Gary Pendergast
e740c695e6
KSES: Allow the `download` attribute on `<a>` tags.
...
To avoid this being a vector for bypassing the filetypes that are allowed to be uploaded, this attribute is only allowed to be added without a value.
Merges [43813] from the 5.0 branch to trunk.
Props kalpshit, arshidkv12, welcher, peterwilsoncc, marina_wp, pento.
Fixes #44724.
Built from https://develop.svn.wordpress.org/trunk@44156
git-svn-id: http://core.svn.wordpress.org/trunk@43986 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-14 03:28:38 +00:00
Gary Pendergast
1947e4424a
KSES: Allow `url()` to be used in inline CSS.
...
The cover image block uses the `url()` function in its inline CSS, to show the cover image. KSES didn't allow this, causing the block to not save correctly for Author and Contributor users. As KSES does already check each attribute name against an allowed list, we're able to add an extra check for certain attributes to be able to use the `url()` function, too.
Merges [43781] from the 5.0 branch to core.
Props peterwilsoncc, azaozz, pento, dd32.
Fixes #45067.
Built from https://develop.svn.wordpress.org/trunk@44136
git-svn-id: http://core.svn.wordpress.org/trunk@43966 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-14 01:41:36 +00:00
Jeremy Felt
32e9dea3ea
KSES: Add selected ARIA attributes support.
...
Allow low-privileged users to use the ARIA attributes `aria-describedby`, `aria-details`, `aria-label`, `aria-labelledby` and `aria-hidden`.
Merges [43731] to trunk.
Props mattheu, swissspidy, rianrietveld, afercia, GaryJ.
See #30421.
Built from https://develop.svn.wordpress.org/trunk@43984
git-svn-id: http://core.svn.wordpress.org/trunk@43816 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-12 03:15:24 +00:00
Jeremy Felt
a0309e80b6
KSES: Allow HTML data-* attributes.
...
Add global support for HTML attributes prefixed `data-` for authors and contributors, as required by the new editor.
Merges [43727] to trunk.
Props azaozz, peterwilsoncc.
Fixes #33121.
Built from https://develop.svn.wordpress.org/trunk@43981
git-svn-id: http://core.svn.wordpress.org/trunk@43813 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-12 02:39:25 +00:00
Gary Pendergast
56c162fbc9
Coding Standards: Upgrade WPCS to 1.0.0
...
WPCS 1.0.0 includes a bunch of new auto-fixers, which drops the number of coding standards issues across WordPress significantly. Prior to running the auto-fixers, there were 15,312 issues detected. With this commit, we now drop to 4,769 issues.
This change includes three notable additions:
- Multiline function calls must now put each parameter on a new line.
- Auto-formatting files is now part of the `grunt precommit` script.
- Auto-fixable coding standards issues will now cause Travis failures.
Fixes #44600.
Built from https://develop.svn.wordpress.org/trunk@43571
git-svn-id: http://core.svn.wordpress.org/trunk@43400 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-08-17 01:51:36 +00:00
John Blackbourn
4ccca7a835
Formatting: Begin the process of improving the docs for KSES related functions.
...
See #33801
Built from https://develop.svn.wordpress.org/trunk@43016
git-svn-id: http://core.svn.wordpress.org/trunk@42845 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-04-28 13:58:21 +00:00
Sergey Biryukov
0e9549d424
Formatting: Permit use of `text-transform` in `safecss_filter_attr()`.
...
Add unit tests for `safecss_filter_attr()`.
Props birgire, juiiee8487, danielbachhuber.
Fixes #42729.
Built from https://develop.svn.wordpress.org/trunk@42880
git-svn-id: http://core.svn.wordpress.org/trunk@42710 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-03-27 00:54:34 +00:00
Sergey Biryukov
8a701e5b3f
Formatting: Avoid a PHP 7.2 warning in `wp_kses_attr()` when one of `$allowedtags` elements is an uncountable value.
...
Props andrei0x309, soulseekah, SergeyBiryukov.
Fixes #43312.
Built from https://develop.svn.wordpress.org/trunk@42860
git-svn-id: http://core.svn.wordpress.org/trunk@42690 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-03-20 21:35:31 +00:00
Sergey Biryukov
5d1e06f939
Docs: Move inline comments in `wp_kses_split2()` before the blocks they apply to.
...
See #42505.
