mirror of
https://github.com/WordPress/WordPress.git
synced 2024-12-22 09:07:59 +01:00
KSES: Deprecate wp_kses_js_entities()
.
This function was originally introduced to fix an XSS attack in Netscape 4, which never affected any other browsers, or later versions of Netscape. I'm willing to go out on a limb, and say that we've officially dropped security support for Netscape 4. Props dmsnell, desrosj. Fixes #33848. Built from https://develop.svn.wordpress.org/trunk@38785 git-svn-id: http://core.svn.wordpress.org/trunk@38728 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
parent
acd764a1d3
commit
456f8015b7
@ -3772,3 +3772,29 @@ function get_paged_template() {
|
||||
|
||||
return get_query_template( 'paged' );
|
||||
}
|
||||
|
||||
/**
|
||||
* Removes the HTML JavaScript entities found in early versions of Netscape 4.
|
||||
*
|
||||
* Previously, this function was pulled in from the original
|
||||
* import of kses and removed a specific vulnerability only
|
||||
* existent in early version of Netscape 4. However, this
|
||||
* vulnerability never affected any other browsers and can
|
||||
* be considered safe for the modern web.
|
||||
*
|
||||
* The regular expression which sanitized this vulnerability
|
||||
* has been removed in consideration of the performance and
|
||||
* energy demands it placed, now merely passing through its
|
||||
* input to the return.
|
||||
*
|
||||
* @since 1.0.0
|
||||
* @deprecated deprecated since 4.7
|
||||
*
|
||||
* @param string $string
|
||||
* @return string
|
||||
*/
|
||||
function wp_kses_js_entities( $string ) {
|
||||
_deprecated_function( __FUNCTION__, '4.7.0' );
|
||||
|
||||
return preg_replace( '%&\s*\{[^}]*(\}\s*;?|$)%', '', $string );
|
||||
}
|
||||
|
@ -527,7 +527,6 @@ function wp_kses( $string, $allowed_html, $allowed_protocols = array() ) {
|
||||
if ( empty( $allowed_protocols ) )
|
||||
$allowed_protocols = wp_allowed_protocols();
|
||||
$string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
|
||||
$string = wp_kses_js_entities($string);
|
||||
$string = wp_kses_normalize_entities($string);
|
||||
$string = wp_kses_hook($string, $allowed_html, $allowed_protocols); // WP changed the order of these funcs and added args to wp_kses_hook
|
||||
return wp_kses_split($string, $allowed_html, $allowed_protocols);
|
||||
@ -550,7 +549,6 @@ function wp_kses_one_attr( $string, $element ) {
|
||||
$allowed_html = wp_kses_allowed_html( 'post' );
|
||||
$allowed_protocols = wp_allowed_protocols();
|
||||
$string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
|
||||
$string = wp_kses_js_entities( $string );
|
||||
|
||||
// Preserve leading and trailing whitespace.
|
||||
$matches = array();
|
||||
@ -1295,18 +1293,6 @@ function wp_kses_array_lc($inarray) {
|
||||
return $outarray;
|
||||
}
|
||||
|
||||
/**
|
||||
* Removes the HTML JavaScript entities found in early versions of Netscape 4.
|
||||
*
|
||||
* @since 1.0.0
|
||||
*
|
||||
* @param string $string
|
||||
* @return string
|
||||
*/
|
||||
function wp_kses_js_entities($string) {
|
||||
return preg_replace('%&\s*\{[^}]*(\}\s*;?|$)%', '', $string);
|
||||
}
|
||||
|
||||
/**
|
||||
* Handles parsing errors in wp_kses_hair().
|
||||
*
|
||||
|
@ -4,7 +4,7 @@
|
||||
*
|
||||
* @global string $wp_version
|
||||
*/
|
||||
$wp_version = '4.7-alpha-38784';
|
||||
$wp_version = '4.7-alpha-38785';
|
||||
|
||||
/**
|
||||
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
|
||||
|
Loading…
Reference in New Issue
Block a user