Commit Graph

189 Commits

Author SHA1 Message Date
John Blackbourn dfe1f9b322 Docs: Promote many `bool` types to `true` or `false` where only that value is used.
See #51800

Built from https://develop.svn.wordpress.org/trunk@49927


git-svn-id: http://core.svn.wordpress.org/trunk@49626 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-01-03 22:04:04 +00:00
Sergey Biryukov 5770b676b0 Docs: Correct an example in `wp_kses_normalize_entities()` description.
Props ediamin.
Fixes #51620.
Built from https://develop.svn.wordpress.org/trunk@49304


git-svn-id: http://core.svn.wordpress.org/trunk@49066 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-10-25 00:14:05 +00:00
John Blackbourn 1fbcdb2213 Docs: Various corrections to inline docblocks.
See #49572
Built from https://develop.svn.wordpress.org/trunk@48573


git-svn-id: http://core.svn.wordpress.org/trunk@48335 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-07-23 00:48:06 +00:00
whyisjake daace832e3 Media: Add "loading" as an allowed kses image attribute
With loading="lazy" being added to all images in [47554], let's ensure that it passes kses attributes too.

Fixes #50731.
Props TimothyBlynJacobs, peterwilsoncc, azaozz. 


Built from https://develop.svn.wordpress.org/trunk@48572


git-svn-id: http://core.svn.wordpress.org/trunk@48334 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-07-23 00:44:04 +00:00
Sergey Biryukov 0ce2ddce47 Docs: Synchronize description for the `$allowed_html` parameter of various KSES functions.
Follow-up to [43016].

Props Christian1012, jdgrimes, markparnell.
Fixes #39542. See #33801.
Built from https://develop.svn.wordpress.org/trunk@48478


git-svn-id: http://core.svn.wordpress.org/trunk@48247 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-07-14 12:41:03 +00:00
Sergey Biryukov 3336009e34 Docs: Replace "html" and "xhtml" instances in DocBlocks and comments with "HTML" and "XHTML".
This ensures consistent capitalization where appropriate.

Props navidos, desrosj.
Fixes #50473.
Built from https://develop.svn.wordpress.org/trunk@48199


git-svn-id: http://core.svn.wordpress.org/trunk@47968 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-28 14:02:06 +00:00
Sergey Biryukov c892c420b7 Docs: Miscellaneous DocBlock corrections.
See #49572.
Built from https://develop.svn.wordpress.org/trunk@48198


git-svn-id: http://core.svn.wordpress.org/trunk@47967 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-28 11:53:04 +00:00
Sergey Biryukov 5e7dfff3a0 Docs: Use sentence case for comments in `tests/kses.php`, per the documentation standards.
Follow-up to [48132].

See #49464, #49572.
Built from https://develop.svn.wordpress.org/trunk@48139


git-svn-id: http://core.svn.wordpress.org/trunk@47908 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-23 11:11:10 +00:00
whyisjake 446d06c45d Formatting: Extend `wp_kses_hair` and `wp_kses_hair_parse` to allow digits and underscores.
Fixes a lot of issues around parsing XML/HTML attributes.

Fixes #49464.

See #34406, #48608.

Props codeforest, zodiac1978, johnpgreen, dlh, ayeshrajans, johnpgreen, rilwis, travisnorthcutt, miqrogroove, chriscct7, whyisjake.

Built from https://develop.svn.wordpress.org/trunk@48132


git-svn-id: http://core.svn.wordpress.org/trunk@47901 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-23 05:07:11 +00:00
desrosj 4b60af1a6a General: Remove “whitelist” and “blacklist” in favor of more clear and inclusive language.
“The WordPress open source community cares about diversity. We strive to maintain a welcoming environment where everyone can feel included.”

With this commit, all occurrences of “whitelist” and “blacklist” (with the single exception of the `$new_whitelist_options` global variable) are removed. A new ticket has been opened to explore renaming the `$new_whitelist_options` variable (#50434).

