Commit Graph

191 Commits

Author SHA1 Message Date
Gary Pendergast 456f8015b7 KSES: Deprecate `wp_kses_js_entities()`.
This function was originally introduced to fix an XSS attack in Netscape 4, which never affected any other browsers, or later versions of Netscape.

I'm willing to go out on a limb, and say that we've officially dropped security support for Netscape 4.

Props dmsnell, desrosj.
Fixes #33848.


Built from https://develop.svn.wordpress.org/trunk@38785


git-svn-id: http://core.svn.wordpress.org/trunk@38728 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-10-13 22:25:31 +00:00
Aaron Jorbin dd983343d3 Formatting: Allow KSES custom elements with hyphens
The W3C Custom Elements spec (http://www.w3.org/TR/custom-elements/#concepts) allows you to use your own custom DOM elements/tags. One of the main requirements is that the tag name "must contain a U+002D HYPHEN-MINUS character". This adjusts KSES to allow it.

Fixes #34105.
Props batmoo.


Built from https://develop.svn.wordpress.org/trunk@38511


git-svn-id: http://core.svn.wordpress.org/trunk@38452 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-09-02 04:16:28 +00:00
Drew Jaynes 6cc13f0c54 Docs: Fix formatting, tense, verb conjugation, and other syntax for wp-includes/* elements introduced or changed in 4.6.
Part 1/2.

See #37318.

Built from https://develop.svn.wordpress.org/trunk@38121


git-svn-id: http://core.svn.wordpress.org/trunk@38062 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-07-20 16:57:32 +00:00
Drew Jaynes 5e467a2774 Docs: Add changelog entries to the hook doc for the `safe_style_css` filter denoting recent CSS attribute additions.
* `min-height`, `max-height`, `min-width`, and `max-width` were added in 4.4, see [33739].
* `list-style-type` was added in 4.6, see [37898].

See #35877. See #32246.

Built from https://develop.svn.wordpress.org/trunk@37931


git-svn-id: http://core.svn.wordpress.org/trunk@37872 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-30 17:02:30 +00:00
Jeremy Felt 571f70c60a KSES: Add `list-style-type` to the list of allowed CSS attributes.
Props azaozz.
Fixes #35877.

Built from https://develop.svn.wordpress.org/trunk@37898


git-svn-id: http://core.svn.wordpress.org/trunk@37839 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-28 22:10:31 +00:00
Jeremy Felt d9d7e5fa63 KSES: Adjust the list of safecss attributes for readability.
Props azaozz.
See #35877.

Built from https://develop.svn.wordpress.org/trunk@37897


git-svn-id: http://core.svn.wordpress.org/trunk@37838 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-28 22:06:31 +00:00
Drew Jaynes d28f1a08ef Docs: Apply inline `@see` tags to hooks referenced in DocBlocks in a variety of wp-includes/* files.
Applying these specially-crafted `@see` tags allows the Code Reference parser to recognize and link these elements as actions and filters.

See #36921.

Built from https://develop.svn.wordpress.org/trunk@37543


git-svn-id: http://core.svn.wordpress.org/trunk@37511 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-23 19:01:27 +00:00
Drew Jaynes 9cb5247392 Docs: Standardize filter docs in remaining wp-includes/* files to use third-person singular verbs per the inline documentation standards for PHP.
See #36913.

Built from https://develop.svn.wordpress.org/trunk@37518


git-svn-id: http://core.svn.wordpress.org/trunk@37486 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-22 18:50:28 +00:00
Drew Jaynes fe3b007fdd Docs: Remove inline `@see` tags from function, class, and method references in inline docs.
Known functions, classes, and methods are now auto-linked in Code Reference pages following #meta1483.

Note: Hook references are still linked via inline `@see` tags due to the unlikelihood of reliably matching for known hooks based on a RegEx pattern.

See #32246.

Built from https://develop.svn.wordpress.org/trunk@37342


git-svn-id: http://core.svn.wordpress.org/trunk@37308 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-02 04:00:28 +00:00
Drew Jaynes 6a94d3e2e3 Docs: Use the correct parameter name in the DocBlock for `wp_kses_post_deep()`, introduced in [36429].
Props sebastianpisula.
Fixes #35700. See #35316.

