Upstream
/
WordPress
mirror of https://github.com/WordPress/WordPress.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Update `wp_kses_bad_protocol()` to recognize `:` on uri attributes, 

`wp_kses_bad_protocol()` makes sure to validate that uri attributes don’t contain invalid/or not allowed protocols. While this works fine in most cases, there’s a risk that by using the colon html5 named entity, one is able to bypass this function.

Brings r46895 to the 4.6 branch.

Props: xknown, nickdaugherty, peterwilsoncc.
Built from https://develop.svn.wordpress.org/branches/4.6@46914


git-svn-id: http://core.svn.wordpress.org/branches/4.6@46714 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Sergey Biryukov 2019-12-12 18:46:23 +00:00
parent 251c570d28
commit 138f753da7
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
wp-includes/kses.php
View File

@ -1398,7 +1398,7 @@ function wp_kses_html_error($string) {
*/
function wp_kses_bad_protocol_once($string, $allowed_protocols, $count = 1 ) {
$string = preg_replace( '/(&#0*58(?![;0-9])|&#x0*3a(?![;a-f0-9]))/i', '$1;', $string );
$string2 = preg_split( '/:|&#0*58;|&#x0*3a;/i', $string, 2 );
$string2 = preg_split( '/:|&#0*58;|&#x0*3a;|:/i', $string, 2 );
if ( isset($string2[1]) && ! preg_match('%/\?%', $string2[0]) ) {
$string = trim( $string2[1] );
$protocol = wp_kses_bad_protocol_once2( $string2[0], $allowed_protocols );