Built from https://develop.svn.wordpress.org/trunk@42712
git-svn-id: http://core.svn.wordpress.org/trunk@42540 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-02-14 11:46:33 +00:00
Gary Pendergast
aaf99e6913
Code is Poetry.
...
WordPress' code just... wasn't.
This is now dealt with.
Props jrf, pento, netweb, GaryJ, jdgrimes, westonruter, Greg Sherwood from PHPCS, and everyone who's ever contributed to WPCS and PHPCS.
Fixes #41057.
Built from https://develop.svn.wordpress.org/trunk@42343
git-svn-id: http://core.svn.wordpress.org/trunk@42172 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-30 23:11:00 +00:00
Gary Pendergast
882db52bdd
General: Add inline PHPCS options to leave regex indentation.
...
We have a handful of super long regexen that are written over multiple lines, as a collection of strings concatenated together. Each string is indented appropriately for the regex, but PHPCS doesn't recognise this, so defaults to removing the extra whitespace.
Disabling the `Squiz.Strings.ConcatenationSpacing.PaddingFound` rule for these blocks stops the extra whitespace from being removed.
See #41057.
Built from https://develop.svn.wordpress.org/trunk@42249
git-svn-id: http://core.svn.wordpress.org/trunk@42078 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-28 04:24:57 +00:00
Gary Pendergast
c90cfa3b50
General: Fix some precision alignment formatting warnings.
...
The WPCS `WordPress.WhiteSpace.PrecisionAlignment` rule throws warnings for a bunch of code that will likely cause issues for `wpcbf`. Fixing these manually beforehand gives us better auto-fixed results later.
See #41057.
Built from https://develop.svn.wordpress.org/trunk@42228
git-svn-id: http://core.svn.wordpress.org/trunk@42057 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-26 23:57:55 +00:00
Drew Jaynes
474711aac1
Docs: Adjust notation for the `$context` parameter in the DocBlocks for the `wp_kses_allowed_html()` function and its associated `wp_kses_allowed_html` filter.
...
`$context|$allowedtags` can be either a string or array.
Props bor0.
Fixes #40575.
Built from https://develop.svn.wordpress.org/trunk@40950
git-svn-id: http://core.svn.wordpress.org/trunk@40800 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-06-25 22:16:40 +00:00
Dominik Schilling
77858f4b92
KSES: Support `'tag' => true` as a shorthand for `'tag' => array()` in `wp_kses_attr()`.
...
`Automatic_Upgrader_Skin::feedback()` had always assumed that this is already the case, now it is.
See #20017.
Fixes #40680.
Built from https://develop.svn.wordpress.org/trunk@40637
git-svn-id: http://core.svn.wordpress.org/trunk@40498 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-11 19:23:43 +00:00
John Blackbourn
d327c92e4b
Docs: Add and correct `@since` docs for a variety of functions and methods.
...
Props keesiemeijer, chris_dev
Fixes #39343, #39357, #39344
See #39130
Built from https://develop.svn.wordpress.org/trunk@39638
git-svn-id: http://core.svn.wordpress.org/trunk@39578 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-12-27 09:21:44 +00:00
Gary Pendergast
456f8015b7
KSES: Deprecate `wp_kses_js_entities()`.
...
This function was originally introduced to fix an XSS attack in Netscape 4, which never affected any other browsers, or later versions of Netscape.
I'm willing to go out on a limb, and say that we've officially dropped security support for Netscape 4.
Props dmsnell, desrosj.
Fixes #33848.
Built from https://develop.svn.wordpress.org/trunk@38785
git-svn-id: http://core.svn.wordpress.org/trunk@38728 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-10-13 22:25:31 +00:00
Aaron Jorbin
dd983343d3
Formatting: Allow KSES custom elements with hyphens
...
The W3C Custom Elements spec (http://www.w3.org/TR/custom-elements/#concepts) allows you to use your own custom DOM elements/tags. One of the main requirements is that the tag name "must contain a U+002D HYPHEN-MINUS character". This adjusts KSES to allow it.
Fixes #34105.
Props batmoo.
Built from https://develop.svn.wordpress.org/trunk@38511
git-svn-id: http://core.svn.wordpress.org/trunk@38452 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-09-02 04:16:28 +00:00
Drew Jaynes
6cc13f0c54
Docs: Fix formatting, tense, verb conjugation, and other syntax for wp-includes/* elements introduced or changed in 4.6.
