KSES: Allow the download attribute on <a> tags.

To avoid this being a vector for bypassing the filetypes that are allowed to be uploaded, this attribute is only allowed to be added without a value. Props kalpshit, arshidkv12, welcher, peterwilsoncc, marina_wp, pento. See #44724. Built from https://develop.svn.wordpress.org/branches/5.0@43813 git-svn-id: http://core.svn.wordpress.org/branches/5.0@43642 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2024-11-04 18:01:42 +01:00 · 2018-10-24 01:19:39 +00:00 · 2018-10-24 01:19:39 +00:00 · 722f25cd97
commit 722f25cd97
parent 23984141ce
2 changed files with 4 additions and 1 deletions
--- a/wp-includes/kses.php
+++ b/wp-includes/kses.php
@ -66,6 +66,9 @@ if ( ! CUSTOM_TAGS ) {
 			'rev' => true,
 			'name' => true,
 			'target' => true,
+			'download' => array(
+				'valueless' => 'y',
+			),
 		),
 		'abbr' => array(),
 		'acronym' => array(),
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '5.0-alpha-43812';
+$wp_version = '5.0-alpha-43813';

 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.