X-Git-Url: https://scripts.mit.edu/gitweb/autoinstallsdev/wordpress.git/blobdiff_plain/256a3b381f63716209b3527d0a14442ae570c283..874d2a2f468a0d1e69aab49b1fe2d9d79d3e1142:/wp-includes/kses.php

diff --git a/wp-includes/kses.php b/wp-includes/kses.php
index 531e6efe..6696161c 100644
--- a/wp-includes/kses.php
+++ b/wp-includes/kses.php
@@ -44,6 +44,10 @@
 if ( ! defined( 'CUSTOM_TAGS' ) )
 	define( 'CUSTOM_TAGS', false );
 
+// Ensure that these variables are added to the global namespace
+// (e.g. if using namespaces / autoload in the current PHP environment).
+global $allowedposttags, $allowedtags, $allowedentitynames;
+
 if ( ! CUSTOM_TAGS ) {
 	/**
 	 * Kses global for default allowable HTML tags.
@@ -119,6 +123,7 @@ if ( ! CUSTOM_TAGS ) {
 			'datetime' => true,
 		),
 		'dd' => array(),
+		'dfn' => array(),
 		'details' => array(
 			'align' => true,
 			'dir' => true,
@@ -235,6 +240,7 @@ if ( ! CUSTOM_TAGS ) {
 		'map' => array(
 			'name' => true,
 		),
+		'mark' => array(),
 		'menu' => array(
 			'type' => true,
 		),
@@ -257,6 +263,7 @@ if ( ! CUSTOM_TAGS ) {
 			'cite' => true,
 		),
 		's' => array(),
+		'samp' => array(),
 		'span' => array(
 			'dir' => true,
 			'align' => true,
@@ -498,27 +505,42 @@ function wp_kses( $string, $allowed_html, $allowed_protocols = array() ) {
 function wp_kses_allowed_html( $context = '' ) {
 	global $allowedposttags, $allowedtags, $allowedentitynames;
 
-	if ( is_array( $context ) )
+	if ( is_array( $context ) ) {
+		/**
+		 * Filter HTML elements allowed for a given context.
+		 *
+		 * @since 3.5.0
+		 *
+		 * @param string $tags    Allowed tags, attributes, and/or entities.
+		 * @param string $context Context to judge allowed tags by. Allowed values are 'post',
+		 *                        'data', 'strip', 'entities', 'explicit', or the name of a filter.
+		 */
 		return apply_filters( 'wp_kses_allowed_html', $context, 'explicit' );
+	}
 
 	switch ( $context ) {
 		case 'post':
+			/** This filter is documented in wp-includes/kses.php */
 			return apply_filters( 'wp_kses_allowed_html', $allowedposttags, $context );
 			break;
 		case 'user_description':
 		case 'pre_user_description':
 			$tags = $allowedtags;
 			$tags['a']['rel'] = true;
+			/** This filter is documented in wp-includes/kses.php */
 			return apply_filters( 'wp_kses_allowed_html', $tags, $context );
 			break;
 		case 'strip':
+			/** This filter is documented in wp-includes/kses.php */
 			return apply_filters( 'wp_kses_allowed_html', array(), $context );
 			break;
 		case 'entities':
+			/** This filter is documented in wp-includes/kses.php */
 			return apply_filters( 'wp_kses_allowed_html', $allowedentitynames, $context);
 			break;
 		case 'data':
 		default:
+			/** This filter is documented in wp-includes/kses.php */
 			return apply_filters( 'wp_kses_allowed_html', $allowedtags, $context );
 	}
 }
@@ -537,7 +559,16 @@ function wp_kses_allowed_html( $context = '' ) {
  * @return string Filtered content through 'pre_kses' hook
  */
 function wp_kses_hook( $string, $allowed_html, $allowed_protocols ) {
-	$string = apply_filters('pre_kses', $string, $allowed_html, $allowed_protocols);
+	/**
+	 * Filter content to be run through kses.
+	 *
+	 * @since 2.3.0
+	 *
+	 * @param string $string            Content to run through kses.
+	 * @param array  $allowed_html      Allowed HTML elements.
+	 * @param array  $allowed_protocols Allowed protocol in links.
+	 */
+	$string = apply_filters( 'pre_kses', $string, $allowed_html, $allowed_protocols );
 	return $string;
 }
 
@@ -760,10 +791,10 @@ function wp_kses_hair($attr, $allowed_protocols) {
 		switch ($mode) {
 			case 0 : # attribute name, href for instance
 
-				if (preg_match('/^([-a-zA-Z]+)/', $attr, $match)) {
+				if ( preg_match('/^([-a-zA-Z:]+)/', $attr, $match ) ) {
 					$attrname = $match[1];
 					$working = $mode = 1;
-					$attr = preg_replace('/^[-a-zA-Z]+/', '', $attr);
+					$attr = preg_replace( '/^[-a-zA-Z:]+/', '', $attr );
 				}
 
 				break;
@@ -960,7 +991,9 @@ function wp_kses_bad_protocol($string, $allowed_protocols) {
 }
 
 /**
- * Removes any null characters in $string.
+ * Removes any invalid control characters in $string.
+ *
+ * Also removes any instance of the '\0' string.
  *
  * @since 1.0.0
  *
@@ -968,7 +1001,7 @@ function wp_kses_bad_protocol($string, $allowed_protocols) {
  * @return string
  */
 function wp_kses_no_null($string) {
-	$string = preg_replace('/\0+/', '', $string);
+	$string = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $string);
 	$string = preg_replace('/(\\\\0)+/', '', $string);
 
 	return $string;
@@ -1407,10 +1440,18 @@ function safecss_filter_attr( $css, $deprecated = '' ) {
 	$css = wp_kses_no_null($css);
 	$css = str_replace(array("\n","\r","\t"), '', $css);
 
-	if ( preg_match( '%[\\(&=}]|/\*%', $css ) ) // remove any inline css containing \ ( & } = or comments
+	if ( preg_match( '%[\\\\(&=}]|/\*%', $css ) ) // remove any inline css containing \ ( & } = or comments
 		return '';
 
 	$css_array = explode( ';', trim( $css ) );
+
+	/**
+	 * Filter list of allowed CSS attributes.
+	 *
+	 * @since 2.8.1
+	 *
+	 * @param array $attr List of allowed CSS attributes.
+	 */
 	$allowed_attr = apply_filters( 'safe_style_css', array( 'text-align', 'margin', 'color', 'float',
 	'border', 'background', 'background-color', 'border-bottom', 'border-bottom-color',
 	'border-bottom-style', 'border-bottom-width', 'border-collapse', 'border-color', 'border-left',
@@ -1464,6 +1505,7 @@ function _wp_add_global_attributes( $value ) {
 		'id' => true,
 		'style' => true,
 		'title' => true,
+		'role' => true,
 	);
 
 	if ( true === $value )