KSES: Conditionally remove the `<form>` element from `$allowedposttags`.

To avoid backwards compatibility issues, `<form>` is re-added if a custom filter has added the `<input>` or `<select>` elements to `$allowedposttags`.

Merges [43994] to the 4.6 branch.

Built from https://develop.svn.wordpress.org/branches/4.6@44001


git-svn-id: http://core.svn.wordpress.org/branches/4.6@43833 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Gary Pendergast 2018-12-12 23:27:21 +00:00
parent bcbb4f7808
commit 6e7503eedc
1 changed files with 22 additions and 10 deletions

View File

@ -184,15 +184,6 @@ if ( ! CUSTOM_TAGS ) {
'lang' => true,
'xml:lang' => true,
),
'form' => array(
'action' => true,
'accept' => true,
'accept-charset' => true,
'enctype' => true,
'method' => true,
'name' => true,
'target' => true,
),
'h1' => array(
'align' => true,
),
@ -612,6 +603,7 @@ function wp_kses_one_attr( $string, $element ) {
* Return a list of allowed tags and attributes for a given context.
*
* @since 3.5.0
* @since 5.0.1 `form` removed as allowable HTML tag.
*
* @global array $allowedposttags
* @global array $allowedtags
@ -641,7 +633,27 @@ function wp_kses_allowed_html( $context = '' ) {
switch ( $context ) {
case 'post':
/** This filter is documented in wp-includes/kses.php */
return apply_filters( 'wp_kses_allowed_html', $allowedposttags, $context );
$tags = apply_filters( 'wp_kses_allowed_html', $allowedposttags, $context );
// 5.0.1 removed the `<form>` tag, allow it if a filter is allowing it's sub-elements `<input>` or `<select>`.
if ( ! CUSTOM_TAGS && ! isset( $tags['form'] ) && ( isset( $tags['input'] ) || isset( $tags['select'] ) ) ) {
$tags = $allowedposttags;
$tags['form'] = array(
'action' => true,
'accept' => true,
'accept-charset' => true,
'enctype' => true,
'method' => true,
'name' => true,
'target' => true,
);
/** This filter is documented in wp-includes/kses.php */
$tags = apply_filters( 'wp_kses_allowed_html', $tags, $context );
}
return $tags;
case 'user_description':
case 'pre_user_description':