From 722f25cd97dd089ea3ad6635cc6a9033a7ad02e2 Mon Sep 17 00:00:00 2001
From: Gary Pendergast
Date: Wed, 24 Oct 2018 01:19:39 +0000
Subject: [PATCH] KSES: Allow the `download` attribute on `` tags.
To avoid this being a vector for bypassing the filetypes that are allowed to be uploaded, this attribute is only allowed to be added without a value.
Props kalpshit, arshidkv12, welcher, peterwilsoncc, marina_wp, pento.
See #44724.
Built from https://develop.svn.wordpress.org/branches/5.0@43813
git-svn-id: http://core.svn.wordpress.org/branches/5.0@43642 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/kses.php | 3 +++
 wp-includes/version.php | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/wp-includes/kses.php b/wp-includes/kses.php
index b5cedc6f85..3083cc94f1 100644
--- a/wp-includes/kses.php
+++ b/wp-includes/kses.php
@@ -66,6 +66,9 @@ if ( ! CUSTOM_TAGS ) {
 'rev' => true,
 'name' => true,
 'target' => true,
+ 'download' => array(
+ 'valueless' => 'y',
+ ),
 ),
 'abbr' => array(),
 'acronym' => array(),
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 84803e2b4f..c415a564af 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '5.0-alpha-43812';
+$wp_version = '5.0-alpha-43813';
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
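Review bot: In the wp-includes/kses.php hunk, the security reason for `'valueless' => 'y'` on the new `'download'` entry is stated only in the commit message. A later edit that relaxes it to `'download' => true` would let post markup choose the saved filename and extension with nothing in the code to warn against it. I would put a comment directly above the entry, for example `// Valueless only: a value would let markup pick the downloaded filename and sidestep the upload file-type restrictions.` A regression test that a valued `download="..."` is stripped while a bare `download` survives would pin the behaviour; this repository is built from the develop branch, so that test presumably belongs there. The enclosing array starts and ends outside the hunk, so which allowed-tags list and which tag this entry belongs to cannot be confirmed from the visible lines.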