Changing to more specific names or rewording sentences containing these terms not only makes the code more inclusive, but also helps provide clarity. These terms are often ambiguous. What is being blocked or allowed is not always immediately clear. This can make it more difficult for non-native English speakers to read through the codebase.

Words matter. If one contributor feels more welcome because these terms are removed, this was worth the effort.

Props strangerstudios, jorbin, desrosj, joemcgill, timothyblynjacobs, ocean90, ayeshrajans, davidbaumwald, earnjam.
See #48900, #50434.
Fixes #50413.
Built from https://develop.svn.wordpress.org/trunk@48121


git-svn-id: http://core.svn.wordpress.org/trunk@47890 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-22 17:26:13 +00:00
Sergey Biryukov e13c363b17 Docs: Capitalize "ID", when referring to a post ID, term ID, etc. in a more consistent way.
See #49572.
Built from https://develop.svn.wordpress.org/trunk@48104


git-svn-id: http://core.svn.wordpress.org/trunk@47873 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-20 12:02:12 +00:00
Adam Silverstein 810e9c3c2b Formatting: new filter `safecss_filter_attr_allow_css` on css parts.
Enables developers to determine whether a section of CSS should be allowed or discarded. By default, the value will be false if the part contains \ ( & } = or comments. Returning true allows the CSS part to be included in the output.

Replaces the `safe_style_disallowed_chars` filter introduced in r47891.

Props azaozz.
Fixes #37134.


Built from https://develop.svn.wordpress.org/trunk@48086


git-svn-id: http://core.svn.wordpress.org/trunk@47853 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-18 21:01:11 +00:00
Pascal Birchler 609dd1d14f Sitemaps: Add XML sitemaps functionality to WordPress.
While web crawlers are able to discover pages from links within the site and from other sites, XML sitemaps supplement this approach by allowing crawlers to quickly and comprehensively identify all URLs included in the sitemap and learn other signals about those URLs using the associated metadata.

See https://make.wordpress.org/core/2020/06/10/merge-announcement-extensible-core-sitemaps/ for more details.

This feature exposes the sitemap index via `/wp-sitemap.xml` and exposes a variety of new filters and hooks for developers to modify the behavior. Users can disable sitemaps completely by turning off search engine visibility in WordPress admin.

This change also introduces a new `esc_xml()` function to escape strings for output in XML, as well as XML support to `wp_kses_normalize_entities()`.

Props Adrian McShane, afragen, adamsilverstein, casiepa, flixos90, garrett-eclipse, joemcgill, kburgoine, kraftbj, milana_cap, pacifika, pbiron, pfefferle, Ruxandra Gradina, swissspidy, szepeviktor, tangrufus, tweetythierry.
Fixes #50117.
See #3670. See #19998.

Built from https://develop.svn.wordpress.org/trunk@48072


git-svn-id: http://core.svn.wordpress.org/trunk@47839 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-17 15:24:07 +00:00
Sergey Biryukov 72b5018aa3 Docs: Miscellaneous DocBlock corrections.
See #49572.
Built from https://develop.svn.wordpress.org/trunk@47892


git-svn-id: http://core.svn.wordpress.org/trunk@47666 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-03 10:02:13 +00:00
Adam Silverstein 86b50870ec Formatting: add a new 'safe_style_disallowed_chars' filter.
Enable developers to change the regex used in `safecss_filter_attr` to limit characters in the parsed CSS.

Props paulschreiber, swissspidy, rmccue, bartekcholewa, miinasikk.
Fixes #37134.


Built from https://develop.svn.wordpress.org/trunk@47891


git-svn-id: http://core.svn.wordpress.org/trunk@47665 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-06-02 23:46:11 +00:00
Peter Wilson 39babb4dfb KSES: Support the `video` element's `playsinline` attribute.
Allow users without the `unfiltered_html` capability to use the `playsinline` attribute when embedding videos.

