KSES: Allow attributes to be restricted via callbacks.
Add callback validation to HTML tag attributes for increased flexibility over an array of values only. In `object` tags, validate the `data` attribute via a callback to ensure it is a PDF and matches the `type` attribute. This prevents mime type mismatches in browsers. Follow up to [51963]. Props Pento, dd32, swissspidy, xknown, peterwilsoncc. Fixes #54261. Built from https://develop.svn.wordpress.org/trunk@52304 git-svn-id: http://core.svn.wordpress.org/trunk@51896 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Peter Wilson
parent
8d723966d0
commit
2d944ca1d9
|
|
@ -272,7 +272,10 @@ if ( ! CUSTOM_TAGS ) {
|
|||
'xml:lang' => true,
|
||||
),
|
||||
'object' => array(
|
||||
'data' => true,
|
||||
'data' => array(
|
||||
'required' => true,
|
||||
'value_callback' => '_wp_kses_allow_pdf_objects',
|
||||
),
|
||||
'type' => array(
|
||||
'required' => true,
|
||||
'values' => array( 'application/pdf' ),
|
||||
|
|
@ -1661,6 +1664,17 @@ function wp_kses_check_attr_val( $value, $vless, $checkname, $checkvalue ) {
|
|||
$ok = false;
|
||||
}
|
||||
break;
|
||||
|
||||
case 'value_callback':
|
||||
/*
|
||||
* The value_callback check is used when you want to make sure that the attribute
|
||||
* value is accepted by the callback function.
|
||||
*/
|
||||
|
||||
if ( ! call_user_func( $checkvalue, $value ) ) {
|
||||
$ok = false;
|
||||
}
|
||||
break;
|
||||
} // End switch.
|
||||
|
||||
return $ok;
|
||||
|
|
@ -2566,3 +2580,34 @@ function _wp_add_global_attributes( $value ) {
|
|||
|
||||
return $value;
|
||||
}
|
||||
|
||||
/**
|
||||
* Helper function to check if this is a safe PDF URL.
|
||||
*
|
||||
* @since 5.9.0
|
||||
* @access private
|
||||
* @ignore
|
||||
*
|
||||
* @param string $url The URL to check.
|
||||
* @return bool True if the URL is safe, false otherwise.
|
||||
*/
|
||||
function _wp_kses_allow_pdf_objects( $value ) {
|
||||
// We're not interested in URLs that contain query strings or fragments.
|
||||
if ( strpos( $value, '?' ) !== false || strpos( $value, '#' ) !== false ) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// If it doesn't have a PDF extension, it's not safe.
|
||||
if ( 0 !== substr_compare( $value, '.pdf', -4, 4, true ) ) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// If the URL host matches the current site's media URL, it's safe.
|
||||
$upload_info = wp_upload_dir( null, false );
|
||||
$upload_host = wp_parse_url( $upload_info['url'], PHP_URL_HOST );
|
||||
if ( 0 === strpos( $value, "http://$upload_host/" ) || 0 === strpos( $value, "https://$upload_host/" ) ) {
|
||||
return true;
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -16,7 +16,7 @@
|
|||
*
|
||||
* @global string $wp_version
|
||||
*/
|
||||
$wp_version = '5.9-beta1-52303';
|
||||
$wp_version = '5.9-beta1-52304';
|
||||
|
||||
/**
|
||||
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
|
||||
|
|
|
|||
Loading…
Reference in New Issue