KSES: Conditionally remove the `<form>` element from `$allowedposttags`.

To avoid backwards compatibility issues, `<form>` is re-added if a custom filter has added the `<input>` or `<select>` elements to `$allowedposttags`.

Merges [43994] to the 4.1 branch.


Built from https://develop.svn.wordpress.org/branches/4.1@44013


git-svn-id: http://core.svn.wordpress.org/branches/4.1@43843 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Gary Pendergast 2018-12-12 23:52:17 +00:00
parent 9ba26aa950
commit 1a074d093a
1 changed files with 22 additions and 11 deletions

View File

@ -180,15 +180,6 @@ if ( ! CUSTOM_TAGS ) {
'lang' => true, 'lang' => true,
'xml:lang' => true, 'xml:lang' => true,
), ),
'form' => array(
'action' => true,
'accept' => true,
'accept-charset' => true,
'enctype' => true,
'method' => true,
'name' => true,
'target' => true,
),
'h1' => array( 'h1' => array(
'align' => true, 'align' => true,
), ),
@ -607,6 +598,7 @@ function wp_kses_one_attr( $string, $element ) {
* Return a list of allowed tags and attributes for a given context. * Return a list of allowed tags and attributes for a given context.
* *
* @since 3.5.0 * @since 3.5.0
* @since 5.0.1 `form` removed as allowable HTML tag.
* *
* @param string $context The context for which to retrieve tags. Allowed values are * @param string $context The context for which to retrieve tags. Allowed values are
* post | strip | data | entities or the name of a field filter such as pre_user_description. * post | strip | data | entities or the name of a field filter such as pre_user_description.
@ -631,8 +623,27 @@ function wp_kses_allowed_html( $context = '' ) {
switch ( $context ) { switch ( $context ) {
case 'post': case 'post':
/** This filter is documented in wp-includes/kses.php */ /** This filter is documented in wp-includes/kses.php */
return apply_filters( 'wp_kses_allowed_html', $allowedposttags, $context ); $tags = apply_filters( 'wp_kses_allowed_html', $allowedposttags, $context );
break;
// 5.0.1 removed the `<form>` tag, allow it if a filter is allowing it's sub-elements `<input>` or `<select>`.
if ( ! CUSTOM_TAGS && ! isset( $tags['form'] ) && ( isset( $tags['input'] ) || isset( $tags['select'] ) ) ) {
$tags = $allowedposttags;
$tags['form'] = array(
'action' => true,
'accept' => true,
'accept-charset' => true,
'enctype' => true,
'method' => true,
'name' => true,
'target' => true,
);
/** This filter is documented in wp-includes/kses.php */
$tags = apply_filters( 'wp_kses_allowed_html', $tags, $context );
}
return $tags;
case 'user_description': case 'user_description':
case 'pre_user_description': case 'pre_user_description':
$tags = $allowedtags; $tags = $allowedtags;