Additionally this adds unit tests for passing the video element through kses.

Fixes #50167. See #29826.

Built from https://develop.svn.wordpress.org/trunk@47837


git-svn-id: http://core.svn.wordpress.org/trunk@47613 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-05-21 04:54:11 +00:00
Sergey Biryukov 7932193708 Coding Standards: Use strict comparison where static strings are involved.
This reduces the number of `WordPress.PHP.StrictComparisons.LooseComparison` issues in half, from 1897 to 890.

Includes minor code layout fixes for better readability.

See #49542.
Built from https://develop.svn.wordpress.org/trunk@47808


git-svn-id: http://core.svn.wordpress.org/trunk@47584 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-05-16 18:42:12 +00:00
Sergey Biryukov 38676936ba Coding Standards: Use strict type check for `in_array()` and `array_search()` where strings are involved.
This reduces the number of `WordPress.PHP.StrictInArray.MissingTrueStrict` issues from 486 to 50.

Includes minor code layout fixes for better readability.

See #49542.
Built from https://develop.svn.wordpress.org/trunk@47550


git-svn-id: http://core.svn.wordpress.org/trunk@47325 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-04-05 03:02:11 +00:00
Sergey Biryukov 641c632b0c Coding Standards: Use Yoda conditions where appropriate.
See #49222.
Built from https://develop.svn.wordpress.org/trunk@47219


git-svn-id: http://core.svn.wordpress.org/trunk@47019 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-02-09 16:55:09 +00:00
Sergey Biryukov 001ffe81fb Docs: Improve inline comments per the documentation standards.
Includes minor code layout fixes for better readability.

See #48303.
Built from https://develop.svn.wordpress.org/trunk@47122


git-svn-id: http://core.svn.wordpress.org/trunk@46922 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-01-29 00:45:18 +00:00
Sergey Biryukov 1b675c6e4a Formatting: Return early from `wp_kses_attr_check()` if the element is not in the list of allowed elements and attributes.
Props krynes, tristanleboss.
Fixes #48549.
Built from https://develop.svn.wordpress.org/trunk@46959


git-svn-id: http://core.svn.wordpress.org/trunk@46759 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-14 15:53:06 +00:00
whyisjake 84e4c8531a Update `wp_kses_bad_protocol()` to recognize `:` on uri attributes,
`wp_kses_bad_protocol()` makes sure to validate that uri attributes don’t contain invalid/or not allowed protocols. While this works fine in most cases, there’s a risk that by using the colon html5 named entity, one is able to bypass this function.

Props: xknown, nickdaugherty, peterwilsoncc.

Built from https://develop.svn.wordpress.org/trunk@46895


git-svn-id: http://core.svn.wordpress.org/trunk@46695 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-12 17:55:05 +00:00
Sergey Biryukov 7acfab22b8 KSES: Add support for gradient backgrounds.
Props jorgefilipecosta.
Fixes #48376.
Built from https://develop.svn.wordpress.org/trunk@46793


git-svn-id: http://core.svn.wordpress.org/trunk@46593 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-11-28 00:29:02 +00:00
John Blackbourn f545bb3f63 Docs: Improve documentation of known return types, plus other docs fixes.
See #48303

Built from https://develop.svn.wordpress.org/trunk@46660


git-svn-id: http://core.svn.wordpress.org/trunk@46460 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-11-05 21:23:02 +00:00
Peter Wilson 428600fb93 KSES: Add support for modern layout techniques in `style` attribute.
Adds support for `flex`, `grid` and `column` layout techniques to the list of CSS attributes considered safe for inline CSS. The `\` character and CSS functions, eg `minmax()` are not yet supported.

Extends support of `border` properties to include `border-radius` and individual `background` properties to include all those implicitly supported by the shorthand attribute.

Props mrahmadawais, marybaum, birgire, peterwilsoncc, azaozz.
Fixes #37248.
See #47367.

