+ $string = wp_kses_hook($string, $allowed_html, $allowed_protocols); // WP changed the order of these funcs and added args to wp_kses_hook
+ return wp_kses_split($string, $allowed_html, $allowed_protocols);
+}
+
+/**
+ * Filters one attribute only and ensures its value is allowed.
+ *
+ * This function has the advantage of being more secure than esc_attr() and can
+ * escape data in some situations where wp_kses() must strip the whole attribute.
+ *
+ * @since 4.2.3
+ *
+ * @param string $string The 'whole' attribute, including name and value.
+ * @param string $element The element name to which the attribute belongs.
+ * @return string Filtered attribute.
+ */
+function wp_kses_one_attr( $string, $element ) {
+ $uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');
+ $allowed_html = wp_kses_allowed_html( 'post' );
+ $allowed_protocols = wp_allowed_protocols();
+ $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
+ $string = wp_kses_js_entities( $string );
+
+ // Preserve leading and trailing whitespace.
+ $matches = array();
+ preg_match('/^\s*/', $string, $matches);
+ $lead = $matches[0];
+ preg_match('/\s*$/', $string, $matches);
+ $trail = $matches[0];
+ if ( empty( $trail ) ) {
+ $string = substr( $string, strlen( $lead ) );
+ } else {
+ $string = substr( $string, strlen( $lead ), -strlen( $trail ) );
+ }
+
+ // Parse attribute name and value from input.
+ $split = preg_split( '/\s*=\s*/', $string, 2 );
+ $name = $split[0];
+ if ( count( $split ) == 2 ) {
+ $value = $split[1];
+
+ // Remove quotes surrounding $value.
+ // Also guarantee correct quoting in $string for this one attribute.
+ if ( '' == $value ) {
+ $quote = '';
+ } else {
+ $quote = $value[0];
+ }
+ if ( '"' == $quote || "'" == $quote ) {
+ if ( substr( $value, -1 ) != $quote ) {
+ return '';
+ }
+ $value = substr( $value, 1, -1 );
+ } else {
+ $quote = '"';
+ }
+
+ // Sanitize quotes, angle braces, and entities.
+ $value = esc_attr( $value );
+
+ // Sanitize URI values.
+ if ( in_array( strtolower( $name ), $uris ) ) {
+ $value = wp_kses_bad_protocol( $value, $allowed_protocols );
+ }
+
+ $string = "$name=$quote$value$quote";
+ $vless = 'n';
+ } else {
+ $value = '';
+ $vless = 'y';
+ }
+
+ // Sanitize attribute by name.
+ wp_kses_attr_check( $name, $value, $string, $vless, $element, $allowed_html );
+
+ // Restore whitespace.
+ return $lead . $string . $trail;
+}
+
+/**
+ * Return a list of allowed tags and attributes for a given context.
+ *
+ * @since 3.5.0
+ *
+ * @global array $allowedposttags
+ * @global array $allowedtags
+ * @global array $allowedentitynames
+ *
+ * @param string $context The context for which to retrieve tags.
+ * Allowed values are post, strip, data,entities, or
+ * the name of a field filter such as pre_user_description.
+ * @return array List of allowed tags and their allowed attributes.
+ */
+function wp_kses_allowed_html( $context = '' ) {
+ global $allowedposttags, $allowedtags, $allowedentitynames;
+
+ if ( is_array( $context ) ) {
+ /**
+ * Filter HTML elements allowed for a given context.
+ *
+ * @since 3.5.0
+ *
+ * @param string $tags Allowed tags, attributes, and/or entities.
+ * @param string $context Context to judge allowed tags by. Allowed values are 'post',
+ * 'data', 'strip', 'entities', 'explicit', or the name of a filter.
+ */
+ return apply_filters( 'wp_kses_allowed_html', $context, 'explicit' );
+ }
+
+ switch ( $context ) {
+ case 'post':
+ /** This filter is documented in wp-includes/kses.php */
+ return apply_filters( 'wp_kses_allowed_html', $allowedposttags, $context );
+
+ case 'user_description':
+ case 'pre_user_description':
+ $tags = $allowedtags;
+ $tags['a']['rel'] = true;
+ /** This filter is documented in wp-includes/kses.php */
+ return apply_filters( 'wp_kses_allowed_html', $tags, $context );
+
+ case 'strip':
+ /** This filter is documented in wp-includes/kses.php */
+ return apply_filters( 'wp_kses_allowed_html', array(), $context );
+
+ case 'entities':
+ /** This filter is documented in wp-includes/kses.php */
+ return apply_filters( 'wp_kses_allowed_html', $allowedentitynames, $context);
+
+ case 'data':
+ default:
+ /** This filter is documented in wp-includes/kses.php */
+ return apply_filters( 'wp_kses_allowed_html', $allowedtags, $context );
+ }