From 296684d9cf58965d81b81acc1b63ef08c7cddf77 Mon Sep 17 00:00:00 2001
From: Andrew Nacin
Date: Tue, 22 Jan 2013 15:37:36 +0000
Subject: [PATCH] Verify tags used in the gallery shortcode.

git-svn-id: http://core.svn.wordpress.org/branches/3.5@23317 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/media.php | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/wp-includes/media.php b/wp-includes/media.php
index 1582f6a897..d664e0735c 100644
--- a/wp-includes/media.php
+++ b/wp-includes/media.php
@@ -735,6 +735,15 @@ function gallery_shortcode($attr) {
 $itemtag = tag_escape($itemtag);
 $captiontag = tag_escape($captiontag);
+ $icontag = tag_escape($icontag);
+ $valid_tags = wp_kses_allowed_html( 'post' );
+ if ( ! isset( $valid_tags[ $itemtag ] ) )
+ $itemtag = 'dl';
+ if ( ! isset( $valid_tags[ $captiontag ] ) )
+ $captiontag = 'dd';
+ if ( ! isset( $valid_tags[ $icontag ] ) )
+ $icontag = 'dt';
+
 $columns = intval($columns);
 $itemwidth = $columns > 0 ? floor(100/$columns) : 100;
 $float = is_rtl() ? 'right' : 'left';
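Review bot: The allowlist consulted by the three new `isset( $valid_tags[ ... ] )` checks is the full `wp_kses_allowed_html( 'post' )` set, so any element permitted in post content is accepted as the gallery item, icon or caption wrapper, not only container-like elements; that set also appears to be filterable, so the accepted tags can differ per site. If that breadth is intended, say so in a comment above the block, e.g. `// tag_escape() only strips characters; also require each tag to be one kses allows in post content, else fall back to dl/dt/dd.` The fallback is silent, so a test that passes an unlisted tag and asserts the `dl`/`dt`/`dd` output would pin the behaviour. `gallery_shortcode()` starts and ends outside this hunk, so how `$itemtag`, `$captiontag` and `$icontag` are populated and later emitted is not visible here.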