WordPress-C
/
WordPress
mirror of https://github.com/WordPress/WordPress.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

KSES: Conditionally remove the `<form>` element from `$allowedposttags`. 

To avoid backwards compatibility issues, `<form>` is re-added if a custom filter has added the `<input>` or `<select>` elements to `$allowedposttags`.

Merges [43994] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@44008


git-svn-id: http://core.svn.wordpress.org/branches/4.2@43838 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Gary Pendergast 2018-12-12 23:40:39 +00:00
parent f91b78ec58
commit 0e98d850b9
1 changed files with 22 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
wp-includes/kses.php
View File

@ -180,15 +180,6 @@ if ( ! CUSTOM_TAGS ) {
'lang' => true, 'lang' => true,
'xml:lang' => true, 'xml:lang' => true,
), ),
'form' => array(
'action' => true,
'accept' => true,
'accept-charset' => true,
'enctype' => true,
'method' => true,
'name' => true,
'target' => true,
),
'h1' => array( 'h1' => array(
'align' => true, 'align' => true,
), ),
@ -608,6 +599,7 @@ function wp_kses_one_attr( $string, $element ) {
* Return a list of allowed tags and attributes for a given context. * Return a list of allowed tags and attributes for a given context.
* *
* @since 3.5.0 * @since 3.5.0
* @since 5.0.1 `form` removed as allowable HTML tag.
* *
* @param string $context The context for which to retrieve tags. Allowed values are * @param string $context The context for which to retrieve tags. Allowed values are
* post | strip | data | entities or the name of a field filter such as pre_user_description. * post | strip | data | entities or the name of a field filter such as pre_user_description.
@ -632,7 +624,27 @@ function wp_kses_allowed_html( $context = '' ) {
switch ( $context ) { switch ( $context ) {
case 'post': case 'post':
/** This filter is documented in wp-includes/kses.php */ /** This filter is documented in wp-includes/kses.php */
return apply_filters( 'wp_kses_allowed_html', $allowedposttags, $context ); $tags = apply_filters( 'wp_kses_allowed_html', $allowedposttags, $context );
// 5.0.1 removed the `<form>` tag, allow it if a filter is allowing it's sub-elements `<input>` or `<select>`.
if ( ! CUSTOM_TAGS && ! isset( $tags['form'] ) && ( isset( $tags['input'] ) || isset( $tags['select'] ) ) ) {
$tags = $allowedposttags;
$tags['form'] = array(
'action' => true,
'accept' => true,
'accept-charset' => true,
'enctype' => true,
'method' => true,
'name' => true,
'target' => true,
);
/** This filter is documented in wp-includes/kses.php */
$tags = apply_filters( 'wp_kses_allowed_html', $tags, $context );
}
return $tags;
case 'user_description': case 'user_description':
case 'pre_user_description': case 'pre_user_description':