diff --git a/wp-includes/kses.php b/wp-includes/kses.php
index 2ff0210493..4688b44bb6 100644
--- a/wp-includes/kses.php
+++ b/wp-includes/kses.php
@@ -536,7 +536,7 @@ function wp_kses( $string, $allowed_html, $allowed_protocols = array() ) {
 * @return string Filtered attribute.
 */
 function wp_kses_one_attr( $string, $element ) {
- $uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');
+ $uris = wp_kses_uri_attributes();
 $allowed_html = wp_kses_allowed_html( 'post' );
 $allowed_protocols = wp_allowed_protocols();
 $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
@@ -735,6 +735,56 @@ function wp_kses_split( $string, $allowed_html, $allowed_protocols ) {
 return preg_replace_callback( '%(|$))|(<[^>]*(>|$)|>)%', '_wp_kses_split_callback', $string );
 }
 
+/**
+ * Helper function listing HTML attributes containing a URL.
+ *
+ * This function returns a list of all HTML attributes that must contain
+ * a URL according to the HTML specification.
+ *
+ * This list includes URI attributes both allowed and disallowed by KSES.
+ *
+ * @link https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes
+ *
+ * @since 5.0.1
+ *
+ * @return array HTML attributes that must include a URL.
+ */
+function wp_kses_uri_attributes() {
+ $uri_attributes = array(
+ 'action',
+ 'archive',
+ 'background',
+ 'cite',
+ 'classid',
+ 'codebase',
+ 'data',
+ 'formaction',
+ 'href',
+ 'icon',
+ 'longdesc',
+ 'manifest',
+ 'poster',
+ 'profile',
+ 'src',
+ 'usemap',
+ 'xmlns',
+ );
+
+ /**
+ * Filters the list of attributes that are required to contain a URL.
+ *
+ * Use this filter to add any `data-` attributes that are required to be
+ * validated as a URL.
+ *
+ * @since 5.0.1
+ *
+ * @param array $uri_attributes HTML attributes requiring validation as a URL.
+ */
+ $uri_attributes = apply_filters( 'wp_kses_uri_attributes', $uri_attributes );
+
+ return $uri_attributes;
+}
+
 /**
 * Callback for wp_kses_split.
 *
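Review bot: The `apply_filters( 'wp_kses_uri_attributes', $uri_attributes )` call in the new helper lets a callback return a list that omits entries such as `href` or `src`, which silently disables URL/protocol validation for those attributes in both callers (wp_kses_one_attr in the first hunk and wp_kses_hair in the third), yet the filter docblock only describes adding `data-` attributes. I would spell this out in the filter docblock, e.g. `* Removing an attribute from this list disables URL validation for it; callbacks should only extend the list.`, and coerce the result with `return (array) apply_filters( 'wp_kses_uri_attributes', $uri_attributes );` so a callback that returns null or a string cannot reach the callers' attribute checks as a non-array. The `@return array` tag would be more precise as `@return string[]`, and since both callers now invoke the helper on every parse, a slow filter callback is presumably paid per tag — worth a sentence in the function docblock.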
@@ -930,7 +980,7 @@ function wp_kses_hair($attr, $allowed_protocols) {
 $attrarr = array();
 $mode = 0;
 $attrname = '';
- $uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');
+ $uris = wp_kses_uri_attributes();
 // Loop through the whole attribute list