WordPress-C
/
WordPress
mirror of https://github.com/WordPress/WordPress.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Privacy: Be less restrictive of the HTML tags allowed in user data exports. 

Previously, only `a` and `br` tags were allowed in the `value` table cell for each field included in the HTML file generated when a user is exporting their personal data. Instead of relying on a hardcoded list of allowed tags, the `wp_kses()` call in `wp_privacy_generate_personal_data_export_group_html()` will now fallback to the default list of allowed tags (which includes `i`, `strong`, `em`, and other basic HTML formatting tags).

Also, a new context of `personal_data_export` will now be passed to the `wp_kses()` call. As a result, the list of HTML tags and attributes allowed in the export file can now be filtered using the `wp_kses_allowed_html` filter and checking for the `personal_data_export` context.

Fixes #44044.
Props tz-media, desrosj, pento, birgire, garrett-eclipse.
Built from https://develop.svn.wordpress.org/trunk@44824


git-svn-id: http://core.svn.wordpress.org/trunk@44656 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
desrosj 2019-03-08 22:05:53 +00:00
parent 175f825ec8
commit 26ab5fcee1
2 changed files with 4 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
wp-admin/includes/file.php
View File

@ -1956,17 +1956,7 @@ function wp_print_request_filesystem_credentials_modal() {
* @return string The HTML for this group and its items.
*/
function wp_privacy_generate_personal_data_export_group_html( $group_data ) {
$allowed_tags = array(
'a' => array(
'href' => array(),
'target' => array(),
),
'br' => array(),
);
$allowed_protocols = array( 'http', 'https' );
$group_html = '';
$group_html .= '<h2>' . esc_html( $group_data['group_label'] ) . '</h2>';
$group_html = '<h2>' . esc_html( $group_data['group_label'] ) . '</h2>';
$group_html .= '<div>';
foreach ( (array) $group_data['items'] as $group_item_id => $group_item_data ) {
@ -1975,14 +1965,14 @@ function wp_privacy_generate_personal_data_export_group_html( $group_data ) {
foreach ( (array) $group_item_data as $group_item_datum ) {
$value = $group_item_datum['value'];
// If it looks like a link, make it a link
// If it looks like a link, make it a link.
if ( false === strpos( $value, ' ' ) && ( 0 === strpos( $value, 'http://' ) || 0 === strpos( $value, 'https://' ) ) ) {
$value = '<a href="' . esc_url( $value ) . '">' . esc_html( $value ) . '</a>';
}
$group_html .= '<tr>';
$group_html .= '<th>' . esc_html( $group_item_datum['name'] ) . '</th>';
$group_html .= '<td>' . wp_kses( $value, $allowed_tags, $allowed_protocols ) . '</td>';
$group_html .= '<td>' . wp_kses( $value, 'personal_data_export' ) . '</td>';
$group_html .= '</tr>';
}

2
wp-includes/version.php
View File

@ -13,7 +13,7 @@
*
* @global string $wp_version
*/
$wp_version = '5.2-alpha-44823';
$wp_version = '5.2-alpha-44824';
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.