Built from https://develop.svn.wordpress.org/trunk@36489


git-svn-id: http://core.svn.wordpress.org/trunk@36456 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-07 00:18:26 +00:00
Dominik Schilling cd892b86b4 Media: In `wp_read_image_metadata()` make sure that IPTC keywords are UTF8 encoded.
Prevents missing `_wp_attachment_metadata` when an image contains keywords with latin extended characters.

Fixes #35316.
Built from https://develop.svn.wordpress.org/trunk@36429


git-svn-id: http://core.svn.wordpress.org/trunk@36396 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-01 14:53:27 +00:00
John Blackbourn a5d44337b2 Docs: `@param` fixes for a variety of docblocks.
See #32246

Built from https://develop.svn.wordpress.org/trunk@36232


git-svn-id: http://core.svn.wordpress.org/trunk@36199 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-01-09 01:45:26 +00:00
Sergey Biryukov ae37057114 KSES: Allow the `reversed` attribute for `<ol>`.
Props lancewillett.
Fixes #35079.
Built from https://develop.svn.wordpress.org/trunk@35960


git-svn-id: http://core.svn.wordpress.org/trunk@35924 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-16 09:54:26 +00:00
Scott Taylor 55e16aa98a KSES: have you ever heard of the `<bdo>` HTML tag? Same. http://www.w3schools.com/tags/tag_bdo.asp
Adds unit test.

Props iandunn.
Fixes #34063.

Built from https://develop.svn.wordpress.org/trunk@35141


git-svn-id: http://core.svn.wordpress.org/trunk@35106 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-13 17:18:25 +00:00
Scott Taylor 8d27055b0c Allow these CSS properties in KSES: `min-height', 'max-height', 'min-width', 'max-width'`
Props MikeHansenMe.
Fixes #31949.

Built from https://develop.svn.wordpress.org/trunk@33739


git-svn-id: http://core.svn.wordpress.org/trunk@33707 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-08-25 21:46:20 +00:00
Gary Pendergast c3e0ed7e03 Shortcodes: Improve the reliablity of shortcodes inside HTML tags.
Props miqrogroove.

See #15694.


Built from https://develop.svn.wordpress.org/trunk@33359


git-svn-id: http://core.svn.wordpress.org/trunk@33331 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-07-22 05:15:25 +00:00
Scott Taylor 32dabc1f90 Don't strip `\0` (backslash+zero) from post content for users without "unfiltered_html"
Adds unit tests.

Props miqrogroove.
Fixes #28699.

Built from https://develop.svn.wordpress.org/trunk@32860


git-svn-id: http://core.svn.wordpress.org/trunk@32831 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-06-19 18:47:27 +00:00
Scott Taylor f888767c73 `$status` shouldn't be loosely compared to `true` in `wp_xmlrpc_server::wp_deleteComment()`.
`$initial` shouldn't be loosely compared to `true` in `get_calendar()`.
`current_user_can()` shouldn't be loosely compared to `false` in `kses_init()`
`$get_all` shouldn't be loosely compared to `true` in `get_blog_details()`.
`is_array()` and `in_array()` shouldn't be loosely compared in `wpmu_validate_user_signup()`.
`$result` should by strictly compared in `check_ajax_referer()`.
`wp_verify_nonce()` should by strictly compared in `_show_post_preview()`.
`is_user_logged_in()` should not be loosly compared against `false` in `wp-signup.php`.

See #32444.

Built from https://develop.svn.wordpress.org/trunk@32733


git-svn-id: http://core.svn.wordpress.org/trunk@32704 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-06-12 17:48:26 +00:00
Scott Taylor 4b24007353 Add missing doc blocks to `kses.php` - also fix some unfortunate whitespace issues in related funcs.
See #32444.

Built from https://develop.svn.wordpress.org/trunk@32603


git-svn-id: http://core.svn.wordpress.org/trunk@32573 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-05-26 18:06:24 +00:00
Scott Taylor 86f29795a4 Add `<s>` to `$allowedtags` in KSES.
From https://developer.mozilla.org/en-US/docs/Web/HTML/Element/s :
"The <strike> element, alter ego of the <s> element is obsolete and should not be used on Web sites any more."

