Commit Graph

152 Commits

Author SHA1 Message Date
iandunn
6ae36b3cfd KSES: Correct @since tags for wp_kses_uri_attributes.
r44014 introduced the `wp_kses_uri_attributes` function and filter, but incorrectly used `4.9.9` instead of `5.0.1`.

Built from https://develop.svn.wordpress.org/branches/5.0@44017


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43847 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-13 00:00:46 +00:00
iandunn
fb3c6ea061 KSES: Make the URI attributes DRY.
This commit introduces the `wp_kses_uri_attributes` function and filter. The function centralizes the list of attributes, in order to prevent inconsistency, and the filter provides a way for plugins to customize the attributes.

Built from https://develop.svn.wordpress.org/branches/5.0@44014


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43844 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-12 23:53:45 +00:00
Gary Pendergast
d82b02eb33 KSES: Conditionally remove the <form> element from $allowedposttags.
To avoid backwards compatibility issues, `<form>` is re-added if a custom filter has added the `<input>` or `<select>` elements to `$allowedposttags`.


Built from https://develop.svn.wordpress.org/branches/5.0@43994


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43826 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-12 23:12:45 +00:00
Gary Pendergast
722f25cd97 KSES: Allow the download attribute on <a> tags.
To avoid this being a vector for bypassing the filetypes that are allowed to be uploaded, this attribute is only allowed to be added without a value.

Props kalpshit, arshidkv12, welcher, peterwilsoncc, marina_wp, pento.
See #44724.


Built from https://develop.svn.wordpress.org/branches/5.0@43813


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43642 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-24 01:19:39 +00:00
Gary Pendergast
5d58c6dc66 KSES: Allow url() to be used in inline CSS.
The cover image block uses the `url()` function in its inline CSS, to show the cover image. KSES didn't allow this, causing the block to not save correctly for Author and Contributor users. As KSES does already check each attribute name against an allowed list, we're able to add an extra check for certain attributes to be able to use the `url()` function, too.

Props peterwilsoncc, azaozz, pento, dd32.
See #45067.


Built from https://develop.svn.wordpress.org/branches/5.0@43781


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43610 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-22 04:04:41 +00:00
Peter Wilson
f7ace6f1b2 KSES: Add selected ARIA attributes support.
Allow low-privileged users to use the ARIA attributes `aria-describedby`, `aria-details`, `aria-label`, `aria-labelledby` and `aria-hidden`.

Props mattheu, swissspidy, rianrietveld, afercia, GaryJ.
See #30421.

Built from https://develop.svn.wordpress.org/branches/5.0@43731


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43560 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-15 23:44:26 +00:00
Peter Wilson
4b3d92a0db KSES: Allow HTML data-* attributes.
Add global support for HTML attributes prefixed `data-` for authors and contributors, as required by the new editor.

Props azaozz, peterwilsoncc.
Fixes #33121.

Built from https://develop.svn.wordpress.org/branches/5.0@43727


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43556 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-15 05:22:25 +00:00
Sergey Biryukov
8fae65141a Formatting: Avoid a PHP 7.2 warning in wp_kses_attr() when one of $allowedtags elements is an uncountable value.
Props andrei0x309, soulseekah, SergeyBiryukov.
Merges [42860] to the 4.9 branch.
Fixes #43312.
Built from https://develop.svn.wordpress.org/branches/4.9@42861


git-svn-id: http://core.svn.wordpress.org/branches/4.9@42691 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-03-20 21:37:41 +00:00
Drew Jaynes
474711aac1 Docs: Adjust notation for the $context parameter in the DocBlocks for the wp_kses_allowed_html() function and its associated wp_kses_allowed_html filter.
`$context|$allowedtags` can be either a string or array.

Props bor0.
Fixes #40575.

Built from https://develop.svn.wordpress.org/trunk@40950


git-svn-id: http://core.svn.wordpress.org/trunk@40800 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-06-25 22:16:40 +00:00
Dominik Schilling
77858f4b92 KSES: Support 'tag' => true as a shorthand for 'tag' => array() in wp_kses_attr().
`Automatic_Upgrader_Skin::feedback()` had always assumed that this is already the case, now it is.

