X-Git-Url: https://scripts.mit.edu/gitweb/autoinstalls/wordpress.git/blobdiff_plain/959f97d8ecd5c1668103a3e41c795486b944bc68..8a06f4f9392d1ac373442f82ee40428a3cb81395:/wp-includes/kses.php?ds=sidebyside
diff --git a/wp-includes/kses.php b/wp-includes/kses.php
index ae37fc26..c7538b98 100644
--- a/wp-includes/kses.php
+++ b/wp-includes/kses.php
@@ -182,8 +182,10 @@ if (!CUSTOM_TAGS) {
 'class' => array (),
 'dir' => array (),
 'align' => array (),
+ 'lang' => array (),
 'style' => array (),
- 'title' => array ()),
+ 'title' => array (),
+ 'xml:lang' => array()),
 'strike' => array(),
 'strong' => array(),
 'sub' => array(),
@@ -429,6 +431,10 @@ function wp_kses_split2($string, $allowed_html, $allowed_protocols) {
 $string = $newstring;
 if ( $string == '' ) return '';
+ // prevent multiple dashes in comments
+ $string = preg_replace('/--+/', '-', $string);
+ // prevent three dashes closing a comment
+ $string = preg_replace('/-$/', '', $string);
 return "";
 } # Allow HTML comments
@@ -531,7 +537,8 @@ function wp_kses_attr($element, $attr, $allowed_html, $allowed_protocols) {
 * input. It will add quotes around attribute values that don't have any quotes
 * or apostrophes around them, to make it easier to produce HTML code that will
 * conform to W3C's HTML specification. It will also remove bad URL protocols
- * from attribute values.
+ * from attribute values. It also reduces duplicate attributes by using the
+ * attribute defined first (foo='bar' foo='baz' will result in foo='bar').
 *
 * @since 1.0.0
 *
@@ -574,7 +581,9 @@ function wp_kses_hair($attr, $allowed_protocols) {
 {
 $working = 1;
 $mode = 0;
- $attrarr[] = array ('name' => $attrname, 'value' => '', 'whole' => $attrname, 'vless' => 'y');
+ if(FALSE === array_key_exists($attrname, $attrarr)) {
+ $attrarr[$attrname] = array ('name' => $attrname, 'value' => '', 'whole' => $attrname, 'vless' => 'y');
+ }
 $attr = preg_replace('/^\s+/', '', $attr);
 }
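Review bot: The new `'xml:lang' => array()` entry only takes effect if the attribute-name parser in `wp_kses_hair` can yield a name containing a colon; that parser's name pattern is outside this hunk, so please confirm it admits `:` — if it only admits letters and dashes, `xml:lang` can never be matched and the entry is dead. The element this attribute list belongs to is also outside the hunk; a short comment above the list naming that element would help readers of the allow-list. Minor style: `array()` here differs from the `array ()` spelling of its neighbours in the same list.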
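Review bot: The trailing-dash strip `preg_replace('/-$/', '', $string)` only works because the preceding `--+` collapse guarantees at most one trailing dash, and `$` without the `D` modifier also matches before a final newline; `rtrim($string, '-')` states the intent directly and depends on neither. The two comments say what is done but not why — one comment such as `// an HTML comment body may not contain "--" and must not end in "-", or it could terminate the comment early` would record the invariant these two lines establish. The `return "";` line as shown on this page appears to have lost its comment delimiters in rendering, so the re-wrapping it presumably performs cannot be checked here. `wp_kses_split2` begins and ends outside the hunk.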
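Review bot: The added docblock sentence describes the deduplication but not the accompanying shape change: `wp_kses_hair` now returns an array keyed by attribute name instead of a numerically indexed list, which any caller using positional indexes would notice. Suggest adding ` * The returned array is keyed by attribute name; each entry has 'name', 'value', 'whole' and 'vless' keys.` to the docblock. It would also be worth stating that the first-wins rule compares names exactly as captured, so unless `$attrname` is normalised where it is captured (outside this hunk) it applies only to identically spelled duplicates. The rest of this docblock and the function it documents are outside the hunk.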
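Review bot: `array_key_exists($attrname, $attrarr)` is case-sensitive, so `foo='bar' FOO='baz'` keeps both attributes unless `$attrname` is lower-cased where it is captured (outside this hunk); HTML attribute names are case-insensitive, so a browser would still see a duplicate and the docblock's first-wins guarantee would not hold for such input. If no normalisation happens upstream, keying the guard and the assignment with `strtolower($attrname)` (or lower-casing once at capture) closes that gap. The same guard-and-assign block is repeated verbatim in the hunks at 587, 599, 611 and 628; a small private helper taking the name and the entry would keep the five sites in step. Style: `if(FALSE === array_key_exists(...))` reads more naturally as `if (!array_key_exists($attrname, $attrarr))`. The enclosing switch/while of `wp_kses_hair` starts and ends outside the hunk.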
@@ -587,7 +596,9 @@ function wp_kses_hair($attr, $allowed_protocols) {
 {
 $thisval = wp_kses_bad_protocol($match[1], $allowed_protocols);
- $attrarr[] = array ('name' => $attrname, 'value' => $thisval, 'whole' => "$attrname=\"$thisval\"", 'vless' => 'n');
+ if(FALSE === array_key_exists($attrname, $attrarr)) {
+ $attrarr[$attrname] = array ('name' => $attrname, 'value' => $thisval, 'whole' => "$attrname=\"$thisval\"", 'vless' => 'n');
+ }
 $working = 1;
 $mode = 0;
 $attr = preg_replace('/^"[^"]*"(\s+|$)/', '', $attr);
@@ -599,7 +610,9 @@ function wp_kses_hair($attr, $allowed_protocols) {
 {
 $thisval = wp_kses_bad_protocol($match[1], $allowed_protocols);
- $attrarr[] = array ('name' => $attrname, 'value' => $thisval, 'whole' => "$attrname='$thisval'", 'vless' => 'n');
+ if(FALSE === array_key_exists($attrname, $attrarr)) {
+ $attrarr[$attrname] = array ('name' => $attrname, 'value' => $thisval, 'whole' => "$attrname='$thisval'", 'vless' => 'n');
+ }
 $working = 1;
 $mode = 0;
 $attr = preg_replace("/^'[^']*'(\s+|$)/", '', $attr);
@@ -611,7 +624,9 @@ function wp_kses_hair($attr, $allowed_protocols) {
 {
 $thisval = wp_kses_bad_protocol($match[1], $allowed_protocols);
- $attrarr[] = array ('name' => $attrname, 'value' => $thisval, 'whole' => "$attrname=\"$thisval\"", 'vless' => 'n');
+ if(FALSE === array_key_exists($attrname, $attrarr)) {
+ $attrarr[$attrname] = array ('name' => $attrname, 'value' => $thisval, 'whole' => "$attrname=\"$thisval\"", 'vless' => 'n');
+ }
 # We add quotes to conform to W3C's HTML spec.
 $working = 1;
 $mode = 0;
@@ -628,10 +643,10 @@ function wp_kses_hair($attr, $allowed_protocols) {
 }
 } # while
- if ($mode == 1)
+ if ($mode == 1 && FALSE === array_key_exists($attrname, $attrarr))
 # special case, for when the attribute list ends with a valueless
 # attribute like "selected"
- $attrarr[] = array ('name' => $attrname, 'value' => '', 'whole' => $attrname, 'vless' => 'y');
+ $attrarr[$attrname] = array ('name' => $attrname, 'value' => '', 'whole' => $attrname, 'vless' => 'y');
 return $attrarr;
 }
@@ -1050,4 +1065,4 @@ function kses_init() {
 add_action('init', 'kses_init');
 add_action('set_current_user', 'kses_init');
-?>
\ No newline at end of file
+?>
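Review bot: The widened condition `if ($mode == 1 && FALSE === array_key_exists($attrname, $attrarr))` is followed by two comment lines and an unbraced body, which makes it easy to misread which statement the now two-clause condition governs; wrapping the assignment in braces with the comment inside, `if ($mode == 1 && !array_key_exists($attrname, $attrarr)) { … }`, makes the scope explicit. This guard shares the key case-sensitivity concern raised on the hunk at 574 and is not repeated here. `wp_kses_hair` starts outside the hunk.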