...
Part 1/2.
See #37318.
Built from https://develop.svn.wordpress.org/trunk@38121
git-svn-id: http://core.svn.wordpress.org/trunk@38062 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-07-20 16:57:32 +00:00
Drew Jaynes
5e467a2774
Docs: Add changelog entries to the hook doc for the `safe_style_css` filter denoting recent CSS attribute additions.
...
* `min-height`, `max-height`, `min-width`, and `max-width` were added in 4.4, see [33739].
* `list-style-type` was added in 4.6, see [37898].
See #35877. See #32246.
Built from https://develop.svn.wordpress.org/trunk@37931
git-svn-id: http://core.svn.wordpress.org/trunk@37872 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-30 17:02:30 +00:00
Jeremy Felt
571f70c60a
KSES: Add `list-style-type` to the list of allowed CSS attributes.
...
Props azaozz.
Fixes #35877.
Built from https://develop.svn.wordpress.org/trunk@37898
git-svn-id: http://core.svn.wordpress.org/trunk@37839 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-28 22:10:31 +00:00
Jeremy Felt
d9d7e5fa63
KSES: Adjust the list of safecss attributes for readability.
...
Props azaozz.
See #35877.
Built from https://develop.svn.wordpress.org/trunk@37897
git-svn-id: http://core.svn.wordpress.org/trunk@37838 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-28 22:06:31 +00:00
Drew Jaynes
d28f1a08ef
Docs: Apply inline `@see` tags to hooks referenced in DocBlocks in a variety of wp-includes/* files.
...
Applying these specially-crafted `@see` tags allows the Code Reference parser to recognize and link these elements as actions and filters.
See #36921.
Built from https://develop.svn.wordpress.org/trunk@37543
git-svn-id: http://core.svn.wordpress.org/trunk@37511 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-23 19:01:27 +00:00
Drew Jaynes
9cb5247392
Docs: Standardize filter docs in remaining wp-includes/* files to use third-person singular verbs per the inline documentation standards for PHP.
...
See #36913.
Built from https://develop.svn.wordpress.org/trunk@37518
git-svn-id: http://core.svn.wordpress.org/trunk@37486 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-22 18:50:28 +00:00
Drew Jaynes
fe3b007fdd
Docs: Remove inline `@see` tags from function, class, and method references in inline docs.
...
Known functions, classes, and methods are now auto-linked in Code Reference pages following #meta1483.
Note: Hook references are still linked via inline `@see` tags due to the unlikelihood of reliably matching for known hooks based on a RegEx pattern.
See #32246.
Built from https://develop.svn.wordpress.org/trunk@37342
git-svn-id: http://core.svn.wordpress.org/trunk@37308 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-02 04:00:28 +00:00
Drew Jaynes
6a94d3e2e3
Docs: Use the correct parameter name in the DocBlock for `wp_kses_post_deep()`, introduced in [36429].
...
Props sebastianpisula.
Fixes #35700. See #35316.
Built from https://develop.svn.wordpress.org/trunk@36489
git-svn-id: http://core.svn.wordpress.org/trunk@36456 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-07 00:18:26 +00:00
Dominik Schilling
cd892b86b4
Media: In `wp_read_image_metadata()` make sure that IPTC keywords are UTF8 encoded.
...
Prevents missing `_wp_attachment_metadata` when an image contains keywords with latin extended characters.
Fixes #35316.
Built from https://develop.svn.wordpress.org/trunk@36429
git-svn-id: http://core.svn.wordpress.org/trunk@36396 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-01 14:53:27 +00:00
John Blackbourn
a5d44337b2
Docs: `@param` fixes for a variety of docblocks.
...
See #32246
Built from https://develop.svn.wordpress.org/trunk@36232
git-svn-id: http://core.svn.wordpress.org/trunk@36199 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-01-09 01:45:26 +00:00
Sergey Biryukov
ae37057114
KSES: Allow the `reversed` attribute for `<ol>`.
...
Props lancewillett.
Fixes #35079.
Built from https://develop.svn.wordpress.org/trunk@35960
git-svn-id: http://core.svn.wordpress.org/trunk@35924 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-16 09:54:26 +00:00
Scott Taylor
55e16aa98a
KSES: have you ever heard of the `<bdo>` HTML tag? Same. http://www.w3schools.com/tags/tag_bdo.asp
...
Adds unit test.
