From 32dabc1f9099fa2bf52922ae22d887cc4da3e96b Mon Sep 17 00:00:00 2001
From: Scott Taylor
Date: Fri, 19 Jun 2015 18:47:27 +0000
Subject: [PATCH] Don't strip `\0` (backslash+zero) from post content for users without "unfiltered_html" Adds unit tests. Props miqrogroove. Fixes #28699. Built from https://develop.svn.wordpress.org/trunk@32860 git-svn-id: http://core.svn.wordpress.org/trunk@32831 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/kses.php | 15 +++++++++++----
 wp-includes/version.php | 2 +-
 2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/wp-includes/kses.php b/wp-includes/kses.php
index 637fac4627..7fa383779c 100644
--- a/wp-includes/kses.php
+++ b/wp-includes/kses.php
@@ -521,7 +521,7 @@ if ( ! CUSTOM_TAGS ) {
 function wp_kses( $string, $allowed_html, $allowed_protocols = array() ) {
 if ( empty( $allowed_protocols ) )
 $allowed_protocols = wp_allowed_protocols();
- $string = wp_kses_no_null($string);
+ $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
 $string = wp_kses_js_entities($string);
 $string = wp_kses_normalize_entities($string);
 $string = wp_kses_hook($string, $allowed_html, $allowed_protocols); // WP changed the order of these funcs and added args to wp_kses_hook
@@ -1044,11 +1044,18 @@ function wp_kses_bad_protocol($string, $allowed_protocols) {
 * @since 1.0.0
 *
 * @param string $string
+ * @param array $options Set 'slash_zero' => 'keep' when '\0' is allowed. Default is 'remove'.
 * @return string
 */
-function wp_kses_no_null($string) {
- $string = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $string);
- $string = preg_replace('/(\\\\0)+/', '', $string);
+function wp_kses_no_null( $string, $options = null ) {
+ if ( ! isset( $options['slash_zero'] ) ) {
+ $options = array( 'slash_zero' => 'remove' );
+ }
+
+ $string = preg_replace( '/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $string );
+ if ( 'remove' == $options['slash_zero'] ) {
+ $string = preg_replace( '/\\\\+0+/', '', $string );
+ }
 return $string;
 }
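Review bot: The `'slash_zero' => 'keep'` argument on the `wp_kses_no_null()` call in `wp_kses()` applies to every caller of `wp_kses()`, not only the post-content case named in the commit title, and nothing at the call site records why retaining `\0` is acceptable there. A one-line comment would capture the reasoning, for example `// Literal "\0" is ordinary text here; control characters are still stripped by wp_kses_no_null().` Whether later stages of the pipeline strip `\0` again inside attribute or URL values cannot be confirmed from this hunk, so that is worth verifying and stating in the same comment. The body of `wp_kses()` continues past the end of the hunk.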
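Review bot: The test `'remove' == $options['slash_zero']` in `wp_kses_no_null()` fails open: any value other than 'remove', such as a typo like 'Remove' or an option name added later, silently leaves `\0` sequences in the output. For a sanitizer the safer shape is to strip unless the caller explicitly opts out, using a strict comparison: `if ( 'keep' !== $options['slash_zero'] ) {`. The `isset()` branch that fills the default also replaces the whole `$options` array, which would discard other keys if more options are introduced. The new `@param` line could additionally say that `/\\\\+0+/` removes runs of backslashes followed by runs of zeros, which is broader than the previous `/(\\\\0)+/`.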
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 7b2204a5fa..80d3198748 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '4.3-alpha-32859';
+$wp_version = '4.3-alpha-32860';
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.