WordPress-C
/
WordPress
mirror of https://github.com/WordPress/WordPress.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

PressThis: update _limit_url(), use esc_url_raw(). Fixes checking of urlencoded strings. 

See #31373.
Built from https://develop.svn.wordpress.org/trunk@31737


git-svn-id: http://core.svn.wordpress.org/trunk@31718 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Andrew Ozz 2015-03-11 23:23:25 +00:00
parent 4cc85f4da2
commit ce297a7227
2 changed files with 5 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
wp-admin/includes/class-wp-press-this.php
View File

@ -342,23 +342,17 @@ class WP_Press_This {
return '';
}
$url = $this->_limit_string( $url );
// HTTP 1.1 allows 8000 chars but the "de-facto" standard supported in all current browsers is 2048.
if ( mb_strlen( $url ) > 2048 ) {
if ( strlen( $url ) > 2048 ) {
return ''; // Return empty rather than a trunacted/invalid URL
}
// Only allow http(s) or protocol relative URLs.
if ( ! preg_match( '%^(https?:)?//%i', $url ) ) {
// Does it look like an URL?
if ( ! preg_match( '/^([!#$&-;=?-\[\]_a-z~]|%[0-9a-fA-F]{2})+$/', $url ) ) {
return '';
}
if ( strpos( $url, '"' ) !== false || strpos( $url, ' ' ) !== false ) {
return '';
}
return $url;
return esc_url_raw( $url, array( 'http', 'https' ) );
}
private function _limit_img( $src ) {

2
wp-includes/version.php
View File

@ -4,7 +4,7 @@
*
* @global string $wp_version
*/
$wp_version = '4.2-alpha-31736';
$wp_version = '4.2-alpha-31737';
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.