Built from https://develop.svn.wordpress.org/trunk@46235


git-svn-id: http://core.svn.wordpress.org/trunk@46047 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-22 22:17:57 +00:00
desrosj 30ac675795 Fix for URL sanitization that can lead to cross-site scripting (XSS) attacks.
Props irsdl, sstoqnov, whyisjake.
Built from https://develop.svn.wordpress.org/trunk@45997


git-svn-id: http://core.svn.wordpress.org/trunk@45808 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 17:52:56 +00:00
Gary Pendergast 4803fc405e Coding Standards: Fix the `Squiz.PHP.DisallowMultipleAssignments` violations in `wp-includes`.
See #47632.


Built from https://develop.svn.wordpress.org/trunk@45590


git-svn-id: http://core.svn.wordpress.org/trunk@45401 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-07-02 23:42:58 +00:00
Peter Wilson 460e256026 KSES: Add `flex` and related long form properties to safe CSS.
Allow `flex`, `flex-grow`, `flex-shrink` and `flex-basis` to be used in inline CSS. As of WordPress 5.3 the block editor is expected to use `flex-basis` inline to set the width in the column block.

Props aduth.
Fixes #47281.
See #37248.


Built from https://develop.svn.wordpress.org/trunk@45363


git-svn-id: http://core.svn.wordpress.org/trunk@45174 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-05-18 04:34:52 +00:00
Gary Pendergast 4325de4629 KSES: Add `background-position` and `grid-template-columns` as safe CSS properties.
Props aduth.
Fixes #46597.


Built from https://develop.svn.wordpress.org/trunk@45242


git-svn-id: http://core.svn.wordpress.org/trunk@45051 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-04-18 05:56:51 +00:00
desrosj 72098048c6 Docs: Update `since` annotation for `text-transform` support in `safecss_filter_attr()`.
Introduced in [42880].

Fixes #42729.
Built from https://develop.svn.wordpress.org/trunk@44531


git-svn-id: http://core.svn.wordpress.org/trunk@44362 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-01-10 01:43:49 +00:00
desrosj 8cb7058273 PHPCS: Fix alignment issues.
This fixes some array alignment issues introduced in [44293].
Built from https://develop.svn.wordpress.org/trunk@44294


git-svn-id: http://core.svn.wordpress.org/trunk@44124 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-18 16:58:48 +00:00
desrosj 164452f942 KSES: Conditionally remove the `<form>` element from `$allowedposttags`.
To avoid backwards compatibility issues, `<form>` is re-added if a custom filter has added the `<input>` or `<select>` elements to `$allowedposttags`.

Merges [43994] to trunk.
Built from https://develop.svn.wordpress.org/trunk@44293


git-svn-id: http://core.svn.wordpress.org/trunk@44123 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-18 16:46:48 +00:00
iandunn 614df6b5cc KSES: Make the URI attributes DRY.
This commit introduces the `wp_kses_uri_attributes` function and filter. The function centralizes the list of attributes, in order to prevent inconsistency, and the filter provides a way for plugins to customize the attributes.

Merges [44014] and [44017] to `trunk`.

Built from https://develop.svn.wordpress.org/trunk@44207


git-svn-id: http://core.svn.wordpress.org/trunk@44037 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-15 11:18:25 +00:00
Gary Pendergast e740c695e6 KSES: Allow the `download` attribute on `<a>` tags.
To avoid this being a vector for bypassing the filetypes that are allowed to be uploaded, this attribute is only allowed to be added without a value.

Merges [43813] from the 5.0 branch to trunk.

Props kalpshit, arshidkv12, welcher, peterwilsoncc, marina_wp, pento.
Fixes #44724.