Props iandunn.
Fixes #34063.
Built from https://develop.svn.wordpress.org/trunk@35141
git-svn-id: http://core.svn.wordpress.org/trunk@35106 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-13 17:18:25 +00:00
Scott Taylor
8d27055b0c
Allow these CSS properties in KSES: `min-height`, `max-height`, `min-width`, `max-width`
...
Props MikeHansenMe.
Fixes #31949.
Built from https://develop.svn.wordpress.org/trunk@33739
git-svn-id: http://core.svn.wordpress.org/trunk@33707 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-08-25 21:46:20 +00:00
Gary Pendergast
c3e0ed7e03
Shortcodes: Improve the reliability of shortcodes inside HTML tags.
...
Props miqrogroove.
See #15694.
Built from https://develop.svn.wordpress.org/trunk@33359
git-svn-id: http://core.svn.wordpress.org/trunk@33331 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-07-22 05:15:25 +00:00
Scott Taylor
32dabc1f90
Don't strip `\0` (backslash+zero) from post content for users without "unfiltered_html"
...
Adds unit tests.
Props miqrogroove.
Fixes #28699.
Built from https://develop.svn.wordpress.org/trunk@32860
git-svn-id: http://core.svn.wordpress.org/trunk@32831 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-06-19 18:47:27 +00:00
Scott Taylor
f888767c73
`$status` shouldn't be loosely compared to `true` in `wp_xmlrpc_server::wp_deleteComment()`.
...
`$initial` shouldn't be loosely compared to `true` in `get_calendar()`.
`current_user_can()` shouldn't be loosely compared to `false` in `kses_init()`
`$get_all` shouldn't be loosely compared to `true` in `get_blog_details()`.
`is_array()` and `in_array()` shouldn't be loosely compared in `wpmu_validate_user_signup()`.
`$result` should be strictly compared in `check_ajax_referer()`.
`wp_verify_nonce()` should be strictly compared in `_show_post_preview()`.
`is_user_logged_in()` should not be loosely compared against `false` in `wp-signup.php`.
See #32444.
Built from https://develop.svn.wordpress.org/trunk@32733
git-svn-id: http://core.svn.wordpress.org/trunk@32704 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-06-12 17:48:26 +00:00
Scott Taylor
4b24007353
Add missing doc blocks to `kses.php` - also fix some unfortunate whitespace issues in related funcs.
...
See #32444.
Built from https://develop.svn.wordpress.org/trunk@32603
git-svn-id: http://core.svn.wordpress.org/trunk@32573 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-05-26 18:06:24 +00:00
Scott Taylor
86f29795a4
Add `<s>` to `$allowedtags` in KSES.
...
From https://developer.mozilla.org/en-US/docs/Web/HTML/Element/s:
"The <strike> element, alter ego of the <s> element is obsolete and should not be used on Web sites any more."
`<strike>` shall remain for BC, but `<s>` should not be stripped from the author (et al) role's HTML input.
Props paulschreiber.
Fixes #30954.
Built from https://develop.svn.wordpress.org/trunk@31205
git-svn-id: http://core.svn.wordpress.org/trunk@31186 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-01-16 16:07:23 +00:00
Scott Taylor
fc843ce4d0
There are some random `add_action()` and `add_filter()` calls littered around some files in `wp-includes/`. These should be moved to `wp-includes/default-filters.php` with the rest of the registered hooks. It seems like this was the best practice for a while and then we randomly stopped. This file loads way before any of the includes, so the hooks will be registered for any request that loads WordPress, even `SHORTINIT` - a lot of the hooks registered won't run anyways (that's already the case).
...
See #30947.
Built from https://develop.svn.wordpress.org/trunk@31168
git-svn-id: http://core.svn.wordpress.org/trunk@31149 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-01-12 16:40:23 +00:00
Scott Taylor
4a1ad9acec
Jump statements should not be followed by other statements (there were 5 lingering).
...
See #30799.
Built from https://develop.svn.wordpress.org/trunk@31100
git-svn-id: http://core.svn.wordpress.org/trunk@31081 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-01-08 21:15:22 +00:00
Scott Taylor
ac4e67b82e
Perl-style comments should not be used
...
See #30799.
Built from https://develop.svn.wordpress.org/trunk@31079
git-svn-id: http://core.svn.wordpress.org/trunk@31060 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-01-08 05:52:24 +00:00
Drew Jaynes
ad1ecf88c5
Only backtick-escape individual HTML entities in the DocBlock for `wp_kses_normalize_entities()`.