`<strike>` shall remain for BC, but `<s>` should not be stripped from the author (et al) role's HTML input.

Props paulschreiber.
Fixes #30954.

Built from https://develop.svn.wordpress.org/trunk@31205


git-svn-id: http://core.svn.wordpress.org/trunk@31186 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-01-16 16:07:23 +00:00
Scott Taylor fc843ce4d0 There are some random `add_action()` and `add_filter()` calls littered around some files in `wp-includes/`. These should be moved to `wp-includes/default-filters.php` with the rest of the registered hooks. It seems like this was the best practice for awhile and then we randomly stopped. This file loads way before any of the includes, so the hooks will be registered for any request that loads WordPress, even `SHORTINIT` - a lot of the hooks registered won't run anyways (that's already the case).
See #30947.

Built from https://develop.svn.wordpress.org/trunk@31168


git-svn-id: http://core.svn.wordpress.org/trunk@31149 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-01-12 16:40:23 +00:00
Scott Taylor 4a1ad9acec Jump statements should not be followed by other statements (there were 5 lingering).
See #30799.

Built from https://develop.svn.wordpress.org/trunk@31100


git-svn-id: http://core.svn.wordpress.org/trunk@31081 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-01-08 21:15:22 +00:00
Scott Taylor ac4e67b82e Perl-style comments should not be used
See #30799.

Built from https://develop.svn.wordpress.org/trunk@31079


git-svn-id: http://core.svn.wordpress.org/trunk@31060 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-01-08 05:52:24 +00:00
Drew Jaynes ad1ecf88c5 Only backtick-escape individual HTML entities in the DocBlock for `wp_kses_normalize_entities()`.
Props TobiasBg.
Fixes #30473.

Built from https://develop.svn.wordpress.org/trunk@30726


git-svn-id: http://core.svn.wordpress.org/trunk@30716 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-12-03 11:47:23 +00:00
Drew Jaynes 3d77f9a816 Remove some now-unnecessary double quotes around HTML entities used in DocBlock comments.
See #30473.

Built from https://develop.svn.wordpress.org/trunk@30721


git-svn-id: http://core.svn.wordpress.org/trunk@30711 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-12-03 08:49:23 +00:00
Drew Jaynes 8e5543da53 Backtick-escape three sets of HTML entities used in DocBlock descriptions in wp-includes/kses.php.
Without the escaping, the Code Reference/browser may inadvertently attempt to convert and display entities.

Fixes #30473.

Built from https://develop.svn.wordpress.org/trunk@30720


git-svn-id: http://core.svn.wordpress.org/trunk@30710 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-12-03 08:47:22 +00:00
Andrew Nacin e7614d6c45 Fix typo in style filter. props miqrogroove
Built from https://develop.svn.wordpress.org/trunk@30425


git-svn-id: http://core.svn.wordpress.org/trunk@30420 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-11-20 13:15:24 +00:00
Drew Jaynes f8657d5890 Remove redundant and erroneous `@uses` tag from most core inline documentation.
Per our inline documentation standards, no further use of the `@uses` tag is recommended as used and used-by relationships can be derived through other means. This removes most uses of the tag in core documentation, with remaining tags to be converted to `@global` or `@see` as they apply.

Fixes #30191.

Built from https://develop.svn.wordpress.org/trunk@30105


git-svn-id: http://core.svn.wordpress.org/trunk@30105 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-10-30 01:05:24 +00:00
Scott Taylor 2ad420dddf Add `audio`, `video`, and `track` to `$allowedposttags` (KSES).
Props jwenerd, wonderboymusic. 
Fixes #29826.

Built from https://develop.svn.wordpress.org/trunk@30064


git-svn-id: http://core.svn.wordpress.org/trunk@30064 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-10-28 19:36:23 +00:00
Andrew Nacin ae21b1884d kses: Add colgroup.
props collinsinternet.
fixes #29433.