Built from https://develop.svn.wordpress.org/trunk@44156


git-svn-id: http://core.svn.wordpress.org/trunk@43986 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-14 03:28:38 +00:00
Gary Pendergast 1947e4424a KSES: Allow `url()` to be used in inline CSS.
The cover image block uses the `url()` function in its inline CSS, to show the cover image. KSES didn't allow this, causing the block to not save correctly for Author and Contributor users. As KSES does already check each attribute name against an allowed list, we're able to add an extra check for certain attributes to be able to use the `url()` function, too.

Merges [43781] from the 5.0 branch to core.

Props peterwilsoncc, azaozz, pento, dd32.
Fixes #45067.


Built from https://develop.svn.wordpress.org/trunk@44136


git-svn-id: http://core.svn.wordpress.org/trunk@43966 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-14 01:41:36 +00:00
Jeremy Felt 32e9dea3ea KSES: Add selected ARIA attributes support.
Allow low-privileged users to use the ARIA attributes `aria-describedby`, `aria-details`, `aria-label`, `aria-labelledby` and `aria-hidden`.

Merges [43731] to trunk.

Props mattheu, swissspidy, rianrietveld, afercia, GaryJ.
See #30421.

Built from https://develop.svn.wordpress.org/trunk@43984


git-svn-id: http://core.svn.wordpress.org/trunk@43816 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-12 03:15:24 +00:00
Jeremy Felt a0309e80b6 KSES: Allow HTML data-* attributes.
Add global support for HTML attributes prefixed `data-` for authors and contributors, as required by the new editor.

Merges [43727] to trunk.

Props azaozz, peterwilsoncc.
Fixes #33121.

Built from https://develop.svn.wordpress.org/trunk@43981


git-svn-id: http://core.svn.wordpress.org/trunk@43813 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-12 02:39:25 +00:00
Gary Pendergast 56c162fbc9 Coding Standards: Upgrade WPCS to 1.0.0
WPCS 1.0.0 includes a bunch of new auto-fixers, which drops the number of coding standards issues across WordPress significantly. Prior to running the auto-fixers, there were 15,312 issues detected. With this commit, we now drop to 4,769 issues.

This change includes three notable additions:
- Multiline function calls must now put each parameter on a new line.
- Auto-formatting files is now part of the `grunt precommit` script. 
- Auto-fixable coding standards issues will now cause Travis failures.

Fixes #44600.


Built from https://develop.svn.wordpress.org/trunk@43571


git-svn-id: http://core.svn.wordpress.org/trunk@43400 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-08-17 01:51:36 +00:00
John Blackbourn 4ccca7a835 Formatting: Begin the process of improving the docs for KSES related functions.
See #33801

Built from https://develop.svn.wordpress.org/trunk@43016


git-svn-id: http://core.svn.wordpress.org/trunk@42845 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-04-28 13:58:21 +00:00
Sergey Biryukov 0e9549d424 Formatting: Permit use of `text-transform` in `safecss_filter_attr()`.
Add unit tests for `safecss_filter_attr()`.

Props birgire, juiiee8487, danielbachhuber.
Fixes #42729.
Built from https://develop.svn.wordpress.org/trunk@42880


git-svn-id: http://core.svn.wordpress.org/trunk@42710 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-03-27 00:54:34 +00:00
Sergey Biryukov 8a701e5b3f Formatting: Avoid a PHP 7.2 warning in `wp_kses_attr()` when one of `$allowedtags` elements is an uncountable value.
Props andrei0x309, soulseekah, SergeyBiryukov.
Fixes #43312.
Built from https://develop.svn.wordpress.org/trunk@42860


git-svn-id: http://core.svn.wordpress.org/trunk@42690 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-03-20 21:35:31 +00:00
Sergey Biryukov 5d1e06f939 Docs: Move inline comments in `wp_kses_split2()` before the blocks they apply to.
See #42505.
Built from https://develop.svn.wordpress.org/trunk@42712


git-svn-id: http://core.svn.wordpress.org/trunk@42540 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-02-14 11:46:33 +00:00
Gary Pendergast aaf99e6913 Code is Poetry.
WordPress' code just... wasn't.
This is now dealt with.