...
Props TobiasBg.
Fixes #30473.
Built from https://develop.svn.wordpress.org/trunk@30726
git-svn-id: http://core.svn.wordpress.org/trunk@30716 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-12-03 11:47:23 +00:00
Drew Jaynes
3d77f9a816
Remove some now-unnecessary double quotes around HTML entities used in DocBlock comments.
...
See #30473.
Built from https://develop.svn.wordpress.org/trunk@30721
git-svn-id: http://core.svn.wordpress.org/trunk@30711 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-12-03 08:49:23 +00:00
Drew Jaynes
8e5543da53
Backtick-escape three sets of HTML entities used in DocBlock descriptions in wp-includes/kses.php.
...
Without the escaping, the Code Reference/browser may inadvertently attempt to convert and display entities.
Fixes #30473.
Built from https://develop.svn.wordpress.org/trunk@30720
git-svn-id: http://core.svn.wordpress.org/trunk@30710 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-12-03 08:47:22 +00:00
Andrew Nacin
e7614d6c45
Fix typo in style filter. props miqrogroove
...
Built from https://develop.svn.wordpress.org/trunk@30425
git-svn-id: http://core.svn.wordpress.org/trunk@30420 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-11-20 13:15:24 +00:00
Drew Jaynes
f8657d5890
Remove redundant and erroneous `@uses` tag from most core inline documentation.
...
Per our inline documentation standards, no further use of the `@uses` tag is recommended as used and used-by relationships can be derived through other means. This removes most uses of the tag in core documentation, with remaining tags to be converted to `@global` or `@see` as they apply.
Fixes #30191.
Built from https://develop.svn.wordpress.org/trunk@30105
git-svn-id: http://core.svn.wordpress.org/trunk@30105 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-10-30 01:05:24 +00:00
Scott Taylor
2ad420dddf
Add `audio`, `video`, and `track` to `$allowedposttags` (KSES).
...
Props jwenerd, wonderboymusic.
Fixes #29826.
Built from https://develop.svn.wordpress.org/trunk@30064
git-svn-id: http://core.svn.wordpress.org/trunk@30064 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-10-28 19:36:23 +00:00
Andrew Nacin
ae21b1884d
kses: Add colgroup.
...
props collinsinternet.
fixes #29433.
Built from https://develop.svn.wordpress.org/trunk@29740
git-svn-id: http://core.svn.wordpress.org/trunk@29514 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-09-12 05:51:17 +00:00
Sergey Biryukov
788597141a
Make wp_kses_no_null() remove any invalid control characters in a string.
...
props mauteri, miqrogroove.
fixes #28506.
Built from https://develop.svn.wordpress.org/trunk@28942
git-svn-id: http://core.svn.wordpress.org/trunk@28740 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-07-01 18:01:17 +00:00
Scott Taylor
38e39c93ea
In `kses.php`, ensure that `$allowedposttags`, `$allowedtags`, and `$allowedentitynames` are added to the global namespace.
...
Props Jaza613.
Fixes #28582.
Built from https://develop.svn.wordpress.org/trunk@28845
git-svn-id: http://core.svn.wordpress.org/trunk@28649 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-06-26 02:14:15 +00:00
Andrew Nacin
fbbc31f3c5
Inline documentation for hooks in wp-includes/kses.php.
...
props siobhyb, DrewAPicture.
fixes #25800.
Built from https://develop.svn.wordpress.org/trunk@27739
git-svn-id: http://core.svn.wordpress.org/trunk@27576 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-03-26 14:57:15 +00:00
Andrew Nacin
f9fd129f28
Allow XML attributes with colons to be read by kses.
...
The attribute would still need to be whitelisted to get through the filters.
props jorbin.
fixes #17847.
Built from https://develop.svn.wordpress.org/trunk@27707
git-svn-id: http://core.svn.wordpress.org/trunk@27546 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-03-25 12:53:16 +00:00
Andrew Nacin
5fd175300c
Allow the role attribute in kses for all elements.
...
props mikecorkum.
fixes #24098.
Built from https://develop.svn.wordpress.org/trunk@27388
git-svn-id: http://core.svn.wordpress.org/trunk@27236 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-03-04 02:11:16 +00:00