Do SimplePie sanitization with wp_kses_post() rather than DOMDocument, which cannot be guaranteed to be available.

Overrides SimplePie_Sanitize with WP_SimplePie_Sanitize_KSES.

props markjaquith, rmccue.
see #21990.



git-svn-id: http://core.svn.wordpress.org/trunk@22811 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-includes/class-feed.php

@@ -92,3 +92,38 @@ class WP_SimplePie_File extends SimplePie_File {
 		}
 	}
 }
+
+/**
+ * WordPress SimplePie Sanitization Class
+ *
+ * Extension of the SimplePie_Sanitize class to use KSES, because
+ * we cannot universally count on DOMDocument being available
+ *
+ * @package WordPress
+ * @since 3.5.0
+ */
+class WP_SimplePie_Sanitize_KSES extends SimplePie_Sanitize {
+	public function sanitize( $data, $type, $base = '' ) {
+		$data = trim( $data );
+		if ( $type & SIMPLEPIE_CONSTRUCT_MAYBE_HTML ) {
+			if (preg_match('/(&(#(x[0-9a-fA-F]+|[0-9]+)|[a-zA-Z0-9]+)|<\/[A-Za-z][^\x09\x0A\x0B\x0C\x0D\x20\x2F\x3E]*' . SIMPLEPIE_PCRE_HTML_ATTRIBUTE . '>)/', $data)) {
+				$type |= SIMPLEPIE_CONSTRUCT_HTML;
+			}
+			else {
+				$type |= SIMPLEPIE_CONSTRUCT_TEXT;
+			}
+		}
+		if ( $type & SIMPLEPIE_CONSTRUCT_BASE64 ) {
+			$data = base64_decode( $data );
+		}
+		if ( $type & ( SIMPLEPIE_CONSTRUCT_HTML | SIMPLEPIE_CONSTRUCT_XHTML ) ) {
+			$data = wp_kses_post( $data );
+			if ( $this->output_encoding !== 'UTF-8' ) {
+				$data = $this->registry->call( 'Misc', 'change_encoding', array( $data, 'UTF-8', $this->output_encoding ) );
+			}
+			return $data;
+		} else {
+			return parent::sanitize( $data, $type, $base );
+		}
+	}
+}

wp-includes/feed.php

@@ -528,6 +528,11 @@ function fetch_feed($url) {
 
 	$feed = new SimplePie();
 
+	$feed->set_sanitize_class( 'WP_SimplePie_Sanitize_KSES' );
+	// We must manually overwrite $feed->sanitize because SimplePie's
+	// constructor sets it before we have a chance to set the sanitization class
+	$feed->sanitize = new WP_SimplePie_Sanitize_KSES();
+
 	$feed->set_cache_class( 'WP_Feed_Cache' );
 	$feed->set_file_class( 'WP_SimplePie_File' );