Built from https://develop.svn.wordpress.org/trunk@29740


git-svn-id: http://core.svn.wordpress.org/trunk@29514 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-09-12 05:51:17 +00:00
Sergey Biryukov 788597141a Make wp_kses_no_null() remove any invalid control characters in a string.
props mauteri, miqrogroove.
fixes #28506.
Built from https://develop.svn.wordpress.org/trunk@28942


git-svn-id: http://core.svn.wordpress.org/trunk@28740 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-07-01 18:01:17 +00:00
Scott Taylor 38e39c93ea In `kses.php`, ensure that `$allowedposttags`, `$allowedtags`, and `$allowedentitynames` are added to the global namespace.
Props Jaza613.
Fixes #28582.


Built from https://develop.svn.wordpress.org/trunk@28845


git-svn-id: http://core.svn.wordpress.org/trunk@28649 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-06-26 02:14:15 +00:00
Andrew Nacin fbbc31f3c5 Inline documentation for hooks in wp-includes/kses.php.
props siobhyb, DrewAPicture.
fixes #25800.

Built from https://develop.svn.wordpress.org/trunk@27739


git-svn-id: http://core.svn.wordpress.org/trunk@27576 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-03-26 14:57:15 +00:00
Andrew Nacin f9fd129f28 Allow XML attributes with colons to be read by kses.
The attribute would still need to be whitelisted to get through the filters.

props jorbin.
fixes #17847.

Built from https://develop.svn.wordpress.org/trunk@27707


git-svn-id: http://core.svn.wordpress.org/trunk@27546 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-03-25 12:53:16 +00:00
Andrew Nacin 5fd175300c Allow the role attribute in kses for all elements.
props mikecorkum.
fixes #24098.

Built from https://develop.svn.wordpress.org/trunk@27388


git-svn-id: http://core.svn.wordpress.org/trunk@27236 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-03-04 02:11:16 +00:00
Andrew Nacin 8ec592f244 Add dfn, mark, and samp to kses.
props kraftbj.
fixes #24950.

Built from https://develop.svn.wordpress.org/trunk@26973


git-svn-id: http://core.svn.wordpress.org/trunk@26852 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-01-17 08:38:09 +00:00
Peter Westwood e1e79ddf64 KSES: Extend support in wp_kses_normalize_entities to named entities with up to two numbers on the end of the name so as to support a wider list of valid entities.
Fixes â#26290

Built from https://develop.svn.wordpress.org/trunk@26440


git-svn-id: http://core.svn.wordpress.org/trunk@26338 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-11-27 22:32:09 +00:00
Andrew Nacin d362dc1e49 Allow the value attribute for list items processed by kses.
props kraftbj.
fixes #24293.

Built from https://develop.svn.wordpress.org/trunk@25460


git-svn-id: http://core.svn.wordpress.org/trunk@25381 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-16 20:49:10 +00:00
Ryan Boren 43a7e695e9 Revert 23416, 23419, 23445 except for wp_reset_vars() changes. We are going a different direction with the slashing cleanup, so resetting to a clean slate. see #21767
git-svn-id: http://core.svn.wordpress.org/trunk@23554 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-03-01 16:28:40 +00:00
Ryan Boren cc5ed3a485 Change all core API to expect unslashed rather than slashed arguments.
The exceptions to this are update_post_meta() and add_post_meta() which are often used by plugins in POST handlers and will continue accepting slashed data for now.

Introduce wp_upate_post_meta() and wp_add_post_meta() as unslashed alternatives to update_post_meta() and add_post_meta(). These functions could become methods in WP_Post so don't use them too heavily yet.

Remove all escape() calls from wp_xmlrpc_server. Now that core expects unslashed data this is no longer needed.

Remove addslashes(), addslashes_gpc(), add_magic_quotes() calls on data being prepared for handoff to core functions that until now expected slashed data. Adding slashes in no longer necessary.

Introduce wp_unslash() and use to it remove slashes from GPCS data before using it in core API. Almost every instance of stripslashes() in core should now be wp_unslash(). In the future (a release or three) when GPCS is no longer slashed, wp_unslash() will stop stripping slashes and simply return what is passed. At this point wp_unslash() calls can be removed from core.

