X-Git-Url: https://scripts.mit.edu/gitweb/autoinstalls/wordpress.git/blobdiff_plain/16b9f61a8ab25bd6c9fbfd0cea00c7bda22f6a71..a6444c710cf37d7732aea76e752e43322b5036ca:/wp-includes/formatting.php
diff --git a/wp-includes/formatting.php b/wp-includes/formatting.php
index dc9ed2f6..3d203e6f 100644
--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@@ -33,8 +33,8 @@ function wptexturize($text) {
 $curl = '';
 $textarr = preg_split('/(<.*>|\[.*\])/Us', $text, -1, PREG_SPLIT_DELIM_CAPTURE);
 $stop = count($textarr);
-
- // No need to setup these variables more than once
+
+ // No need to set up these variables more than once
 if (!$static_setup) {
 /* translators: opening curly quote */
 $opening_quote = _x('“', 'opening curly quote');
@@ -53,11 +53,11 @@ function wptexturize($text) {
 $cockneyreplace = array("’tain’t","’twere","’twas","’tis","’twill","’til","’bout","’nuff","’round","’cause");
 }
- $static_characters = array_merge(array('---', ' -- ', '--', ' - ', 'xn–', '...', '``', '\'s', '\'\'', ' (tm)'), $cockney);
- $static_replacements = array_merge(array('—', ' — ', '–', ' – ', 'xn--', '…', $opening_quote, '’s', $closing_quote, ' ™'), $cockneyreplace);
+ $static_characters = array_merge(array('---', ' -- ', '--', ' - ', 'xn–', '...', '``', '\'\'', ' (tm)'), $cockney);
+ $static_replacements = array_merge(array('—', ' — ', '–', ' – ', 'xn--', '…', $opening_quote, $closing_quote, ' ™'), $cockneyreplace);
- $dynamic_characters = array('/\'(\d\d(?:’|\')?s)/', '/(\s|\A|[([{<]|")\'/', '/(\d+)"/', '/(\d+)\'/', '/(\S)\'([^\'\s])/', '/(\s|\A|[([{<])"(?!\s)/', '/"(\s|\S|\Z)/', '/\'([\s.]|\Z)/', '/(\d+)x(\d+)/');
- $dynamic_replacements = array('’$1','$1‘', '$1″', '$1′', '$1’$2', '$1' . $opening_quote . '$2', $closing_quote . '$1', '’$1', '$1×$2');
+ $dynamic_characters = array('/\'(\d\d(?:’|\')?s)/', '/\'(\d+)/', '/(\s|\A|[([{<]|")\'/', '/(\d+)"/', '/(\d+)\'/', '/(\S)\'([^\'\s])/', '/(\s|\A|[([{<])"(?!\s)/', '/"(\s|\S|\Z)/', '/\'([\s.]|\Z)/', '/\b(\d+)x(\d+)\b/');
+ $dynamic_replacements = array('’$1','’$1', '$1‘', '$1″', '$1′', '$1’$2', '$1' . $opening_quote . '$2', $closing_quote . '$1', '’$1', '$1×$2');
 $static_setup = true;
 }
@@ -74,7 +74,7 @@ function wptexturize($text) {
 $curl = $textarr[$i];
 if ( !empty($curl) && '<' != $curl{0} && '[' != $curl{0}
- && empty($no_texturize_shortcodes_stack) && empty($no_texturize_tags_stack)) {
+ && empty($no_texturize_shortcodes_stack) && empty($no_texturize_tags_stack)) {
 // This is not a tag, nor is the texturization disabled
 // static strings
 $curl = str_replace($static_characters, $static_replacements, $curl);
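Review bot: The new `'/\'(\d+)/'` pattern is inserted at index 1 of `$dynamic_characters` and its replacement `'’$1'` at index 1 of `$dynamic_replacements`, and nothing in the code states that the two arrays are positional pairs; a later edit that inserts into one but not the other would silently shift every subsequent replacement. A comment above the pair such as `// Positional pairs consumed by preg_replace(): keep both arrays aligned index for index.` would make the invariant explicit, and the same applies to `$static_characters`/`$static_replacements` just above. `wptexturize()` starts before this hunk and continues after it.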
@@ -120,7 +120,7 @@ function _wptexturize_pushpop_element($text, &$stack, $disabled_elements, $openi /* * This disables texturize until we find a closing tag of our type * (e.g.
) even if there was invalid nesting before that
-			 * 
+			 *
 			 * Example: in the case 
sadsadasd"baba"
* "baba" won't be texturize */ @@ -185,7 +185,7 @@ function wpautop($pee, $br = 1) { $pee = $pee . "\n"; // just to make things a little easier, pad the end $pee = preg_replace('|
\s*
|', "\n\n", $pee); // Space things out a little - $allblocks = '(?:table|thead|tfoot|caption|col|colgroup|tbody|tr|td|th|div|dl|dd|dt|ul|ol|li|pre|select|form|map|area|blockquote|address|math|style|input|p|h[1-6]|hr|fieldset|legend)'; + $allblocks = '(?:table|thead|tfoot|caption|col|colgroup|tbody|tr|td|th|div|dl|dd|dt|ul|ol|li|pre|select|option|form|map|area|blockquote|address|math|style|input|p|h[1-6]|hr|fieldset|legend|section|article|aside|hgroup|header|footer|nav|figure|figcaption|details|menu|summary)'; $pee = preg_replace('!(<' . $allblocks . '[^>]*>)!', "\n$1", $pee); $pee = preg_replace('!()!', "$1\n\n", $pee); $pee = str_replace(array("\r\n", "\r"), "\n", $pee); // cross-platform newlines @@ -287,7 +287,7 @@ function seems_utf8($str) { * @param string $string The text which is to be encoded. * @param mixed $quote_style Optional. Converts double quotes if set to ENT_COMPAT, both single and double if set to ENT_QUOTES or none if set to ENT_NOQUOTES. Also compatible with old values; converting single quotes if set to 'single', double if set to 'double' or both if otherwise set. Default is ENT_NOQUOTES. * @param string $charset Optional. The character encoding of the string. Default is false. - * @param boolean $double_encode Optional. Whether or not to encode existing html entities. Default is false. + * @param boolean $double_encode Optional. Whether to encode existing html entities. Default is false. * @return string The encoded text with HTML entities. */ function _wp_specialchars( $string, $quote_style = ENT_NOQUOTES, $charset = false, $double_encode = false ) { 
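Review bot: The extended `$allblocks` alternation is used in `'!(<' . $allblocks . '[^>]*>)!'` with no boundary after the element name, so every entry also matches any tag whose name merely starts with it (the new `menu` entry would match a `<menuitem …>` start tag, for instance). A lookahead after the group, e.g. `'!(<' . $allblocks . '(?=[\s/>])[^>]*>)!'`, restricts the match to the listed elements. The line collapsing repeated line breaks above appears garbled in this rendering (its tag literals are missing), so I could not check it; `wpautop()` starts before this hunk.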
@@ -334,6 +334,12 @@ function _wp_specialchars( $string, $quote_style = ENT_NOQUOTES, $charset = fals
 // Handle double encoding ourselves
 if ( !$double_encode ) {
 $string = wp_specialchars_decode( $string, $_quote_style );
+
+ /* Critical */
+ // The previous line decodes &phrase; into &phrase; We must guarantee that &phrase; is valid before proceeding.
+ $string = wp_kses_normalize_entities($string);
+
+ // Now proceed with custom double-encoding silliness
 $string = preg_replace( '/&(#?x?[0-9a-z]+);/i', '|wp_entity|$1|/wp_entity|', $string );
 }
@@ -690,7 +696,7 @@ function sanitize_file_name( $filename ) {
 // long alpha string not in the extension whitelist.
 foreach ( (array) $parts as $part) {
 $filename .= '.' . $part;
-
+
 if ( preg_match("/^[a-zA-Z]{2,5}\d?$/", $part) ) {
 $allowed = false;
 foreach ( $mimes as $ext_preg => $mime_match ) {
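Review bot: The `/* Critical */` marker and the two line comments around the new `wp_kses_normalize_entities()` call do not say what goes wrong without it, and the first one reads as "decodes &phrase; into &phrase;" (presumably an `&amp;` was lost in rendering), so the next maintainer cannot tell why the call must sit between the decode and the `|wp_entity|` marker pass. Suggest replacing the three with one comment: `// wp_specialchars_decode() can leave bare '&name;' sequences behind; normalize them so the marker pass below only protects well-formed entities.` This also makes `_wp_specialchars()` depend on kses being loaded, which is worth stating in its docblock. The rest of `_wp_specialchars()` lies outside the hunk.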
@@ -729,19 +735,45 @@ function sanitize_file_name( $filename ) {
 */
 function sanitize_user( $username, $strict = false ) {
 $raw_username = $username;
- $username = wp_strip_all_tags($username);
+ $username = wp_strip_all_tags( $username );
+ $username = remove_accents( $username );
 // Kill octets
- $username = preg_replace('|%([a-fA-F0-9][a-fA-F0-9])|', '', $username);
- $username = preg_replace('/&.+?;/', '', $username); // Kill entities
+ $username = preg_replace( '|%([a-fA-F0-9][a-fA-F0-9])|', '', $username );
+ $username = preg_replace( '/&.+?;/', '', $username ); // Kill entities
 // If strict, reduce to ASCII for max portability.
 if ( $strict )
- $username = preg_replace('|[^a-z0-9 _.\-@]|i', '', $username);
+ $username = preg_replace( '|[^a-z0-9 _.\-@]|i', '', $username );
 // Consolidate contiguous whitespace
- $username = preg_replace('|\s+|', ' ', $username);
+ $username = preg_replace( '|\s+|', ' ', $username );
- return apply_filters('sanitize_user', $username, $raw_username, $strict);
+ return apply_filters( 'sanitize_user', $username, $raw_username, $strict );
+}
+
+/**
+ * Sanitize a string key.
+ *
+ * Keys are used as internal identifiers. They should be lowercase ASCII. Dashes and underscores are allowed.
+ *
+ * @since 3.0.0
+ *
+ * @param string $key String key
+ * @return string Sanitized key
+ */
+function sanitize_key( $key ) {
+ $raw_key = $key;
+ $key = wp_strip_all_tags($key);
+ // Kill octets
+ $key = preg_replace('|%([a-fA-F0-9][a-fA-F0-9])|', '', $key);
+ $key = preg_replace('/&.+?;/', '', $key); // Kill entities
+
+ $key = preg_replace('|[^a-z0-9 _.\-@]|i', '', $key);
+
+ // Consolidate contiguous whitespace
+ $key = preg_replace('|\s+|', ' ', $key);
+
+ return apply_filters('sanitize_key', $key, $raw_key);
 }
 /**
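Review bot: The new `sanitize_key()` docblock promises lowercase ASCII with only dashes and underscores, but the body is a copy of `sanitize_user()`'s strict branch: the `|[^a-z0-9 _.\-@]|i` pattern is case-insensitive and also keeps spaces, dots and `@`, and nothing lowercases the result, so callers relying on the documented contract get a wider character set than stated. To match the docblock the filtering lines would be `$key = strtolower( $key );` followed by `$key = preg_replace( '/[^a-z0-9_\-]/', '', $key );`, after which the whitespace-consolidation step has nothing left to do. Whichever side is changed, the docblock should also mention that the `sanitize_key` filter can widen the result again.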
@@ -836,20 +868,21 @@ function sanitize_sql_orderby( $orderby ){
 * @since 2.8.0
 *
 * @param string $class The classname to be sanitized
- * @param string $fallback The value to return if the sanitization end's up as an empty string.
+ * @param string $fallback Optional. The value to return if the sanitization end's up as an empty string.
+ * Defaults to an empty string.
 * @return string The sanitized value
 */
-function sanitize_html_class($class, $fallback){
+function sanitize_html_class( $class, $fallback = '' ) {
 //Strip out any % encoded octets
 $sanitized = preg_replace('|%[a-fA-F0-9][a-fA-F0-9]|', '', $class);
 //Limit to A-Z,a-z,0-9,'-'
 $sanitized = preg_replace('/[^A-Za-z0-9-]/', '', $sanitized);
- if ('' == $sanitized)
+ if ( '' == $sanitized )
 $sanitized = $fallback;
- return apply_filters('sanitize_html_class',$sanitized, $class, $fallback);
+ return apply_filters( 'sanitize_html_class', $sanitized, $class, $fallback );
 }
 /**
@@ -866,6 +899,9 @@ function sanitize_html_class($class, $fallback){
 * @return string Converted string.
 */
 function convert_chars($content, $deprecated = '') {
+ if ( !empty( $deprecated ) )
+ _deprecated_argument( __FUNCTION__, '0.71' );
+
 // Translation of invalid Unicode references range to valid range
 $wp_htmltranswinuni = array(
 '€' => '€', // the Euro sign
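Review bot: The rewritten `if ( '' == $sanitized )` keeps a loose comparison, and it only covers the `preg_replace()` error path because `null == ''` happens to be true; making that explicit with `if ( null === $sanitized || '' === $sanitized )` documents the intent and survives a later switch to strict comparisons. In the `convert_chars()` hunk below, `!empty( $deprecated )` skips the deprecation notice when the caller passes `'0'`; `'' !== $deprecated` would flag any supplied value. The docblock could also note that `$fallback` is returned unsanitized, since the filter receives it verbatim.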
@@ -919,42 +955,6 @@ function convert_chars($content, $deprecated = '') {
 return $content;
 }
-/**
- * Callback used to change %uXXXX to &#YYY; syntax
- *
- * @since 2.8?
- *
- * @param array $matches Single Match
- * @return string An HTML entity
- */
-function funky_javascript_callback($matches) {
- return "&#".base_convert($matches[1],16,10).";";
-}
-
-/**
- * Fixes javascript bugs in browsers.
- *
- * Converts unicode characters to HTML numbered entities.
- *
- * @since 1.5.0
- * @uses $is_macIE
- * @uses $is_winIE
- *
- * @param string $text Text to be made safe.
- * @return string Fixed text.
- */
-function funky_javascript_fix($text) {
- // Fixes for browsers' javascript bugs
- global $is_macIE, $is_winIE;
-
- if ( $is_winIE || $is_macIE )
- $text = preg_replace_callback("/\%u([0-9A-F]{4,4})/",
- "funky_javascript_callback",
- $text);
-
- return $text;
-}
-
 /**
 * Will only balance the tags if forced to and the option is set to balance tags.
 *
@@ -993,19 +993,22 @@ function balanceTags( $text, $force = false ) { * @return string Balanced text. */ function force_balance_tags( $text ) { - $tagstack = array(); $stacksize = 0; $tagqueue = ''; $newtext = ''; - $single_tags = array('br', 'hr', 'img', 'input'); //Known single-entity/self-closing tags - $nestable_tags = array('blockquote', 'div', 'span'); //Tags that can be immediately nested within themselves - - # WP bug fix for comments - in case you REALLY meant to type '< !--' + $tagstack = array(); + $stacksize = 0; + $tagqueue = ''; + $newtext = ''; + $single_tags = array('br', 'hr', 'img', 'input'); // Known single-entity/self-closing tags + $nestable_tags = array('blockquote', 'div', 'span'); // Tags that can be immediately nested within themselves + + // WP bug fix for comments - in case you REALLY meant to type '< !--' $text = str_replace('< !--', '< !--', $text); - # WP bug fix for LOVE <3 (and other situations with '<' before a number) + // WP bug fix for LOVE <3 (and other situations with '<' before a number) $text = preg_replace('#<([0-9]{1})#', '<$1', $text); - while (preg_match("/<(\/?\w*)\s*([^>]*)>/",$text,$regex)) { + while ( preg_match("/<(\/?[\w:]*)\s*([^>]*)>/", $text, $regex) ) { $newtext .= $tagqueue; - $i = strpos($text,$regex[0]); + $i = strpos($text, $regex[0]); $l = strlen($regex[0]); // clear the shifter 
@@ -1014,22 +1017,22 @@ function force_balance_tags( $text ) { if ( isset($regex[1][0]) && '/' == $regex[1][0] ) { // End Tag $tag = strtolower(substr($regex[1],1)); // if too many closing tags - if($stacksize <= 0) { + if( $stacksize <= 0 ) { $tag = ''; - //or close to be safe $tag = '/' . $tag; + // or close to be safe $tag = '/' . $tag; } // if stacktop value = tag close value then pop - else if ($tagstack[$stacksize - 1] == $tag) { // found closing tag + else if ( $tagstack[$stacksize - 1] == $tag ) { // found closing tag $tag = ''; // Close Tag // Pop - array_pop ($tagstack); + array_pop( $tagstack ); $stacksize--; } else { // closing tag not at top, search for it - for ($j=$stacksize-1;$j>=0;$j--) { - if ($tagstack[$j] == $tag) { + for ( $j = $stacksize-1; $j >= 0; $j-- ) { + if ( $tagstack[$j] == $tag ) { // add tag to tagqueue - for ($k=$stacksize-1;$k>=$j;$k--){ - $tagqueue .= ''; + for ( $k = $stacksize-1; $k >= $j; $k--) { + $tagqueue .= ''; $stacksize--; } break; @@ -1043,14 +1046,15 @@ function force_balance_tags( $text ) { // Tag Cleaning // If self-closing or '', don't do anything. - if((substr($regex[2],-1) == '/') || ($tag == '')) { + if ( substr($regex[2],-1) == '/' || $tag == '' ) { + // do nothing } // ElseIf it's a known single-entity tag but it doesn't close itself, do so elseif ( in_array($tag, $single_tags) ) { $regex[2] .= '/'; } else { // Push the tag onto the stack // If the top of the stack is the same as the tag we want to push, close previous tag - if (($stacksize > 0) && !in_array($tag, $nestable_tags) && ($tagstack[$stacksize - 1] == $tag)) { + if ( $stacksize > 0 && !in_array($tag, $nestable_tags) && $tagstack[$stacksize - 1] == $tag ) { $tagqueue = ''; $stacksize--; } 
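Review bot: The reformatted comparisons still use loose `==` — `$tagstack[$stacksize - 1] == $tag`, `$tagstack[$j] == $tag`, `$tag == ''` — and `in_array($tag, $single_tags)` without a strict flag; `$tag` appears to always be a lowercased string here, so `===` and `in_array( $tag, $single_tags, true )` are equivalent and remove the implicit conversions. The reindented `// or close to be safe $tag = '/' . $tag;` is commented-out code and should be deleted rather than restyled. The `$tagqueue .= '';` line inside the inner `for` looks truncated in this rendering (presumably the closing-tag string was lost), so I could not check it. Both hunks are inside `force_balance_tags()`, which starts and ends outside them.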
@@ -1059,18 +1063,18 @@ function force_balance_tags( $text ) { // Attributes $attributes = $regex[2]; - if($attributes) { + if( !empty($attributes) ) $attributes = ' '.$attributes; - } - $tag = '<'.$tag.$attributes.'>'; + + $tag = '<' . $tag . $attributes . '>'; //If already queuing a close tag, then put this tag on, too - if ($tagqueue) { + if ( !empty($tagqueue) ) { $tagqueue .= $tag; $tag = ''; } } - $newtext .= substr($text,0,$i) . $tag; - $text = substr($text,$i+$l); + $newtext .= substr($text, 0, $i) . $tag; + $text = substr($text, $i + $l); } // Clear Tag Queue @@ -1080,9 +1084,8 @@ function force_balance_tags( $text ) { $newtext .= $text; // Empty Stack - while($x = array_pop($tagstack)) { + while( $x = array_pop($tagstack) ) $newtext .= ''; // Add remaining tags to close - } // WP fix for the bug with HTML comments $newtext = str_replace("< !--","
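Review bot: `if( !empty($attributes) )` is not a tightening of the old `if($attributes)`: `empty()` has the same falsy rules, so an attribute string of `'0'` is still silently dropped from the rebuilt tag. Since `$attributes` comes from `$regex[2]` and is always a string, `if ( '' !== $attributes )` is the precise test; the same applies to `!empty($tagqueue)` a few lines down. Dropping the braces on that `if` while a blank `+` line follows it also makes the body easy to misread; keeping `{ }` costs nothing.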