Update `wp_kses_bad_protocol()` to recognize `:` on uri attributes,

`wp_kses_bad_protocol()` makes sure to validate that uri attributes don’t contain invalid/or not allowed protocols. While this works fine in most cases, there’s a risk that by using the colon html5 named entity, one is able to bypass this function.

Brings r46895 to the 5.3 branch.

Props: xknown, nickdaugherty, peterwilsoncc.

Built from https://develop.svn.wordpress.org/branches/5.3@46899


git-svn-id: http://core.svn.wordpress.org/branches/5.3@46699 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
whyisjake 2019-12-12 18:13:03 +00:00
parent 8221d6d320
commit 58f8f500d3
2 changed files with 2 additions and 2 deletions

View File

@ -1665,7 +1665,7 @@ function wp_kses_html_error( $string ) {
*/ */
function wp_kses_bad_protocol_once( $string, $allowed_protocols, $count = 1 ) { function wp_kses_bad_protocol_once( $string, $allowed_protocols, $count = 1 ) {
$string = preg_replace( '/(&#0*58(?![;0-9])|&#x0*3a(?![;a-f0-9]))/i', '$1;', $string ); $string = preg_replace( '/(&#0*58(?![;0-9])|&#x0*3a(?![;a-f0-9]))/i', '$1;', $string );
$string2 = preg_split( '/:|&#0*58;|&#x0*3a;/i', $string, 2 ); $string2 = preg_split( '/:|&#0*58;|&#x0*3a;|:/i', $string, 2 );
if ( isset( $string2[1] ) && ! preg_match( '%/\?%', $string2[0] ) ) { if ( isset( $string2[1] ) && ! preg_match( '%/\?%', $string2[0] ) ) {
$string = trim( $string2[1] ); $string = trim( $string2[1] );
$protocol = wp_kses_bad_protocol_once2( $string2[0], $allowed_protocols ); $protocol = wp_kses_bad_protocol_once2( $string2[0], $allowed_protocols );

View File

@ -13,7 +13,7 @@
* *
* @global string $wp_version * @global string $wp_version
*/ */
$wp_version = '5.3.1-RC2-46898'; $wp_version = '5.3.1-RC2-46899';
/** /**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.