Introduce wp_slash() for slashing GPCS data. This will also turn into a noop once GPCS is no longer slashed. wp_slash() should almost never be used. It is mainly of use in unit tests.

Plugins should use wp_unslash() on data being passed to core API.

Plugins should no longer slash data being passed to core. So when you get_post() and then wp_insert_post() the post data from get_post() no longer needs addslashes(). Most plugins were not bothering with this. They will magically start doing the right thing. Unfortunately, those few souls who did it properly will now have to avoid calling addslashes() for 3.6 and newer.

Use wp_kses_post() and wp_kses_data(), which expect unslashed data, instead of wp_filter_post_kses() and wp_filter_kses(), which expect slashed data. Filters are no longer passed slashed data.

Remove many no longer necessary calls to $wpdb->escape() and esc_sql().

In wp_get_referer() and wp_get_original_referer(), return unslashed data.

Remove old stripslashes() calls from WP_Widget::update() handlers. These haven't been necessary since WP_Widget.

Switch several queries over to prepare().

Expect something to break.

Props alexkingorg
see #21767


git-svn-id: http://core.svn.wordpress.org/trunk@23416 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-02-14 22:51:06 +00:00
Andrew Nacin 40543db45f Recommend the wp_kses_allowed_html filter over CUSTOM_TAGS. Soft deprecate CUSTOM_TAGS. see #17977, #20210.
git-svn-id: http://core.svn.wordpress.org/trunk@21796 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-09-10 18:00:41 +00:00
Andrew Nacin ed375f4106 Remove kses allowedtags that were commented out long ago. see #17977.
git-svn-id: http://core.svn.wordpress.org/trunk@21795 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-09-10 17:53:46 +00:00
Ryan Boren ffac99eadc * Introduce wp_kses_allowed_html() which accepts a context string and returns an array of allowed tags.
* Remove explicit declarations of class, id, style, and title from $allowedposttags
 * Dynamicallly add global attributes to every tag for the 'post' context
 * No longer calls wp_kses_array_lc() every time wp_kses() runs. Instead it runs once if CUSTOM_TAGS is true. Plugins directly passing a custom allowed_html array will no longer get the lc treatment. Keep an eye out for problems with this.
 * wp_kses_data() and wp_filter_kses() pass current_filter() for the $allowed_html argument to wp_kses().
 * wp_kses_allowed_html() handles being passed a filter name for a context. If the filter is not a recognized one it defaults to using $allowedtags as was done before for wp_kses_data() and wp_filter_kses().
 * wp_kses_allowed_html() recognizes user_description and pre_user_description out of the box. For these it takes $allowedtags and inserts rel attribute support.
 * wp_kses_allowed_html() allows plugins to override the return values for the default contexts and support arbitrary contexts via a wp_kses_allowed_html filter.
 * wp_kses_hook() can now pass a string context for $allowed_html to the pre_kses filter. We might have to pass the result of wp_kses_allowed_html() instead if it turns out that plugins are digging in $allowed_html.

fixes #17977
see #20210


git-svn-id: http://core.svn.wordpress.org/trunk@21790 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-09-10 16:19:54 +00:00
Mark Jaquith a0736b43ba Add <small> to KSES, to hang out with its <big> brother. props SergeyBiryukov. fixes #18573
git-svn-id: http://core.svn.wordpress.org/trunk@21777 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-09-06 19:08:42 +00:00
ryan 01dd4131b8 Don't allow unfiltered HTML comments from a frame. Props nacin. fixes #20812
git-svn-id: http://core.svn.wordpress.org/trunk@20974 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-06-01 20:47:08 +00:00
nacin a7ef8337be Handle multiple feed: schemes.
git-svn-id: http://svn.automattic.com/wordpress/trunk@20540 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-04-19 21:48:12 +00:00
duck_ f62dac2756 Reduce memory usage in wp-includes/kses.php by switching unnecessary empty arrays to boolean. Fixes #20017.
safecss_filter_attr() block for style tags must be moved out of the is_array() only branch of wp_kses_attr() to accommodate for this.


