diff --git a/wp-includes/kses.php b/wp-includes/kses.php
index 31bc2b5e7a..7eeadca569 100644
--- a/wp-includes/kses.php
+++ b/wp-includes/kses.php
@@ -1088,16 +1088,20 @@ function wp_kses_split2( $content, $allowed_html, $allowed_protocols ) {
 	// Allow HTML comments.
 	if ( str_starts_with( $content, '' ), '', $content );
-		while ( ( $newstring = wp_kses( $content, $allowed_html, $allowed_protocols ) ) != $content ) {
+
+		while ( ( $newstring = wp_kses( $content, $allowed_html, $allowed_protocols ) ) !== $content ) {
 			$content = $newstring;
 		}
+
 		if ( '' === $content ) {
 			return '';
 		}
+
 		// Prevent multiple dashes in comments.
 		$content = preg_replace( '/--+/', '-', $content );
 		// Prevent three dashes closing a comment.
 		$content = preg_replace( '/-$/', '', $content );
+
 		return "";
 	}
 
@@ -1357,6 +1361,7 @@ function wp_kses_hair( $attr, $allowed_protocols ) {
 				if ( preg_match( '/^\s+/', $attr ) ) { // Valueless.
 					$working = 1;
 					$mode = 0;
+
 					if ( false === array_key_exists( $attrname, $attrarr ) ) {
 						$attrarr[ $attrname ] = array(
 							'name' => $attrname,
@@ -1365,6 +1370,7 @@ function wp_kses_hair( $attr, $allowed_protocols ) {
 							'vless' => 'y',
 						);
 					}
+
 					$attr = preg_replace( '/^\s+/', '', $attr );
 				}
 
@@ -1386,6 +1392,7 @@ function wp_kses_hair( $attr, $allowed_protocols ) {
 							'vless' => 'n',
 						);
 					}
+
 					$working = 1;
 					$mode = 0;
 					$attr = preg_replace( '/^"[^"]*"(\s+|$)/', '', $attr );
@@ -1407,6 +1414,7 @@ function wp_kses_hair( $attr, $allowed_protocols ) {
 							'vless' => 'n',
 						);
 					}
+
 					$working = 1;
 					$mode = 0;
 					$attr = preg_replace( "/^'[^']*'(\s+|$)/", '', $attr );
@@ -1428,6 +1436,7 @@ function wp_kses_hair( $attr, $allowed_protocols ) {
 							'vless' => 'n',
 						);
 					}
+
 					// We add quotes to conform to W3C's HTML spec.
 					$working = 1;
 					$mode = 0;
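Review bot: The rewritten `while` in the first hunk still calls `wp_kses()` with no iteration cap, so termination depends entirely on the filter reaching a fixed point, whereas `wp_kses_bad_protocol()` later in this file bounds its equivalent loop with `++$iterations < 6` and returns `''` when the content never settles. Mirroring that guard here keeps the two filters consistent and turns any input on which `wp_kses()` oscillates into a dropped comment instead of a hang; nothing in the hunk shows such an input exists, so this is defence in depth rather than a known bug. `wp_kses_split2()`'s body starts and ends outside the hunk, and this page's rendering of the `if ( str_starts_with(` / `str_replace` lines and the final `return` has lost the HTML comment delimiter literals, so read those from the file. The other five hunks on this line only insert blank lines.
```php
		$iterations = 0;

		while ( ( $newstring = wp_kses( $content, $allowed_html, $allowed_protocols ) ) !== $content && ++$iterations < 6 ) {
			$content = $newstring;
		}

		// Drop the comment rather than emit content the filter never settled on.
		if ( $newstring !== $content ) {
			return '';
		}

		// … unchanged: empty-comment check, dash collapsing, return …
```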
@@ -1437,13 +1446,13 @@ function wp_kses_hair( $attr, $allowed_protocols ) {
 					break;
 			} // End switch.
 
-			if ( 0 == $working ) { // Not well-formed, remove and try again.
+			if ( 0 === $working ) { // Not well-formed, remove and try again.
 				$attr = wp_kses_html_error( $attr );
 				$mode = 0;
 			}
 		} // End while.
 
-		if ( 1 == $mode && false === array_key_exists( $attrname, $attrarr ) ) {
+		if ( 1 === $mode && false === array_key_exists( $attrname, $attrarr ) ) {
 			/*
 			 * Special case, for when the attribute list ends with a valueless
 			 * attribute like "selected".
@@ -1707,9 +1716,9 @@ function wp_kses_bad_protocol( $content, $allowed_protocols ) {
 	do {
 		$original_content = $content;
 		$content = wp_kses_bad_protocol_once( $content, $allowed_protocols );
-	} while ( $original_content != $content && ++$iterations < 6 );
+	} while ( $original_content !== $content && ++$iterations < 6 );
 
-	if ( $original_content != $content ) {
+	if ( $original_content !== $content ) {
 		return '';
 	}
 
@@ -1974,6 +1983,7 @@ function wp_kses_normalize_entities2( $matches ) {
 	}
 
 	$i = $matches[1];
+
 	if ( valid_unicode( $i ) ) {
 		$i = str_pad( ltrim( $i, '0' ), 3, '0', STR_PAD_LEFT );
 		$i = "&#$i;";
@@ -2003,6 +2013,7 @@ function wp_kses_normalize_entities3( $matches ) {
 	}
 
 	$hexchars = $matches[1];
+
 	return ( ! valid_unicode( hexdec( $hexchars ) ) ) ? "&#x$hexchars;" : '&#x' . ltrim( $hexchars, '0' ) . ';';
 }
 
@@ -2015,10 +2026,13 @@ function wp_kses_normalize_entities3( $matches ) {
  * @return bool Whether or not the codepoint is a valid Unicode codepoint.
  */
 function valid_unicode( $i ) {
-	return ( 0x9 == $i || 0xa == $i || 0xd == $i ||
-		( 0x20 <= $i && $i <= 0xd7ff ) ||
-		( 0xe000 <= $i && $i <= 0xfffd ) ||
-		( 0x10000 <= $i && $i <= 0x10ffff ) );
+	$i = (int) $i;
+
+	return ( 0x9 === $i || 0xa === $i || 0xd === $i ||
+		( 0x20 <= $i && $i <= 0xd7ff ) ||
+		( 0xe000 <= $i && $i <= 0xfffd ) ||
+		( 0x10000 <= $i && $i <= 0x10ffff )
+	);
 }
 
 /**
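Review bot: The new `$i = (int) $i;` in the last hunk widens what `valid_unicode()` accepts — a numeric string is converted before the strict comparisons, a non-numeric string becomes `0` and is rejected, and the float that `hexdec( $hexchars )` in `wp_kses_normalize_entities3()` can return is truncated — but the function's `@param` tag, which sits just above the hunk, does not say so; I would update it to `@param int|string $i Unicode codepoint, or a numeric string that is cast to int before checking.`. One point to confirm against the caller's regex, which is outside the hunk: if `$hexchars` is not length-bounded, `hexdec()` returns a float above `PHP_INT_MAX` and the manual describes its `(int)` cast as undefined, so either a six-hex-digit limit (enough for `0x10ffff`) or an `is_int()` check before the cast would make that rejection explicit rather than incidental. The strict-comparison hunks earlier on this line (`0 === $working`, `1 === $mode`, `!==` in `wp_kses_bad_protocol()`) compare values the surrounding code assigns as ints and strings, so they look safe as written.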
diff --git a/wp-includes/version.php b/wp-includes/version.php
index c432ad5933..30dca32671 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '6.4-alpha-56376';
+$wp_version = '6.4-alpha-56377';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.