From 80eab318ebde0cadb58304b05133035010d4105a Mon Sep 17 00:00:00 2001 From: whyisjake Date: Thu, 12 Dec 2019 17:54:02 +0000 Subject: [PATCH] Prevent stored XSS through wp_targeted_link_rel(). Props: vortfu, whyisjake, peterwilsoncc, xknown, SergeyBiryukov, flaviozavan. Built from https://develop.svn.wordpress.org/trunk@46894 git-svn-id: http://core.svn.wordpress.org/trunk@46694 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-includes/formatting.php | 71 ++++++++++++++++++++++---------------- wp-includes/version.php | 2 +- 2 files changed, 42 insertions(+), 31 deletions(-) diff --git a/wp-includes/formatting.php b/wp-includes/formatting.php index 8e600f278b..965fcde2cc 100644 --- a/wp-includes/formatting.php +++ b/wp-includes/formatting.php @@ -3148,9 +3148,25 @@ function wp_rel_ugc( $text ) { */ function wp_targeted_link_rel( $text ) { // Don't run (more expensive) regex if no links with targets. - if ( stripos( $text, 'target' ) !== false && stripos( $text, ']*target\s*=[^>]*)>|i', 'wp_targeted_link_rel_callback', $text ); + if ( stripos( $text, 'target' ) === false || stripos( $text, ']*target\s*=[^>]*)>|i', 'wp_targeted_link_rel_callback', $part ); + } + + $text = ''; + for ( $i = 0; $i < count( $html_parts ); $i++ ) { + $text .= $html_parts[ $i ]; + if ( isset( $extra_parts[ $i ] ) ) { + $text .= $extra_parts[ $i ]; } } @@ -3169,8 +3185,17 @@ function wp_targeted_link_rel( $text ) { * @return string HTML A Element with rel noreferrer noopener in addition to any existing values */ function wp_targeted_link_rel_callback( $matches ) { - $link_html = $matches[1]; - $rel_match = array(); + $link_html = $matches[1]; + $original_link_html = $link_html; + + // Consider the html escaped if there are no unescaped quotes + $is_escaped = ! preg_match( '/(^|[^\\\\])[\'"]/', $link_html ); + if ( $is_escaped ) { + // Replace only the quotes so that they are parsable by wp_kses_hair, leave the rest as is + $link_html = preg_replace( '/\\\\([\'"])/', '$1', $link_html ); + } + + $atts = wp_kses_hair( $link_html, wp_allowed_protocols() ); /** * Filters the rel values that are added to links with `target` attribute. @@ -3182,35 +3207,21 @@ function wp_targeted_link_rel_callback( $matches ) { */ $rel = apply_filters( 'wp_targeted_link_rel', 'noopener noreferrer', $link_html ); - // Avoid additional regex if the filter removes rel values. - if ( ! $rel ) { - return ""; + // Return early if no rel values to be added or if no actual target attribute + if ( ! $rel || ! isset( $atts['target'] ) ) { + return ""; } - // Value with delimiters, spaces around are optional. - $attr_regex = '|rel\s*=\s*?(\\\\{0,1}["\'])(.*?)\\1|i'; - preg_match( $attr_regex, $link_html, $rel_match ); - - if ( empty( $rel_match[0] ) ) { - // No delimiters, try with a single value and spaces, because `rel = va"lue` is totally fine... - $attr_regex = '|rel\s*=(\s*)([^\s]*)|i'; - preg_match( $attr_regex, $link_html, $rel_match ); + if ( isset( $atts['rel'] ) ) { + $all_parts = preg_split( '/\s/', "{$atts['rel']['value']} $rel", -1, PREG_SPLIT_NO_EMPTY ); + $rel = implode( ' ', array_unique( $all_parts ) ); } - if ( ! empty( $rel_match[0] ) ) { - $parts = preg_split( '|\s+|', strtolower( $rel_match[2] ) ); - $parts = array_map( 'esc_attr', $parts ); - $needed = explode( ' ', $rel ); - $parts = array_unique( array_merge( $parts, $needed ) ); - $delimiter = trim( $rel_match[1] ) ? $rel_match[1] : '"'; - $rel = 'rel=' . $delimiter . trim( implode( ' ', $parts ) ) . $delimiter; - $link_html = str_replace( $rel_match[0], $rel, $link_html ); - } elseif ( preg_match( '|target\s*=\s*?\\\\"|', $link_html ) ) { - $link_html .= " rel=\\\"$rel\\\""; - } elseif ( preg_match( '#(target|href)\s*=\s*?\'#', $link_html ) ) { - $link_html .= " rel='$rel'"; - } else { - $link_html .= " rel=\"$rel\""; + $atts['rel']['whole'] = 'rel="' . esc_attr( $rel ) . '"'; + $link_html = join( ' ', array_column( $atts, 'whole' ) ); + + if ( $is_escaped ) { + $link_html = preg_replace( '/[\'"]/', '\\\\$0', $link_html ); } return ""; diff --git a/wp-includes/version.php b/wp-includes/version.php index 04ab729850..a4e8f5ffa8 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -13,7 +13,7 @@ * * @global string $wp_version */ -$wp_version = '5.4-alpha-46893'; +$wp_version = '5.4-alpha-46894'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.