See #20017.
Fixes #40680.
Built from https://develop.svn.wordpress.org/trunk@40637


git-svn-id: http://core.svn.wordpress.org/trunk@40498 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-11 19:23:43 +00:00
John Blackbourn
d327c92e4b Docs: Add and correct @since docs for a variety of functions and methods.
Props keesiemeijer, chris_dev
Fixes #39343, #39357, #39344
See #39130

Built from https://develop.svn.wordpress.org/trunk@39638


git-svn-id: http://core.svn.wordpress.org/trunk@39578 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-12-27 09:21:44 +00:00
Gary Pendergast
456f8015b7 KSES: Deprecate wp_kses_js_entities().
This function was originally introduced to fix an XSS attack in Netscape 4, which never affected any other browsers, or later versions of Netscape.

I'm willing to go out on a limb, and say that we've officially dropped security support for Netscape 4.

Props dmsnell, desrosj.
Fixes #33848.


Built from https://develop.svn.wordpress.org/trunk@38785


git-svn-id: http://core.svn.wordpress.org/trunk@38728 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-10-13 22:25:31 +00:00
Aaron Jorbin
dd983343d3 Formatting: Allow KSES custom elements with hyphens
The W3C Custom Elements spec (http://www.w3.org/TR/custom-elements/#concepts) allows you to use your own custom DOM elements/tags. One of the main requirements is that the tag name "must contain a U+002D HYPHEN-MINUS character". This adjusts KSES to allow it.

Fixes #34105.
Props batmoo.


Built from https://develop.svn.wordpress.org/trunk@38511


git-svn-id: http://core.svn.wordpress.org/trunk@38452 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-09-02 04:16:28 +00:00
Drew Jaynes
6cc13f0c54 Docs: Fix formatting, tense, verb conjugation, and other syntax for wp-includes/* elements introduced or changed in 4.6.
Part 1/2.

See #37318.

Built from https://develop.svn.wordpress.org/trunk@38121


git-svn-id: http://core.svn.wordpress.org/trunk@38062 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-07-20 16:57:32 +00:00
Drew Jaynes
5e467a2774 Docs: Add changelog entries to the hook doc for the safe_style_css filter denoting recent CSS attribute additions.
* `min-height`, `max-height`, `min-width`, and `max-width` were added in 4.4, see [33739].
* `list-style-type` was added in 4.6, see [37898].

See #35877. See #32246.

Built from https://develop.svn.wordpress.org/trunk@37931


git-svn-id: http://core.svn.wordpress.org/trunk@37872 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-30 17:02:30 +00:00
Jeremy Felt
571f70c60a KSES: Add list-style-type to the list of allowed CSS attributes.
Props azaozz.
Fixes #35877.

Built from https://develop.svn.wordpress.org/trunk@37898


git-svn-id: http://core.svn.wordpress.org/trunk@37839 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-28 22:10:31 +00:00
Jeremy Felt
d9d7e5fa63 KSES: Adjust the list of safecss attributes for readability.
Props azaozz.
See #35877.

Built from https://develop.svn.wordpress.org/trunk@37897


git-svn-id: http://core.svn.wordpress.org/trunk@37838 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-28 22:06:31 +00:00
Drew Jaynes
d28f1a08ef Docs: Apply inline @see tags to hooks referenced in DocBlocks in a variety of wp-includes/* files.
Applying these specially-crafted `@see` tags allows the Code Reference parser to recognize and link these elements as actions and filters.

See #36921.

Built from https://develop.svn.wordpress.org/trunk@37543


git-svn-id: http://core.svn.wordpress.org/trunk@37511 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-23 19:01:27 +00:00
Drew Jaynes
9cb5247392 Docs: Standardize filter docs in remaining wp-includes/* files to use third-person singular verbs per the inline documentation standards for PHP.
See #36913.

