Upstream/WordPress
1
0
Fork 0
mirror of https://github.com/WordPress/WordPress.git synced 2024-11-13 06:07:23 +01:00
Code Issues Projects Releases Wiki Activity

KSES: Conditionally remove the <form> element from $allowedposttags.

Browse Source 
To avoid backwards compatibility issues, `<form>` is re-added if a custom filter has added the `<input>` or `<select>` elements to `$allowedposttags`.

Merges [43994] to the 3.9 branch.


Built from https://develop.svn.wordpress.org/branches/3.9@44016


git-svn-id: http://core.svn.wordpress.org/branches/3.9@43846 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Gary Pendergast 2018-12-12 23:58:11 +00:00
parent 7fd3a9f5f7
commit 006095dd57
1 changed files with 22 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
wp-includes/kses.php
View File

@ -160,15 +160,6 @@ if ( ! CUSTOM_TAGS ) {
'lang' => true, 'lang' => true,
'xml:lang' => true, 'xml:lang' => true,
), ),
'form' => array(
'action' => true,
'accept' => true,
'accept-charset' => true,
'enctype' => true,
'method' => true,
'name' => true,
'target' => true,
),
'h1' => array( 'h1' => array(
'align' => true, 'align' => true,
), ),
@ -569,6 +560,7 @@ function wp_kses_one_attr( $string, $element ) {
* Return a list of allowed tags and attributes for a given context. * Return a list of allowed tags and attributes for a given context.
* *
* @since 3.5.0 * @since 3.5.0
* @since 5.0.1 `form` removed as allowable HTML tag.
* *
* @param string $context The context for which to retrieve tags. Allowed values are * @param string $context The context for which to retrieve tags. Allowed values are
* post | strip | data | entities or the name of a field filter such as pre_user_description. * post | strip | data | entities or the name of a field filter such as pre_user_description.
@ -593,8 +585,27 @@ function wp_kses_allowed_html( $context = '' ) {
switch ( $context ) { switch ( $context ) {
case 'post': case 'post':
/** This filter is documented in wp-includes/kses.php */ /** This filter is documented in wp-includes/kses.php */
return apply_filters( 'wp_kses_allowed_html', $allowedposttags, $context ); $tags = apply_filters( 'wp_kses_allowed_html', $allowedposttags, $context );
break;
// 5.0.1 removed the `<form>` tag, allow it if a filter is allowing it's sub-elements `<input>` or `<select>`.
if ( ! CUSTOM_TAGS && ! isset( $tags['form'] ) && ( isset( $tags['input'] ) || isset( $tags['select'] ) ) ) {
$tags = $allowedposttags;
$tags['form'] = array(
'action' => true,
'accept' => true,
'accept-charset' => true,
'enctype' => true,
'method' => true,
'name' => true,
'target' => true,
);
/** This filter is documented in wp-includes/kses.php */
$tags = apply_filters( 'wp_kses_allowed_html', $tags, $context );
}
return $tags;
case 'user_description': case 'user_description':
case 'pre_user_description': case 'pre_user_description':
$tags = $allowedtags; $tags = $allowedtags;