Introduce wp_kses_post() and wp_kses_data() for filtering unescaped data. Fixes slashing of displayed fields. fixes #10949

git-svn-id: http://svn.automattic.com/wordpress/trunk@12125 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2009-10-29 17:15:58 +00:00 · 2009-10-29 17:15:58 +00:00 · 4ec1d4bc32
parent f089f96723
commit 4ec1d4bc32
2 changed files with 40 additions and 4 deletions
--- a/wp-includes/default-filters.php
+++ b/wp-includes/default-filters.php
@ -26,11 +26,16 @@ foreach ( array( 'term_name', 'comment_author_name', 'link_name', 'link_target',
 	add_filter( $filter, '_wp_specialchars', 30 );
 }

-// Kses only for textarea saves and displays
-foreach ( array( 'pre_term_description', 'term_description', 'pre_link_description', 'link_description', 'pre_link_notes', 'link_notes', 'pre_user_description', 'user_description' ) as $filter ) {
+// Kses only for textarea saves
+foreach ( array( 'pre_term_description', 'pre_link_description', 'pre_link_notes', 'pre_user_description' ) as $filter ) {
 	add_filter( $filter, 'wp_filter_kses' );
 }

+// Kses only for textarea saves displays
+foreach ( array( 'term_description', 'link_description', 'link_notes', 'user_description' ) as $filter ) {
+	add_filter( $filter, 'wp_kses_data' );
+}
+
 // Email saves
 foreach ( array( 'pre_comment_author_email', 'pre_user_email' ) as $filter ) {
 	add_filter( $filter, 'trim'           );
--- a/wp-includes/kses.php
+++ b/wp-includes/kses.php
@ -1059,7 +1059,7 @@ function _wp_kses_decode_entities_chr_hexdec( $match ) {
 * @since 1.0.0
 * @uses $allowedtags
 *
- * @param string $data Content to filter
+ * @param string $data Content to filter, expected to be escaped with slashes
 * @return string Filtered content
 */
 function wp_filter_kses($data) {
@ -1067,6 +1067,20 @@ function wp_filter_kses($data) {
 	return addslashes( wp_kses(stripslashes( $data ), $allowedtags) );
 }

+/**
+ * Sanitize content with allowed HTML Kses rules.
+ *
+ * @since 2.9.0
+ * @uses $allowedtags
+ *
+ * @param string $data Content to filter, expected to not be escaped
+ * @return string Filtered content
+ */
+function wp_kses_data($data) {
+	global $allowedtags;
+	return wp_kses( $data , $allowedtags );
+}
+
 /**
 * Sanitize content for allowed HTML tags for post content.
 *
@ -1076,7 +1090,7 @@ function wp_filter_kses($data) {
 * @since 2.0.0
 * @uses $allowedposttags
 *
- * @param string $data Post content to filter
+ * @param string $data Post content to filter, expected to be escaped with slashes
 * @return string Filtered post content with allowed HTML tags and attributes intact.
 */
 function wp_filter_post_kses($data) {
@ -1084,6 +1098,23 @@ function wp_filter_post_kses($data) {
 	return addslashes ( wp_kses(stripslashes( $data ), $allowedposttags) );
 }

+/**
+ * Sanitize content for allowed HTML tags for post content.
+ *
+ * Post content refers to the page contents of the 'post' type and not $_POST
+ * data from forms.
+ *
+ * @since 2.9.0
+ * @uses $allowedposttags
+ *
+ * @param string $data Post content to filter
+ * @return string Filtered post content with allowed HTML tags and attributes intact.
+ */
+function wp_kses_post($data) {
+	global $allowedposttags;
+	return wp_kses( $data , $allowedposttags );
+}
+
 /**
 * Strips all of the HTML in the content.
 *