Props jrf, pento, netweb, GaryJ, jdgrimes, westonruter, Greg Sherwood from PHPCS, and everyone who's ever contributed to WPCS and PHPCS.
Fixes #41057.


Built from https://develop.svn.wordpress.org/trunk@42343


git-svn-id: http://core.svn.wordpress.org/trunk@42172 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-30 23:11:00 +00:00
Gary Pendergast 882db52bdd General: Add inline PHPCS options to leave regex indentation.
We have a handful of super long regexen that are written over multiple lines, as a collection of strings concatenated together. Each string is indented appropriately for the regex, but PHPCS doesn't recognised this, so defaults to removing the extra whitespace.

Disabling the `Squiz.Strings.ConcatenationSpacing.PaddingFound` rule for these blocks stops the extra whitespace from being removed.

See #41057.


Built from https://develop.svn.wordpress.org/trunk@42249


git-svn-id: http://core.svn.wordpress.org/trunk@42078 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-28 04:24:57 +00:00
Gary Pendergast c90cfa3b50 General: Fix some precision alignment formatting warnings.
The WPCS `WordPress.WhiteSpace.PrecisionAlignment` rule throws warnings for a bunch of code that will likely cause issues for `wpcbf`. Fixing these manually beforehand gives us better auto-fixed results later.

See #41057.


Built from https://develop.svn.wordpress.org/trunk@42228


git-svn-id: http://core.svn.wordpress.org/trunk@42057 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-26 23:57:55 +00:00
Drew Jaynes 474711aac1 Docs: Adjust notation for the `$context` parameter in the DocBlocks for the `wp_kses_allowed_html()` function and its associated `wp_kses_allowed_html` filter.
`$context|$allowedtags` can be either a string or array.

Props bor0.
Fixes #40575.

Built from https://develop.svn.wordpress.org/trunk@40950


git-svn-id: http://core.svn.wordpress.org/trunk@40800 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-06-25 22:16:40 +00:00
Dominik Schilling 77858f4b92 KSES: Support `'tag' => true` as a shorthand for `'tag' => array()` in `wp_kses_attr()`.
`Automatic_Upgrader_Skin::feedback()` had always assumed that this is already the case, now it is.

See #20017.
Fixes #40680.
Built from https://develop.svn.wordpress.org/trunk@40637


git-svn-id: http://core.svn.wordpress.org/trunk@40498 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-11 19:23:43 +00:00
John Blackbourn d327c92e4b Docs: Add and correct `@since` docs for a variety of functions and methods.
Props keesiemeijer, chris_dev
Fixes #39343, #39357, #39344
See #39130

Built from https://develop.svn.wordpress.org/trunk@39638


git-svn-id: http://core.svn.wordpress.org/trunk@39578 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-12-27 09:21:44 +00:00
Gary Pendergast 456f8015b7 KSES: Deprecate `wp_kses_js_entities()`.
This function was originally introduced to fix an XSS attack in Netscape 4, which never affected any other browsers, or later versions of Netscape.

I'm willing to go out on a limb, and say that we've officially dropped security support for Netscape 4.

Props dmsnell, desrosj.
Fixes #33848.


Built from https://develop.svn.wordpress.org/trunk@38785


git-svn-id: http://core.svn.wordpress.org/trunk@38728 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-10-13 22:25:31 +00:00
Aaron Jorbin dd983343d3 Formatting: Allow KSES custom elements with hyphens
The W3C Custom Elements spec (http://www.w3.org/TR/custom-elements/#concepts) allows you to use your own custom DOM elements/tags. One of the main requirements is that the tag name "must contain a U+002D HYPHEN-MINUS character". This adjusts KSES to allow it.

Fixes #34105.
Props batmoo.


Built from https://develop.svn.wordpress.org/trunk@38511


git-svn-id: http://core.svn.wordpress.org/trunk@38452 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-09-02 04:16:28 +00:00