2252 'padding-bottom', 2253 'padding-left', 2254 'padding-top', 2255 2256 'flex', 2257 'flex-basis', 2258 'flex-direction', 2259 'flex-flow', 2260 'flex-grow', 2261 'flex-shrink', 2262 2263 'grid-template-columns', 2264 'grid-auto-columns', 2265 'grid-column-start', 2266 'grid-column-end', 2267 'grid-column-gap', 2268 'grid-template-rows', 2269 'grid-auto-rows', 2270 'grid-row-start', 2271 'grid-row-end', 2272 'grid-row-gap', 2273 'grid-gap', 2274 2275 'justify-content', 2276 'justify-items', 2277 'justify-self', 2278 'align-content', 2279 'align-items', 2280 'align-self', 2281 2282 'clear', 2283 'cursor', 2284 'direction', 2285 'float', 2286 'list-style-type', 2287 'overflow', 2288 'vertical-align', 2289 ) 2290 ); 2291 2292 /* 2293 * CSS attributes that accept URL data types. 2294 * 2295 * This is in accordance to the CSS spec and unrelated to 2296 * the sub-set of supported attributes above. 2297 * 2298 * See: https://developer.mozilla.org/en-US/docs/Web/CSS/url 2299 */ 2300 $css_url_data_types = array( 2301 'background', 2302 'background-image', 2303 2304 'cursor', 2305 2306 'list-style', 2307 'list-style-image', 2308 ); 2309 2310 /* 2311 * CSS attributes that accept gradient data types. 2312 * 2313 */ 2314 $css_gradient_data_types = array( 2315 'background', 2316 'background-image', 2317 ); 2318 2319 if ( empty( $allowed_attr ) ) { 2320 return $css; 2321 } 2322 2323 $css = ''; 2324 foreach ( $css_array as $css_item ) { 2325 if ( '' === $css_item ) { 2326 continue; 2327 } 2328 2329 $css_item = trim( $css_item ); 2330 $css_test_string = $css_item; 2331 $found = false; 2332 $url_attr = false; 2333 $gradient_attr = false; 2334 2335 if ( strpos( $css_item, ':' ) === false ) { 2336 $found = true; 2337 } else { 2338 $parts = explode( ':', $css_item, 2 ); 2339 $css_selector = trim( $parts[0] ); 2340 2341 if ( in_array( $css_selector, $allowed_attr, true ) ) { 2342 $found = true; 2343 $url_attr = in_array( $css_selector, $css_url_data_types, true ); 2344 $gradient_attr = in_array( $css_selector, $css_gradient_data_types, true ); 2345 } 2346 } 2347 2348 if ( $found && $url_attr ) { 2349 // Simplified: matches the sequence `url(*)`. 2350 preg_match_all( '/url\([^)]+\)/', $parts[1], $url_matches ); 2351 2352 foreach ( $url_matches[0] as $url_match ) { 2353 // Clean up the URL from each of the matches above. 2354 preg_match( '/^url\(\s*([\'\"]?)(.*)(\g1)\s*\)$/', $url_match, $url_pieces ); 2355 2356 if ( empty( $url_pieces[2] ) ) { 2357 $found = false; 2358 break; 2359 } 2360 2361 $url = trim( $url_pieces[2] ); 2362 2363 if ( empty( $url ) || wp_kses_bad_protocol( $url, $allowed_protocols ) !== $url ) { 2364 $found = false; 2365 break; 2366 } else { 2367 // Remove the whole `url(*)` bit that was matched above from the CSS. 2368 $css_test_string = str_replace( $url_match, '', $css_test_string ); 2369 } 2370 } 2371 } 2372 2373 if ( $found && $gradient_attr ) { 2374 $css_value = trim( $parts[1] ); 2375 if ( preg_match( '/^(repeating-)?(linear|radial|conic)-gradient\(([^()]|rgb[a]?\([^()]*\))*\)$/', $css_value ) ) { 2376 // Remove the whole `gradient` bit that was matched above from the CSS. 2377 $css_test_string = str_replace( $css_value, '', $css_test_string ); 2378 } 2379 } 2380 2381 if ( $found ) { 2382 // Check for any CSS containing \ ( & } = or comments, except for url() usage checked above. 2383 $allow_css = ! preg_match( '%[\\\(&=}]|/\*%', $css_test_string ); 2384 2385 /** 2386 * Filters the check for unsafe CSS in `safecss_filter_attr`. 2387 * 2388 * Enables developers to determine whether a section of CSS should be allowed or discarded. 2389 * By default, the value will be false if the part contains \ ( & } = or comments. 2390 * Return true to allow the CSS part to be included in the output. 2391 * 2392 * @since 5.5.0 2393 * 2394 * @param bool $allow_css Whether the CSS in the test string is considered safe. 2395 * @param string $css_test_string The CSS string to test. 2396 */ 2397 $allow_css = apply_filters( 'safecss_filter_attr_allow_css', $allow_css, $css_test_string ); 2398 2399 // Only add the CSS part if it passes the regex check. 2400 if ( $allow_css ) { 2401 if ( '' !== $css ) { 2402 $css .= ';'; 2403 } 2404 2405 $css .= $css_item; 2406 } 2407 } 2408 } 2409 2410 return $css; 2411 } 2412 2413 /** 2414 * Helper function to add global attributes to a tag in the allowed HTML list. 2415 * 2416 * @since 3.5.0 2417 * @since 5.0.0 Add support for `data-*` wildcard attributes. 2418 * @access private 2419 * @ignore 2420 * 2421 * @param array $value An array of attributes. 2422 * @return array The array of attributes with global attributes added. 2423 */ 2424 function _wp_add_global_attributes( $value ) { 2425 $global_attributes = array( 2426 'aria-describedby' => true, 2427 'aria-details' => true, 2428 'aria-label' => true, 2429 'aria-labelledby' => true, 2430 'aria-hidden' => true, 2431 'class' => true, 2432 'id' => true, 2433 'style' => true, 2434 'title' => true, 2435 'role' => true, 2436 'data-*' => true, 2437 ); 2438 2439 if ( true === $value ) { 2440 $value = array(); 2441 } 2442 2443 if ( is_array( $value ) ) { 2444 return array_merge( $value, $global_attributes ); 2445 } 2446 2447 return $value; 2448 }
title
Description
Body
title
Description
Body
title
Description
Body
title
Body
Generated : Tue Jan 26 08:20:01 2021 | Cross-referenced by PHPXref |