From 58f8f500d356aed863f7b95f53adbdc919b3c0da Mon Sep 17 00:00:00 2001 From: whyisjake Date: Thu, 12 Dec 2019 18:13:03 +0000 Subject: [PATCH] Update `wp_kses_bad_protocol()` to recognize `:` on uri attributes, MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit `wp_kses_bad_protocol()` makes sure to validate that uri attributes don’t contain invalid/or not allowed protocols. While this works fine in most cases, there’s a risk that by using the colon html5 named entity, one is able to bypass this function. Brings r46895 to the 5.3 branch. Props: xknown, nickdaugherty, peterwilsoncc. Built from https://develop.svn.wordpress.org/branches/5.3@46899 git-svn-id: http://core.svn.wordpress.org/branches/5.3@46699 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-includes/kses.php | 2 +- wp-includes/version.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/wp-includes/kses.php b/wp-includes/kses.php index bdb7c5d986..d2f3cbb82e 100644 --- a/wp-includes/kses.php +++ b/wp-includes/kses.php @@ -1665,7 +1665,7 @@ function wp_kses_html_error( $string ) { */ function wp_kses_bad_protocol_once( $string, $allowed_protocols, $count = 1 ) { $string = preg_replace( '/(�*58(?![;0-9])|�*3a(?![;a-f0-9]))/i', '$1;', $string ); - $string2 = preg_split( '/:|�*58;|�*3a;/i', $string, 2 ); + $string2 = preg_split( '/:|�*58;|�*3a;|:/i', $string, 2 ); if ( isset( $string2[1] ) && ! preg_match( '%/\?%', $string2[0] ) ) { $string = trim( $string2[1] ); $protocol = wp_kses_bad_protocol_once2( $string2[0], $allowed_protocols ); diff --git a/wp-includes/version.php b/wp-includes/version.php index 099c8c024f..283b039962 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -13,7 +13,7 @@ * * @global string $wp_version */ -$wp_version = '5.3.1-RC2-46898'; +$wp_version = '5.3.1-RC2-46899'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.