*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA or visit
+ * 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
* http://www.gnu.org/licenses/gpl.html
- *
+ *
* [kses strips evil scripts!]
*
* Added wp_ prefix to avoid conflicts with existing kses users
*
* @package External
* @subpackage KSES
+ *
*/
/**
* @return string Filtered content with only allowed HTML elements
*/
function wp_kses($string, $allowed_html, $allowed_protocols = array ()) {
- $allowed_protocols = wp_parse_args( $allowed_protocols, apply_filters('kses_allowed_protocols', array ('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn') ));
+ if ( empty( $allowed_protocols ) )
+ $allowed_protocols = wp_allowed_protocols();
$string = wp_kses_no_null($string);
$string = wp_kses_js_entities($string);
$string = wp_kses_normalize_entities($string);
* You add any kses hooks here.
*
* There is currently only one kses WordPress hook and it is called here. All
- * parameters are passed to the hooks and expected to recieve a string.
+ * parameters are passed to the hooks and expected to receive a string.
*
* @since 1.0.0
*
global $pass_allowed_html, $pass_allowed_protocols;
$pass_allowed_html = $allowed_html;
$pass_allowed_protocols = $allowed_protocols;
- return preg_replace_callback('%((<!--.*?(-->|$))|(<[^>]*(>|$)|>))%',
- create_function('$match', 'global $pass_allowed_html, $pass_allowed_protocols; return wp_kses_split2($match[1], $pass_allowed_html, $pass_allowed_protocols);'), $string);
+ return preg_replace_callback( '%(<!--.*?(-->|$))|(<[^>]*(>|$)|>)%', '_wp_kses_split_callback', $string );
+}
+
+/**
+ * Callback for wp_kses_split.
+ *
+ * @since 3.1.0
+ * @access private
+ */
+function _wp_kses_split_callback( $match ) {
+ global $pass_allowed_html, $pass_allowed_protocols;
+ return wp_kses_split2( $match[0], $pass_allowed_html, $pass_allowed_protocols );
}
/**
return '>';
# It matched a ">" character
- if (preg_match('%^<!--(.*?)(-->)?$%', $string, $matches)) {
- $string = str_replace(array('<!--', '-->'), '', $matches[1]);
- while ( $string != $newstring = wp_kses($string, $allowed_html, $allowed_protocols) )
+ if ( '<!--' == substr( $string, 0, 4 ) ) {
+ $string = str_replace( array('<!--', '-->'), '', $string );
+ while ( $string != ($newstring = wp_kses($string, $allowed_html, $allowed_protocols)) )
$string = $newstring;
if ( $string == '' )
return '';
$elem = $matches[2];
$attrlist = $matches[3];
- if (!@isset($allowed_html[strtolower($elem)]))
+ if ( ! isset($allowed_html[strtolower($elem)]) )
return '';
# They are using a not allowed HTML element
if ($slash != '')
- return "<$slash$elem>";
+ return "</$elem>";
# No attributes are allowed for closing elements
- return wp_kses_attr("$slash$elem", $attrlist, $allowed_html, $allowed_protocols);
+ return wp_kses_attr( $elem, $attrlist, $allowed_html, $allowed_protocols );
}
/**
$xhtml_slash = ' /';
# Are any attributes allowed at all for this element?
-
- if (@ count($allowed_html[strtolower($element)]) == 0)
+ if ( ! isset($allowed_html[strtolower($element)]) || count($allowed_html[strtolower($element)]) == 0 )
return "<$element$xhtml_slash>";
# Split it
-
$attrarr = wp_kses_hair($attr, $allowed_protocols);
# Go through $attrarr, and save the allowed attributes for this element
# in $attr2
-
$attr2 = '';
+ $allowed_attr = $allowed_html[strtolower($element)];
foreach ($attrarr as $arreach) {
- if (!@ isset ($allowed_html[strtolower($element)][strtolower($arreach['name'])]))
+ if ( ! isset( $allowed_attr[strtolower($arreach['name'])] ) )
continue; # the attribute is not allowed
- $current = $allowed_html[strtolower($element)][strtolower($arreach['name'])];
- if ($current == '')
+ $current = $allowed_attr[strtolower($arreach['name'])];
+ if ( $current == '' )
continue; # the attribute is not allowed
- if (!is_array($current))
+ if ( ! is_array($current) ) {
$attr2 .= ' '.$arreach['whole'];
# there are no checks
- else {
+ } else {
# there are some checks
$ok = true;
- foreach ($current as $currkey => $currval)
- if (!wp_kses_check_attr_val($arreach['value'], $arreach['vless'], $currkey, $currval)) {
+ foreach ($current as $currkey => $currval) {
+ if ( ! wp_kses_check_attr_val($arreach['value'], $arreach['vless'], $currkey, $currval) ) {
$ok = false;
break;
}
+ }
if ( strtolower($arreach['name']) == 'style' ) {
$orig_value = $arreach['value'];
-
$value = safecss_filter_attr($orig_value);
if ( empty($value) )
continue;
$arreach['value'] = $value;
-
$arreach['whole'] = str_replace($orig_value, $value, $arreach['whole']);
}
} # foreach
# Remove any "<" or ">" characters
-
$attr2 = preg_replace('/[<>]/', '', $attr2);
return "<$element$attr2$xhtml_slash>";
* Performs different checks for attribute values.
