From 39710dcb5aa7eecd0508e19786d8da34093efd5d Mon Sep 17 00:00:00 2001
From: iandunn
Date: Thu, 13 Dec 2018 00:14:26 +0000
Subject: [PATCH] KSES: Make the URI attributes DRY.

This commit introduces the `wp_kses_uri_attributes` function and filter. The function centralizes the list of attributes, in order to prevent inconsistency, and the filter provides a way for plugins to customize the attributes.

Merges [44014] and [44017] to the `4.9` branch.

Built from https://develop.svn.wordpress.org/branches/4.9@44020
git-svn-id: http://core.svn.wordpress.org/branches/4.9@43850 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
wp-includes/kses.php | 54 +++++++++++++++++++++++++++++++++++++++--
wp-includes/version.php | 2 +-
2 files changed, 53 insertions(+), 3 deletions(-)

diff --git a/wp-includes/kses.php b/wp-includes/kses.php
index 3b65ee9496..ab7aa75fe4 100644
--- a/wp-includes/kses.php
+++ b/wp-includes/kses.php
@@ -536,7 +536,7 @@ function wp_kses( $string, $allowed_html, $allowed_protocols = array() ) {
 * @return string Filtered attribute.
 */
 function wp_kses_one_attr( $string, $element ) {
- $uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');
+ $uris = wp_kses_uri_attributes();
 $allowed_html = wp_kses_allowed_html( 'post' );
 $allowed_protocols = wp_allowed_protocols();
 $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
@@ -733,6 +733,56 @@ function wp_kses_split( $string, $allowed_html, $allowed_protocols ) {
 return preg_replace_callback( '%(|$))|(<[^>]*(>|$)|>)%', '_wp_kses_split_callback', $string );
 }
 
+/**
+ * Helper function listing HTML attributes containing a URL.
+ *
+ * This function returns a list of all HTML attributes that must contain
+ * a URL according to the HTML specification.
+ *
+ * This list includes URI attributes both allowed and disallowed by KSES.
+ *
+ * @link https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes
+ *
+ * @since 5.0.1
+ *
+ * @return array HTML attributes that must include a URL.
+ */
+function wp_kses_uri_attributes() {
+ $uri_attributes = array(
+ 'action',
+ 'archive',
+ 'background',
+ 'cite',
+ 'classid',
+ 'codebase',
+ 'data',
+ 'formaction',
+ 'href',
+ 'icon',
+ 'longdesc',
+ 'manifest',
+ 'poster',
+ 'profile',
+ 'src',
+ 'usemap',
+ 'xmlns',
+ );
+
+ /**
+ * Filters the list of attributes that are required to contain a URL.
+ *
+ * Use this filter to add any `data-` attributes that are required to be
+ * validated as a URL.
+ *
+ * @since 5.0.1
+ *
+ * @param array $uri_attributes HTML attributes requiring validation as a URL.
+ */
+ $uri_attributes = apply_filters( 'wp_kses_uri_attributes', $uri_attributes );
+
+ return $uri_attributes;
+}
+
 /**
 * Callback for wp_kses_split.
 *
@@ -930,7 +980,7 @@ function wp_kses_hair($attr, $allowed_protocols) {
 $attrarr = array();
 $mode = 0;
 $attrname = '';
- $uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');
+ $uris = wp_kses_uri_attributes();
 
 // Loop through the whole attribute list
 
diff --git a/wp-includes/version.php b/wp-includes/version.php
index f13e4de4a1..f841cdb024 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
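Review bot: The `wp_kses_uri_attributes` filter docblock only describes adding `data-` attributes, but a callback can equally remove entries or return something other than an array, and the two call sites switched to this function (the hunks in wp_kses_one_attr and wp_kses_hair) take the result as-is, so dropping `href` or `src` silently exempts that attribute from protocol validation. The docblock should say so, e.g. `Removing an attribute from this list exempts its value from URL protocol validation; only do so deliberately.`, and the return can be hardened to `return (array) apply_filters( 'wp_kses_uri_attributes', $uri_attributes );`. The consumers appear to compare lowercased attribute names against this list (those lines are outside the hunks), so an entry added by a filter in mixed case would never match; lowercasing the final array with `array_map( 'strtolower', ... )` before returning would close that gap.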
@@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '4.9.9-alpha-43997';
+$wp_version = '4.9.9-alpha-44020';
 
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.