Built from https://develop.svn.wordpress.org/trunk@37518


git-svn-id: http://core.svn.wordpress.org/trunk@37486 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-22 18:50:28 +00:00
Drew Jaynes
fe3b007fdd Docs: Remove inline @see tags from function, class, and method references in inline docs.
Known functions, classes, and methods are now auto-linked in Code Reference pages following #meta1483.

Note: Hook references are still linked via inline `@see` tags due to the unlikelihood of reliably matching for known hooks based on a RegEx pattern.

See #32246.

Built from https://develop.svn.wordpress.org/trunk@37342


git-svn-id: http://core.svn.wordpress.org/trunk@37308 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-02 04:00:28 +00:00
Drew Jaynes
6a94d3e2e3 Docs: Use the correct parameter name in the DocBlock for wp_kses_post_deep(), introduced in [36429].
Props sebastianpisula.
Fixes #35700. See #35316.

Built from https://develop.svn.wordpress.org/trunk@36489


git-svn-id: http://core.svn.wordpress.org/trunk@36456 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-07 00:18:26 +00:00
Dominik Schilling
cd892b86b4 Media: In wp_read_image_metadata() make sure that IPTC keywords are UTF8 encoded.
Prevents missing `_wp_attachment_metadata` when an image contains keywords with latin extended characters.

Fixes #35316.
Built from https://develop.svn.wordpress.org/trunk@36429


git-svn-id: http://core.svn.wordpress.org/trunk@36396 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-01 14:53:27 +00:00
John Blackbourn
a5d44337b2 Docs: @param fixes for a variety of docblocks.
See #32246

Built from https://develop.svn.wordpress.org/trunk@36232


git-svn-id: http://core.svn.wordpress.org/trunk@36199 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-01-09 01:45:26 +00:00
Sergey Biryukov
ae37057114 KSES: Allow the reversed attribute for <ol>.
Props lancewillett.
Fixes #35079.
Built from https://develop.svn.wordpress.org/trunk@35960


git-svn-id: http://core.svn.wordpress.org/trunk@35924 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-16 09:54:26 +00:00
Scott Taylor
55e16aa98a KSES: have you ever heard of the <bdo> HTML tag? Same. http://www.w3schools.com/tags/tag_bdo.asp
Adds unit test.

Props iandunn.
Fixes #34063.

Built from https://develop.svn.wordpress.org/trunk@35141


git-svn-id: http://core.svn.wordpress.org/trunk@35106 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-13 17:18:25 +00:00
Scott Taylor
8d27055b0c Allow these CSS properties in KSES: min-height', 'max-height', 'min-width', 'max-width'
Props MikeHansenMe.
Fixes #31949.

Built from https://develop.svn.wordpress.org/trunk@33739


git-svn-id: http://core.svn.wordpress.org/trunk@33707 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-08-25 21:46:20 +00:00
Gary Pendergast
c3e0ed7e03 Shortcodes: Improve the reliablity of shortcodes inside HTML tags.
Props miqrogroove.

See #15694.


Built from https://develop.svn.wordpress.org/trunk@33359


git-svn-id: http://core.svn.wordpress.org/trunk@33331 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-07-22 05:15:25 +00:00
Scott Taylor
32dabc1f90 Don't strip \0 (backslash+zero) from post content for users without "unfiltered_html"
Adds unit tests.

Props miqrogroove.
Fixes #28699.

Built from https://develop.svn.wordpress.org/trunk@32860


git-svn-id: http://core.svn.wordpress.org/trunk@32831 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-06-19 18:47:27 +00:00
Scott Taylor
f888767c73 $status shouldn't be loosely compared to true in wp_xmlrpc_server::wp_deleteComment().
`$initial` shouldn't be loosely compared to `true` in `get_calendar()`.
`current_user_can()` shouldn't be loosely compared to `false` in `kses_init()`
`$get_all` shouldn't be loosely compared to `true` in `get_blog_details()`.
`is_array()` and `in_array()` shouldn't be loosely compared in `wpmu_validate_user_signup()`.
`$result` should by strictly compared in `check_ajax_referer()`.
`wp_verify_nonce()` should by strictly compared in `_show_post_preview()`.
`is_user_logged_in()` should not be loosly compared against `false` in `wp-signup.php`.