git-svn-id: http://svn.automattic.com/wordpress/trunk@19976 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-02-21 20:33:44 +00:00
duck_ 81a7ad2c81 split was deprecated in PHP 5.3.0, so use explode instead. Props garyc40. Fixes #16325.
git-svn-id: http://svn.automattic.com/wordpress/trunk@19726 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-01-09 21:20:51 +00:00
ryan 83b131f8e3 User lowercase true, false, null instead of uppercase. Props c3mdigital, mfields. fixes #16302
git-svn-id: http://svn.automattic.com/wordpress/trunk@19687 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-01-05 20:50:54 +00:00
ryan 07ff8b216b Use one space, not two, after trailing punctuation. fixes #19537
git-svn-id: http://svn.automattic.com/wordpress/trunk@19593 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2011-12-13 23:45:31 +00:00
ryan 8e8847e303 Don't use wp_parse_args() on non associative array. Props SergeyBiryukov. see #18268
git-svn-id: http://svn.automattic.com/wordpress/trunk@18856 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2011-10-01 15:54:52 +00:00
ryan 32e25b6aec phpdoc typo and readability fixes. Props SergeyBiryukov. fixes #18560
git-svn-id: http://svn.automattic.com/wordpress/trunk@18827 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2011-09-29 22:57:43 +00:00
duck_ 4171ea192b Introduce wp_allowed_protocols() for use in wp_kses() and esc_url(). See #18268.
This allows plugins to filter the list of protocols used for esc_url() too, and helps us keep the list of protocols in sync.


git-svn-id: http://svn.automattic.com/wordpress/trunk@18826 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2011-09-29 22:33:51 +00:00
nacin 70ba819afd i before e except after c. props trepmal, fixes #17730.
git-svn-id: http://svn.automattic.com/wordpress/trunk@18208 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2011-06-09 09:13:00 +00:00
nacin 95279728ae Upddate FSF address in kses. props mcepl, fixes #14967.
git-svn-id: http://svn.automattic.com/wordpress/trunk@18052 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2011-05-25 22:15:12 +00:00
ryan c5fb371ec6 kses optimizations. Props duck_. fixes #17045
git-svn-id: http://svn.automattic.com/wordpress/trunk@17730 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2011-04-27 21:50:39 +00:00
ryan 85f1feed84 Bring out the shears.
git-svn-id: http://svn.automattic.com/wordpress/trunk@17228 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2011-01-06 04:11:14 +00:00
ryan 607c8bf12a Update @author tag contact info. Props hakre. see #16039
git-svn-id: http://svn.automattic.com/wordpress/trunk@17185 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2010-12-30 20:07:12 +00:00
ryan 4fd6561b1c Add Copyright Statement, Licensing Information and Disclaimer to kses. Props hakre. Thanks Ulf Harnhammar. fixes #16039
git-svn-id: http://svn.automattic.com/wordpress/trunk@17181 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2010-12-30 18:37:18 +00:00
ryan 81cd855720 Don't be case sensitive to attribute names. Handle padded entities when checking for bad protocols. Normalize entities before checking for bad protocols in esc_url(). Props Mauro Gentile, duck_, miqrogroove
git-svn-id: http://svn.automattic.com/wordpress/trunk@17171 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2010-12-29 20:45:37 +00:00
ryan 4f9846e1f3 Don't be so sensitive.
git-svn-id: http://svn.automattic.com/wordpress/trunk@17119 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2010-12-23 15:26:49 +00:00
nacin 5f4a583fb1 Remove more create_function calls. props huichen, see #14424.
git-svn-id: http://svn.automattic.com/wordpress/trunk@16313 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2010-11-11 22:50:36 +00:00
ryan 44e222d5ae Add equal sign to blacklist. Props Pádraic Brady. for 3.1
git-svn-id: http://svn.automattic.com/wordpress/trunk@15383 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2010-07-12 14:30:39 +00:00
ryan ffba502e8c Don't use deprecated function. Blacklist curlies.
git-svn-id: http://svn.automattic.com/wordpress/trunk@15356 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2010-06-30 17:46:37 +00:00
markjaquith 0c1ce4e9bc Add some new protocols for KSES. Make the list of protocols filterable. Start esc_url() with the same list. fixes #10914. props technosailor
git-svn-id: http://svn.automattic.com/wordpress/trunk@14412 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2010-05-03 21:20:20 +00:00
nacin 0cd84fba21 Add HTML 5 elements to kses, first pass. props rmccue. see #12835.
git-svn-id: http://svn.automattic.com/wordpress/trunk@14406 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2010-05-03 20:34:49 +00:00
nacin 30d6eb32c6 Remove redundant isset() and empty() checks.
git-svn-id: http://svn.automattic.com/wordpress/trunk@13770 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2010-03-19 21:29:21 +00:00
ryan 624731b93f Fix numeric entity logic in kses. Props miqrogroove. see #12284
git-svn-id: http://svn.automattic.com/wordpress/trunk@13648 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2010-03-10 18:45:28 +00:00
westi 3775882493 Improve kses handling of attributes in valid XHTML self closed img tags. Fixes #12394 props dougal.
git-svn-id: http://svn.automattic.com/wordpress/trunk@13561 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2010-03-02 22:11:08 +00:00
nacin 8bcc5969dc Spelling and grammar fun. Fixes #11875 props cnorris23
git-svn-id: http://svn.automattic.com/wordpress/trunk@13382 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2010-02-24 20:13:23 +00:00
nacin cddfbdd914 Coil the kses entities whitelist. See #12284
git-svn-id: http://svn.automattic.com/wordpress/trunk@13363 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2010-02-24 07:33:14 +00:00
ryan 0a81feaaeb Whitelist entities. Props miqrogroove. see #12284
git-svn-id: http://svn.automattic.com/wordpress/trunk@13358 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2010-02-24 05:37:20 +00:00
westi bf4a5241e1 Add missing version numbers to _deprecated_argument() calls.
Remove deprecated argument from xfn_check() calls.
Pass version number to deprecated_file_included, deprecated_function_run and deprecated_argument_run actions.
Fixes #11386 props nacin.

