KSES: Allow attributes to be restricted via callbacks.
Add callback validation to HTML tag attributes for increased flexibility over an array of values only. In `object` tags, validate the `data` attribute via a callback to ensure it is a PDF and matches the `type` attribute. This prevents mime type mismatches in browsers. Follow up to [51963]. Props Pento, dd32, swissspidy, xknown, peterwilsoncc. Fixes #54261. Built from https://develop.svn.wordpress.org/trunk@52304 git-svn-id: http://core.svn.wordpress.org/trunk@51896 1a063a9b-81f0-0310-95a4-ce76da25c4cd
parent
8d723966d0
commit
2d944ca1d9
|
@ -272,7 +272,10 @@ if ( ! CUSTOM_TAGS ) {
|
||||||
'xml:lang' => true,
|
'xml:lang' => true,
|
||||||
),
|
),
|
||||||
'object' => array(
|
'object' => array(
|
||||||
'data' => true,
|
'data' => array(
|
||||||
|
'required' => true,
|
||||||
|
'value_callback' => '_wp_kses_allow_pdf_objects',
|
||||||
|
),
|
||||||
'type' => array(
|
'type' => array(
|
||||||
'required' => true,
|
'required' => true,
|
||||||
'values' => array( 'application/pdf' ),
|
'values' => array( 'application/pdf' ),
|
||||||
|
@ -1661,6 +1664,17 @@ function wp_kses_check_attr_val( $value, $vless, $checkname, $checkvalue ) {
|
||||||
$ok = false;
|
$ok = false;
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
|
case 'value_callback':
|
||||||
|
/*
|
||||||
|
* The value_callback check is used when you want to make sure that the attribute
|
||||||
|
* value is accepted by the callback function.
|
||||||
|
*/
|
||||||
|
|
||||||
|
if ( ! call_user_func( $checkvalue, $value ) ) {
|
||||||
|
$ok = false;
|
||||||
|
}
|
||||||
|
break;
|
||||||
} // End switch.
|
} // End switch.
|
||||||
|
|
||||||
return $ok;
|
return $ok;
|
||||||
|
@ -2566,3 +2580,34 @@ function _wp_add_global_attributes( $value ) {
|
||||||
|
|
||||||
return $value;
|
return $value;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Helper function to check if this is a safe PDF URL.
|
||||||
|
*
|
||||||
|
* @since 5.9.0
|
||||||
|
* @access private
|
||||||
|
* @ignore
|
||||||
|
*
|
||||||
|
* @param string $url The URL to check.
|
||||||
|
* @return bool True if the URL is safe, false otherwise.
|
||||||
|
*/
|
||||||
|
function _wp_kses_allow_pdf_objects( $value ) {
|
||||||
|
// We're not interested in URLs that contain query strings or fragments.
|
||||||
|
if ( strpos( $value, '?' ) !== false || strpos( $value, '#' ) !== false ) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
// If it doesn't have a PDF extension, it's not safe.
|
||||||
|
if ( 0 !== substr_compare( $value, '.pdf', -4, 4, true ) ) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
// If the URL host matches the current site's media URL, it's safe.
|
||||||
|
$upload_info = wp_upload_dir( null, false );
|
||||||
|
$upload_host = wp_parse_url( $upload_info['url'], PHP_URL_HOST );
|
||||||
|
if ( 0 === strpos( $value, "http://$upload_host/" ) || 0 === strpos( $value, "https://$upload_host/" ) ) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
|
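Review bot: The host prefix built from `wp_parse_url( $upload_info['url'], PHP_URL_HOST )` discards any port, so on a site whose upload URL carries one (constructed example: `http://localhost:8080/wp-content/uploads`) the prefix becomes `http://localhost/` and every legitimately hosted PDF is rejected; the check fails closed, but the new `object` support silently stops working on such installs. Replacing the `$upload_host` line with `$parsed_url  = wp_parse_url( $upload_info['url'] );` / `$upload_host = isset( $parsed_url['host'] ) ? $parsed_url['host'] : '';` / `$upload_host .= isset( $parsed_url['port'] ) ? ':' . $parsed_url['port'] : '';` keeps the two `strpos` prefix tests unchanged and still refuses everything when no host can be parsed. Separately, the docblock declares `@param string $url` while the signature uses `$value`; rename the parameter to `$url` (or fix the tag) so the two agree. In the `value_callback` hunk, `call_user_func( $checkvalue, $value )` is fed from the allowed-HTML configuration rather than from user input, so it is not an injection surface, though an `is_callable( $checkvalue )` guard would turn a misconfigured callback into a clean `$ok = false` instead of a warning (or a TypeError on PHP 8).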
@ -16,7 +16,7 @@
|
||||||
*
|
*
|
||||||
* @global string $wp_version
|
* @global string $wp_version
|
||||||
*/
|
*/
|
||||||
$wp_version = '5.9-beta1-52303';
|
$wp_version = '5.9-beta1-52304';
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
|
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
|
||||||
|
|