See #32444.

Built from https://develop.svn.wordpress.org/trunk@32733


git-svn-id: http://core.svn.wordpress.org/trunk@32704 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-06-12 17:48:26 +00:00
Scott Taylor
4b24007353 Add missing doc blocks to kses.php - also fix some unfortunate whitespace issues in related funcs.
See #32444.

Built from https://develop.svn.wordpress.org/trunk@32603


git-svn-id: http://core.svn.wordpress.org/trunk@32573 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-05-26 18:06:24 +00:00
Scott Taylor
86f29795a4 Add <s> to $allowedtags in KSES.
From https://developer.mozilla.org/en-US/docs/Web/HTML/Element/s :
"The <strike> element, alter ego of the <s> element is obsolete and should not be used on Web sites any more."

`<strike>` shall remain for BC, but `<s>` should not be stripped from the author (et al) role's HTML input.

Props paulschreiber.
Fixes #30954.

Built from https://develop.svn.wordpress.org/trunk@31205


git-svn-id: http://core.svn.wordpress.org/trunk@31186 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-01-16 16:07:23 +00:00
Scott Taylor
fc843ce4d0 There are some random add_action() and add_filter() calls littered around some files in wp-includes/. These should be moved to wp-includes/default-filters.php with the rest of the registered hooks. It seems like this was the best practice for awhile and then we randomly stopped. This file loads way before any of the includes, so the hooks will be registered for any request that loads WordPress, even SHORTINIT - a lot of the hooks registered won't run anyways (that's already the case).
See #30947.

Built from https://develop.svn.wordpress.org/trunk@31168


git-svn-id: http://core.svn.wordpress.org/trunk@31149 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-01-12 16:40:23 +00:00
Scott Taylor
4a1ad9acec Jump statements should not be followed by other statements (there were 5 lingering).
See #30799.

Built from https://develop.svn.wordpress.org/trunk@31100


git-svn-id: http://core.svn.wordpress.org/trunk@31081 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-01-08 21:15:22 +00:00
Scott Taylor
ac4e67b82e Perl-style comments should not be used
See #30799.

Built from https://develop.svn.wordpress.org/trunk@31079


git-svn-id: http://core.svn.wordpress.org/trunk@31060 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-01-08 05:52:24 +00:00
Drew Jaynes
ad1ecf88c5 Only backtick-escape individual HTML entities in the DocBlock for wp_kses_normalize_entities().
Props TobiasBg.
Fixes #30473.

Built from https://develop.svn.wordpress.org/trunk@30726


git-svn-id: http://core.svn.wordpress.org/trunk@30716 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-12-03 11:47:23 +00:00
Drew Jaynes
3d77f9a816 Remove some now-unnecessary double quotes around HTML entities used in DocBlock comments.
See #30473.

Built from https://develop.svn.wordpress.org/trunk@30721


git-svn-id: http://core.svn.wordpress.org/trunk@30711 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-12-03 08:49:23 +00:00
Drew Jaynes
8e5543da53 Backtick-escape three sets of HTML entities used in DocBlock descriptions in wp-includes/kses.php.
Without the escaping, the Code Reference/browser may inadvertently attempt to convert and display entities.

Fixes #30473.

Built from https://develop.svn.wordpress.org/trunk@30720


git-svn-id: http://core.svn.wordpress.org/trunk@30710 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-12-03 08:47:22 +00:00
Andrew Nacin
e7614d6c45 Fix typo in style filter. props miqrogroove
Built from https://develop.svn.wordpress.org/trunk@30425


git-svn-id: http://core.svn.wordpress.org/trunk@30420 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-11-20 13:15:24 +00:00
Drew Jaynes
f8657d5890 Remove redundant and erroneous @uses tag from most core inline documentation.
Per our inline documentation standards, no further use of the `@uses` tag is recommended as used and used-by relationships can be derived through other means. This removes most uses of the tag in core documentation, with remaining tags to be converted to `@global` or `@see` as they apply.