git-svn-id: http://svn.automattic.com/wordpress/trunk@12680 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2010-01-09 10:03:55 +00:00
westi ff7831207c Updates and improvements to _depreceated_argument. See #11386 props nacin.
git-svn-id: http://svn.automattic.com/wordpress/trunk@12584 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2009-12-30 16:23:39 +00:00
ryan cdf11d3479 Allow 0xAD in URI attributes. Props nbachiyski. fixes #9823 #10859
git-svn-id: http://svn.automattic.com/wordpress/trunk@12199 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2009-11-17 20:18:48 +00:00
ryan 4ec1d4bc32 Introduce wp_kses_post() and wp_kses_data() for filtering unescaped data. Fixes slashing of displayed fields. fixes #10949
git-svn-id: http://svn.automattic.com/wordpress/trunk@12125 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2009-10-29 17:15:58 +00:00
ryan 8e3808bce2 Remove trailing whitespace
git-svn-id: http://svn.automattic.com/wordpress/trunk@11930 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2009-09-14 14:03:32 +00:00
azaozz 613aeb5316 Do not use lambda functions in wp_kses_decode_entities(), props mdawaffe, fixes #10623
git-svn-id: http://svn.automattic.com/wordpress/trunk@11828 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2009-08-16 05:58:39 +00:00
azaozz 49f9fb716c Fix deprecated arg. in safecss_filter_attr(), for trunk
git-svn-id: http://svn.automattic.com/wordpress/trunk@11699 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2009-07-08 09:54:34 +00:00
ryan df5809a0cc Allow class, id, and style on headers. Props matt.
git-svn-id: http://svn.automattic.com/wordpress/trunk@11692 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2009-07-06 14:37:48 +00:00
azaozz e0e697974e Inline CSS filter for kses, for trunk, fixes #10336
git-svn-id: http://svn.automattic.com/wordpress/trunk@11689 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2009-07-04 04:49:39 +00:00
ryan 44777c3352 Revert accidental fxn rename
git-svn-id: http://svn.automattic.com/wordpress/trunk@11212 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2009-05-05 23:32:16 +00:00
markjaquith 6c2ffddf31 _a(), _ea(), _xa(), attr() are now esc_attr__(), esc_attr_e(), esc_attr_x(), esc_attr() -- still short, but less cryptic. see #9650
git-svn-id: http://svn.automattic.com/wordpress/trunk@11204 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2009-05-05 19:43:53 +00:00
ryan 0858d9b0c2 Use preg_replace_callback instead of preg_replace with eval. Props beaulebens. see #8689
git-svn-id: http://svn.automattic.com/wordpress/trunk@10339 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2009-01-09 19:29:35 +00:00
ryan e89192b1a8 Strip trailing whitespace
git-svn-id: http://svn.automattic.com/wordpress/trunk@10150 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2008-12-09 18:03:31 +00:00
westi 3ba1e08741 phpDoc corrections for KSES. Fixes #7550 props jacobsantos.
git-svn-id: http://svn.automattic.com/wordpress/trunk@8837 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2008-09-06 06:53:45 +00:00
ryan 3911137835 Apply kses bad-protocol checks only to URI typed attributes. Props takayukister. fixes #5917 #6888 #6910 #7512
