From 456f8015b77c69537f8ec5b012cd3b3cc94e21d7 Mon Sep 17 00:00:00 2001 From: Gary Pendergast Date: Thu, 13 Oct 2016 22:25:31 +0000 Subject: [PATCH] KSES: Deprecate `wp_kses_js_entities()`. This function was originally introduced to fix an XSS attack in Netscape 4, which never affected any other browsers, or later versions of Netscape. I'm willing to go out on a limb, and say that we've officially dropped security support for Netscape 4. Props dmsnell, desrosj. Fixes #33848. Built from https://develop.svn.wordpress.org/trunk@38785 git-svn-id: http://core.svn.wordpress.org/trunk@38728 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-includes/deprecated.php | 26 ++++++++++++++++++++++++++ wp-includes/kses.php | 14 -------------- wp-includes/version.php | 2 +- 3 files changed, 27 insertions(+), 15 deletions(-) diff --git a/wp-includes/deprecated.php b/wp-includes/deprecated.php index 8315702bab..d7598d0755 100644 --- a/wp-includes/deprecated.php +++ b/wp-includes/deprecated.php @@ -3772,3 +3772,29 @@ function get_paged_template() { return get_query_template( 'paged' ); } + +/** + * Removes the HTML JavaScript entities found in early versions of Netscape 4. + * + * Previously, this function was pulled in from the original + * import of kses and removed a specific vulnerability only + * existent in early version of Netscape 4. However, this + * vulnerability never affected any other browsers and can + * be considered safe for the modern web. + * + * The regular expression which sanitized this vulnerability + * has been removed in consideration of the performance and + * energy demands it placed, now merely passing through its + * input to the return. + * + * @since 1.0.0 + * @deprecated deprecated since 4.7 + * + * @param string $string + * @return string + */ +function wp_kses_js_entities( $string ) { + _deprecated_function( __FUNCTION__, '4.7.0' ); + + return preg_replace( '%&\s*\{[^}]*(\}\s*;?|$)%', '', $string ); +} diff --git a/wp-includes/kses.php b/wp-includes/kses.php index fae60cdd95..4745d8d7ef 100644 --- a/wp-includes/kses.php +++ b/wp-includes/kses.php @@ -527,7 +527,6 @@ function wp_kses( $string, $allowed_html, $allowed_protocols = array() ) { if ( empty( $allowed_protocols ) ) $allowed_protocols = wp_allowed_protocols(); $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) ); - $string = wp_kses_js_entities($string); $string = wp_kses_normalize_entities($string); $string = wp_kses_hook($string, $allowed_html, $allowed_protocols); // WP changed the order of these funcs and added args to wp_kses_hook return wp_kses_split($string, $allowed_html, $allowed_protocols); @@ -550,7 +549,6 @@ function wp_kses_one_attr( $string, $element ) { $allowed_html = wp_kses_allowed_html( 'post' ); $allowed_protocols = wp_allowed_protocols(); $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) ); - $string = wp_kses_js_entities( $string ); // Preserve leading and trailing whitespace. $matches = array(); @@ -1295,18 +1293,6 @@ function wp_kses_array_lc($inarray) { return $outarray; } -/** - * Removes the HTML JavaScript entities found in early versions of Netscape 4. - * - * @since 1.0.0 - * - * @param string $string - * @return string - */ -function wp_kses_js_entities($string) { - return preg_replace('%&\s*\{[^}]*(\}\s*;?|$)%', '', $string); -} - /** * Handles parsing errors in wp_kses_hair(). * diff --git a/wp-includes/version.php b/wp-includes/version.php index 1c4635c97c..d5ebfa7d99 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -4,7 +4,7 @@ * * @global string $wp_version */ -$wp_version = '4.7-alpha-38784'; +$wp_version = '4.7-alpha-38785'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.