Fixes #30191.

Built from https://develop.svn.wordpress.org/trunk@30105


git-svn-id: http://core.svn.wordpress.org/trunk@30105 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-10-30 01:05:24 +00:00
Scott Taylor
2ad420dddf Add audio, video, and track to $allowedposttags (KSES).
Props jwenerd, wonderboymusic. 
Fixes #29826.

Built from https://develop.svn.wordpress.org/trunk@30064


git-svn-id: http://core.svn.wordpress.org/trunk@30064 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-10-28 19:36:23 +00:00
Andrew Nacin
ae21b1884d kses: Add colgroup.
props collinsinternet.
fixes #29433.

Built from https://develop.svn.wordpress.org/trunk@29740


git-svn-id: http://core.svn.wordpress.org/trunk@29514 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-09-12 05:51:17 +00:00
Sergey Biryukov
788597141a Make wp_kses_no_null() remove any invalid control characters in a string.
props mauteri, miqrogroove.
fixes #28506.
Built from https://develop.svn.wordpress.org/trunk@28942


git-svn-id: http://core.svn.wordpress.org/trunk@28740 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-07-01 18:01:17 +00:00
Scott Taylor
38e39c93ea In kses.php, ensure that $allowedposttags, $allowedtags, and $allowedentitynames are added to the global namespace.
Props Jaza613.
Fixes #28582.


Built from https://develop.svn.wordpress.org/trunk@28845


git-svn-id: http://core.svn.wordpress.org/trunk@28649 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-06-26 02:14:15 +00:00
Andrew Nacin
fbbc31f3c5 Inline documentation for hooks in wp-includes/kses.php.
props siobhyb, DrewAPicture.
fixes #25800.

Built from https://develop.svn.wordpress.org/trunk@27739


git-svn-id: http://core.svn.wordpress.org/trunk@27576 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-03-26 14:57:15 +00:00
Andrew Nacin
f9fd129f28 Allow XML attributes with colons to be read by kses.
The attribute would still need to be whitelisted to get through the filters.

props jorbin.
fixes #17847.

Built from https://develop.svn.wordpress.org/trunk@27707


git-svn-id: http://core.svn.wordpress.org/trunk@27546 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-03-25 12:53:16 +00:00
Andrew Nacin
5fd175300c Allow the role attribute in kses for all elements.
props mikecorkum.
fixes #24098.

Built from https://develop.svn.wordpress.org/trunk@27388


git-svn-id: http://core.svn.wordpress.org/trunk@27236 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-03-04 02:11:16 +00:00
Andrew Nacin
8ec592f244 Add dfn, mark, and samp to kses.
props kraftbj.
fixes #24950.

Built from https://develop.svn.wordpress.org/trunk@26973


git-svn-id: http://core.svn.wordpress.org/trunk@26852 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-01-17 08:38:09 +00:00
Peter Westwood
e1e79ddf64 KSES: Extend support in wp_kses_normalize_entities to named entities with up to two numbers on the end of the name so as to support a wider list of valid entities.
Fixes â#26290

Built from https://develop.svn.wordpress.org/trunk@26440


git-svn-id: http://core.svn.wordpress.org/trunk@26338 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-11-27 22:32:09 +00:00
Andrew Nacin
d362dc1e49 Allow the value attribute for list items processed by kses.
props kraftbj.
fixes #24293.

Built from https://develop.svn.wordpress.org/trunk@25460


git-svn-id: http://core.svn.wordpress.org/trunk@25381 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-16 20:49:10 +00:00
Ryan Boren
43a7e695e9 Revert 23416, 23419, 23445 except for wp_reset_vars() changes. We are going a different direction with the slashing cleanup, so resetting to a clean slate. see #21767
git-svn-id: http://core.svn.wordpress.org/trunk@23554 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-03-01 16:28:40 +00:00