git-svn-id: http://svn.automattic.com/wordpress/trunk@8671 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2008-08-19 18:43:21 +00:00
markjaquith 74c46749cb Cast to array when using foreach(). Props santosj (and thanks for your perseverance!). fixes #2784
git-svn-id: http://svn.automattic.com/wordpress/trunk@8572 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2008-08-06 20:31:54 +00:00
westi 1452266770 Mark kses callbacks as private. Fixes #7363.
git-svn-id: http://svn.automattic.com/wordpress/trunk@8410 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2008-07-23 08:36:15 +00:00
azaozz e13c015e92 kses - don't use create_function in preg_replace_callback. Fixes #7363.
git-svn-id: http://svn.automattic.com/wordpress/trunk@8387 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2008-07-21 05:11:00 +00:00
azaozz 40abfce30c kses - properly escape non-Unicode entities. Fixes #6583. Props schiller.
git-svn-id: http://svn.automattic.com/wordpress/trunk@8386 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2008-07-21 03:21:09 +00:00
azaozz 6c31b19627 Take first attribute and ignore later duplicate attributes. Fixes #6602 for trunk. Props schiller.
git-svn-id: http://svn.automattic.com/wordpress/trunk@8384 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2008-07-21 01:12:49 +00:00
azaozz eb1f1ece79 Prevent adjacent hyphens in a HTML/XML comment. Fixes #6642 for trunk. Props schiller.
git-svn-id: http://svn.automattic.com/wordpress/trunk@8382 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2008-07-21 00:32:43 +00:00
ryan d0e696c185 Allow lang and xml:lang for span. Props MtDewVirus. fixes #7003
git-svn-id: http://svn.automattic.com/wordpress/trunk@7969 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2008-05-20 23:56:28 +00:00
ryan 5f6bc326a4 Better protocol check from Łukasz Pilorz.
git-svn-id: http://svn.automattic.com/wordpress/trunk@7370 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2008-03-18 01:53:36 +00:00
westi 7039083a89 Update the allowed attributes for html list elements. Fixes #6253 props andy and lloydbudd.
git-svn-id: http://svn.automattic.com/wordpress/trunk@7337 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2008-03-16 22:16:27 +00:00
ryan 03170d477f Use preg_replace_callback instead of 'e' modifier. see #5644
git-svn-id: http://svn.automattic.com/wordpress/trunk@7107 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2008-02-29 18:28:32 +00:00
ryan 6fe2cd5873 Use preg_replace_callback instead of 'e' modifier. see #5644
git-svn-id: http://svn.automattic.com/wordpress/trunk@7106 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2008-02-29 17:49:50 +00:00
ryan 0aee557b68 phpdoc for kses from darkdragon. fixes #5641
git-svn-id: http://svn.automattic.com/wordpress/trunk@6630 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2008-01-16 19:15:07 +00:00
ryan 076634d99b Allow more tags in kses. Props lloydbudd. fixes #5617
git-svn-id: http://svn.automattic.com/wordpress/trunk@6617 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2008-01-14 23:56:53 +00:00