`wp_kses_bad_protocol()` makes sure to validate that uri attributes don’t contain invalid/or not allowed protocols. While this works fine in most cases, there’s a risk that by using the colon html5 named entity, one is able to bypass this function.
Brings r46895 to the 4.5 branch.
Props: xknown, nickdaugherty, peterwilsoncc.
Built from https://develop.svn.wordpress.org/branches/4.5@46913
git-svn-id: http://core.svn.wordpress.org/branches/4.5@46713 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit introduces the `wp_kses_uri_attributes` function and filter. The function centralizes the list of attributes, in order to prevent inconsistency, and the filter provides a way for plugins to customize the attributes.
Merges [44014] and [44017] to the `4.6` branch.
Built from https://develop.svn.wordpress.org/branches/4.5@44032
git-svn-id: http://core.svn.wordpress.org/branches/4.5@43862 1a063a9b-81f0-0310-95a4-ce76da25c4cd
`$initial` shouldn't be loosely compared to `true` in `get_calendar()`.
`current_user_can()` shouldn't be loosely compared to `false` in `kses_init()`
`$get_all` shouldn't be loosely compared to `true` in `get_blog_details()`.
`is_array()` and `in_array()` shouldn't be loosely compared in `wpmu_validate_user_signup()`.
`$result` should by strictly compared in `check_ajax_referer()`.
`wp_verify_nonce()` should by strictly compared in `_show_post_preview()`.
`is_user_logged_in()` should not be loosly compared against `false` in `wp-signup.php`.
See #32444.
Built from https://develop.svn.wordpress.org/trunk@32733
git-svn-id: http://core.svn.wordpress.org/trunk@32704 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Per our inline documentation standards, no further use of the `@uses` tag is recommended as used and used-by relationships can be derived through other means. This removes most uses of the tag in core documentation, with remaining tags to be converted to `@global` or `@see` as they apply.
Fixes#30191.
Built from https://develop.svn.wordpress.org/trunk@30105
git-svn-id: http://core.svn.wordpress.org/trunk@30105 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The exceptions to this are update_post_meta() and add_post_meta() which are often used by plugins in POST handlers and will continue accepting slashed data for now.
Introduce wp_upate_post_meta() and wp_add_post_meta() as unslashed alternatives to update_post_meta() and add_post_meta(). These functions could become methods in WP_Post so don't use them too heavily yet.
Remove all escape() calls from wp_xmlrpc_server. Now that core expects unslashed data this is no longer needed.
Remove addslashes(), addslashes_gpc(), add_magic_quotes() calls on data being prepared for handoff to core functions that until now expected slashed data. Adding slashes in no longer necessary.
Introduce wp_unslash() and use to it remove slashes from GPCS data before using it in core API. Almost every instance of stripslashes() in core should now be wp_unslash(). In the future (a release or three) when GPCS is no longer slashed, wp_unslash() will stop stripping slashes and simply return what is passed. At this point wp_unslash() calls can be removed from core.
Introduce wp_slash() for slashing GPCS data. This will also turn into a noop once GPCS is no longer slashed. wp_slash() should almost never be used. It is mainly of use in unit tests.
Plugins should use wp_unslash() on data being passed to core API.
Plugins should no longer slash data being passed to core. So when you get_post() and then wp_insert_post() the post data from get_post() no longer needs addslashes(). Most plugins were not bothering with this. They will magically start doing the right thing. Unfortunately, those few souls who did it properly will now have to avoid calling addslashes() for 3.6 and newer.
Use wp_kses_post() and wp_kses_data(), which expect unslashed data, instead of wp_filter_post_kses() and wp_filter_kses(), which expect slashed data. Filters are no longer passed slashed data.
Remove many no longer necessary calls to $wpdb->escape() and esc_sql().
In wp_get_referer() and wp_get_original_referer(), return unslashed data.
Remove old stripslashes() calls from WP_Widget::update() handlers. These haven't been necessary since WP_Widget.
Switch several queries over to prepare().
Expect something to break.
Props alexkingorg
see #21767
git-svn-id: http://core.svn.wordpress.org/trunk@23416 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Remove explicit declarations of class, id, style, and title from $allowedposttags
* Dynamicallly add global attributes to every tag for the 'post' context
* No longer calls wp_kses_array_lc() every time wp_kses() runs. Instead it runs once if CUSTOM_TAGS is true. Plugins directly passing a custom allowed_html array will no longer get the lc treatment. Keep an eye out for problems with this.
* wp_kses_data() and wp_filter_kses() pass current_filter() for the $allowed_html argument to wp_kses().
* wp_kses_allowed_html() handles being passed a filter name for a context. If the filter is not a recognized one it defaults to using $allowedtags as was done before for wp_kses_data() and wp_filter_kses().
* wp_kses_allowed_html() recognizes user_description and pre_user_description out of the box. For these it takes $allowedtags and inserts rel attribute support.
* wp_kses_allowed_html() allows plugins to override the return values for the default contexts and support arbitrary contexts via a wp_kses_allowed_html filter.
* wp_kses_hook() can now pass a string context for $allowed_html to the pre_kses filter. We might have to pass the result of wp_kses_allowed_html() instead if it turns out that plugins are digging in $allowed_html.
fixes#17977
see #20210
git-svn-id: http://core.svn.wordpress.org/trunk@21790 1a063a9b-81f0-0310-95a4-ce76da25c4cd
safecss_filter_attr() block for style tags must be moved out of the is_array() only branch of wp_kses_attr() to accommodate for this.
git-svn-id: http://svn.automattic.com/wordpress/trunk@19976 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This allows plugins to filter the list of protocols used for esc_url() too, and helps us keep the list of protocols in sync.
git-svn-id: http://svn.automattic.com/wordpress/trunk@18826 1a063a9b-81f0-0310-95a4-ce76da25c4cd