*
* The currently implemented checks are "maxlen", "minlen", "maxval", "minval"
- * and "valueless" with even more checks to come soon.
+ * and "valueless".
*
* @since 1.0.0
*
break;
case 'minval' :
- # The minval check checks that the attribute value is a positive integer,
+ # The minval check makes sure that the attribute value is a positive integer,
# and that it is not smaller than the given value.
if (!preg_match('/^\s{0,6}[0-9]{1,6}\s{0,6}$/', $value))
break;
case 'valueless' :
- # The valueless check checks if the attribute has a value
+ # The valueless check makes sure if the attribute has a value
# (like <a href="blah">) or not (<option selected>). If the given value
# is a "y" or a "Y", the attribute must not have a value.
# If the given value is an "n" or an "N", the attribute must have one.
*/
function wp_kses_bad_protocol($string, $allowed_protocols) {
$string = wp_kses_no_null($string);
- $string2 = $string.'a';
+ $iterations = 0;
- while ($string != $string2) {
- $string2 = $string;
+ do {
+ $original_string = $string;
$string = wp_kses_bad_protocol_once($string, $allowed_protocols);
- } # while
+ } while ( $original_string != $string && ++$iterations < 6 );
+
+ if ( $original_string != $string )
+ return '';
return $string;
}
/**
* Strips slashes from in front of quotes.
*
- * This function changes the character sequence \" to just ". It leaves all
+ * This function changes the character sequence \" to just ". It leaves all
* other slashes alone. It's really weird, but the quoting from
* preg_replace(//e) seems to require this.
*
* @since 1.0.0
*
* @param string $string String to strip slashes
- * @return string Fixed strings with quoted slashes
+ * @return string Fixed string with quoted slashes
*/
function wp_kses_stripslashes($string) {
return preg_replace('%\\\\"%', '"', $string);
* @param string $allowed_protocols Allowed protocols
* @return string Sanitized content
*/
-function wp_kses_bad_protocol_once($string, $allowed_protocols) {
+function wp_kses_bad_protocol_once($string, $allowed_protocols, $count = 1 ) {
$string2 = preg_split( '/:|�*58;|�*3a;/i', $string, 2 );
- if ( isset($string2[1]) && ! preg_match('%/\?%', $string2[0]) )
- $string = wp_kses_bad_protocol_once2( $string2[0], $allowed_protocols ) . trim( $string2[1] );
+ if ( isset($string2[1]) && ! preg_match('%/\?%', $string2[0]) ) {
+ $string = trim( $string2[1] );
+ $protocol = wp_kses_bad_protocol_once2( $string2[0], $allowed_protocols );
+ if ( 'feed:' == $protocol ) {
+ if ( $count > 2 )
+ return '';
+ $string = wp_kses_bad_protocol_once( $string, $allowed_protocols, ++$count );
+ if ( empty( $string ) )
+ return $string;
+ }
+ $string = $protocol . $string;
+ }
return $string;
}
* Callback for wp_kses_bad_protocol_once() regular expression.
*
* This function processes URL protocols, checks to see if they're in the
- * white-list or not, and returns different data depending on the answer.
+ * whitelist or not, and returns different data depending on the answer.
*
* @access private
* @since 1.0.0
/**
* Callback for wp_kses_normalize_entities() regular expression.
*
- * This function helps wp_kses_normalize_entities() to only accept 16 bit values
+ * This function helps wp_kses_normalize_entities() to only accept 16-bit values
* and nothing more for &#number; entities.
*
* @access private
* Helper function to determine if a Unicode value is valid.
*
* @param int $i Unicode value
- * @return bool true if the value was a valid Unicode number
+ * @return bool True if the value was a valid Unicode number
*/
function valid_unicode($i) {
return ( $i == 0x9 || $i == 0xa || $i == 0xd ||
* will be added.
*
* First removes all of the Kses filters in case the current user does not need
- * to have Kses filter the content. If the user does not have unfiltered html
+ * to have Kses filter the content. If the user does not have unfiltered_html
* capability, then Kses filters are added.
*
* @uses kses_remove_filters() Removes the Kses filters