When `wp_kses_split` processes a document it attempts to leave HTML comments
alone. It makes minor adjustments, but leaves the comments in the document in
its output. Unfortunately it only recognizes one kind of HTML comment and
rejects many others.
This patch makes a minor adjustment to the algorithm in `wp_kses_split` to
recognize and preserve an additional kind of HTML comment: closing tags with
an invalid tag name, e.g. `</%dolly>`.
These invalid closing tags must be interpreted as comments by a browser.
This bug fix aligns the implementation of `wp_kses_split()` more closely
with its stated goal of leaving HTML comments as comments.
It doesn't attempt to fully fix the mis-parsed comments, but it does propose a
minor fix that hopefully won't break any existing code or projects.
Developed in https://github.com/WordPress/wordpress-develop/pull/6395
Discussed in https://core.trac.wordpress.org/ticket/61009
Props ellatrix, dmsnell, joemcgill, jorbin, westonruter, zieladam.
See #61009.
Built from https://develop.svn.wordpress.org/trunk@58418
git-svn-id: http://core.svn.wordpress.org/trunk@57867 1a063a9b-81f0-0310-95a4-ce76da25c4cd
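The commit above fixes one case (`</%dolly>`), but a browser turns several other constructs into comments as well. The following tokenizer is an added example, not WordPress code and not the `wp_kses_split()` implementation: it classifies markup the way the HTML tokenizer does, so the spans a comment-preserving filter has to leave alone can be listed. It goes beyond the commit's single case to the other "bogus comment" forms (`<?...>`, `<!foo>`, `<![CDATA[...]]>` in HTML content, `</` followed by a non-letter) and to the abruptly closed comments `<!-->` and `<!--->`. The quote handling in `tagEnd()` is a simplification of the attribute-value states.

```javascript
// Added example (not WordPress code): classifies markup the way the HTML
// tokenizer does for the cases a comment-preserving filter cares about.
// Token types: text | start-tag | end-tag | comment | bogus-comment | doctype | ignored
function tokenizeMarkup(html) {
  const tokens = [];
  let i = 0;
  let textStart = 0;
  const isAlpha = (ch) => /^[A-Za-z]$/.test(ch ?? '');
  const emit = (type, end) => {
    if (i > textStart) tokens.push({ type: 'text', raw: html.slice(textStart, i) });
    tokens.push({ type, raw: html.slice(i, end) });
    i = end;
    textStart = end;
  };

  while (i < html.length) {
    if (html[i] !== '<') { i++; continue; }
    const next = html[i + 1];
    if (html.startsWith('<!--', i)) {
      // `<!-->` and `<!--->` are complete (abruptly closed) comments.
      if (html.startsWith('<!-->', i)) emit('comment', i + 5);
      else if (html.startsWith('<!--->', i)) emit('comment', i + 6);
      else {
        const close = html.indexOf('-->', i + 4);
        emit('comment', close === -1 ? html.length : close + 3);
      }
    } else if (html.slice(i, i + 9).toLowerCase() === '<!doctype') {
      emit('doctype', closeAt(html, i + 9));
    } else if (next === '!' || next === '?') {
      // `<!foo>`, `<![CDATA[...]]>` (in HTML content) and `<?xml ...?>`
      // are all bogus comments: swallowed up to the next `>`.
      emit('bogus-comment', closeAt(html, i + 2));
    } else if (next === '/') {
      if (isAlpha(html[i + 2])) emit('end-tag', tagEnd(html, i + 2));
      else if (html[i + 2] === '>') emit('ignored', i + 3);   // `</>` produces no token
      else if (html[i + 2] === undefined) i += 2;             // `</` at EOF is text
      else emit('bogus-comment', closeAt(html, i + 2));       // `</%dolly>`, `</ x>`
    } else if (isAlpha(next)) {
      emit('start-tag', tagEnd(html, i + 1));
    } else {
      i++;                                                    // a literal `<` stays text
    }
  }
  if (html.length > textStart) tokens.push({ type: 'text', raw: html.slice(textStart) });
  return tokens;
}

// Bogus comments end at the first `>` (or at EOF).
function closeAt(html, from) {
  const gt = html.indexOf('>', from);
  return gt === -1 ? html.length : gt + 1;
}

// Tags end at the first `>` outside a quoted attribute value; quotes are
// only special directly after `=` (a simplification of the tokenizer states).
function tagEnd(html, from) {
  let quote = null;
  let afterEquals = false;
  for (let j = from; j < html.length; j++) {
    const ch = html[j];
    if (quote) { if (ch === quote) quote = null; continue; }
    if (ch === '>') return j + 1;
    if (afterEquals && (ch === '"' || ch === "'")) { quote = ch; afterEquals = false; continue; }
    if (ch === '=') afterEquals = true;
    else if (!/\s/.test(ch)) afterEquals = false;
  }
  return html.length;
}

// The spans a comment-preserving filter must leave alone.
function commentSpans(html) {
  return tokenizeMarkup(html)
    .filter((t) => t.type === 'comment' || t.type === 'bogus-comment')
    .map((t) => t.raw);
}
```

Run `commentSpans('a<!-- x -->b</%dolly>c</dolly>')` and both `<!-- x -->` and `</%dolly>` come back, while `</dolly>` is an end tag. A filter that only recognises `<!-- ... -->` sees `</%dolly>` as a malformed closing tag and rewrites it, which is exactly the mismatch with browser behaviour the commit narrows.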
Expand allowable set of custom data attribute names to include those containing
leading, trailing, and double `-` characters. Previously, WordPress was
removing data attributes that are used in the Interactivity API. By allowing
these additional custom data attributes, the related Interactivity API
directives will preserve through `kses`.
For example, the Interactivity API frequently relies on custom data attributes
such as `data-wp-on--click="..."`. The change in [43981] would strip these out
of the processed HTML, however.
Developed in https://github.com/WordPress/wordpress-develop/pull/6598
Discussed in https://core.trac.wordpress.org/ticket/61052
Props cbravobernal, dmsnell, gziolo, jonsurrell.
Follow-up to [43981].
Fixes #61052.
Built from https://develop.svn.wordpress.org/trunk@58294
git-svn-id: http://core.svn.wordpress.org/trunk@57754 1a063a9b-81f0-0310-95a4-ce76da25c4cd
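As an added example (not WordPress code), here is allowlist filtering of one tag's attributes with a custom-data-attribute rule that admits the names the commit describes. The `<button>` allowlist, the sample attribute map and the stricter "words only" pattern shown for contrast are all constructed for the example; the stricter pattern is not the regex WordPress used before this change.

```javascript
// Added example (not WordPress code): per-tag attribute allowlisting with
// a pattern rule for custom data attributes. Names are lowercased first,
// as the HTML parser does.
const CUSTOM_DATA_ATTRIBUTE = /^data-[a-z0-9_-]+$/; // leading, trailing and double `-` allowed
// Hypothetical stricter rule (hyphen-separated words only), for contrast.
const WORDS_ONLY_DATA_ATTRIBUTE = /^data-[a-z0-9_]+(?:-[a-z0-9_]+)*$/;

// Constructed allowlist for a <button>; kses allowlists are per tag too.
const BUTTON_ATTRIBUTES = new Set(['class', 'id', 'type', 'aria-label', 'hidden']);

function filterAttributes(attrs, allowedForTag, dataRule = CUSTOM_DATA_ATTRIBUTE) {
  const kept = {};
  for (const [rawName, value] of Object.entries(attrs)) {
    const name = rawName.toLowerCase();
    // `data-*` names can be admitted by pattern: browsers never execute
    // them, so only their values need the usual value/protocol checks,
    // which happen elsewhere and are not shown here.
    if (allowedForTag.has(name) || dataRule.test(name)) kept[name] = value;
  }
  return kept;
}

// Constructed Interactivity API markup, as the attribute map of one tag.
const SAMPLE_ATTRIBUTES = {
  'class': 'wp-block-button',
  'data-wp-interactive': 'myPlugin',
  'data-wp-on--click': 'actions.toggle',
  'data-wp-bind--aria-expanded': 'state.isOpen',
  'onclick': 'alert(1)',
  'data-': 'no name after the prefix',
};
```

With the stricter pattern, `data-wp-on--click` and `data-wp-bind--aria-expanded` are dropped and the directives silently stop working; with the expanded pattern they survive, while `onclick` and the bare `data-` are still removed.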
It is perfectly possible to write a commented regex with layout for readability by using the `x` modifier.
As per the manual:
> x (`PCRE_EXTENDED`)
>
> If this modifier is set, whitespace data characters in the pattern are totally ignored except when escaped or inside a character class, and characters between an unescaped # outside a character class and the next newline character, inclusive, are also ignored. This is equivalent to Perl's /x modifier, and makes it possible to include commentary inside complicated patterns.
>
> Note, however, that this applies only to data characters. Whitespace characters may never appear within special character sequences in a pattern, for example within the sequence (?( which introduces a conditional subpattern.
Reference: [https://www.php.net/manual/en/reference.pcre.pattern.modifiers.php PHP Manual: Pattern Modifiers].
This commit rewrites these two regexes to use the `x` modifier and gets rid of the unnecessary `phpcs:disable` comments.
The tests in the `tests/phpunit/tests/db/dbDelta.php` file cover this change.
Follow-up to [42249].
Props jrf.
See #59650.
Built from https://develop.svn.wordpress.org/trunk@57061
git-svn-id: http://core.svn.wordpress.org/trunk@56572 1a063a9b-81f0-0310-95a4-ce76da25c4cd
It is perfectly possible to write a commented regex with layout for readability by using the `x` modifier.
As per the manual:
> x (`PCRE_EXTENDED`)
>
> If this modifier is set, whitespace data characters in the pattern are totally ignored except when escaped or inside a character class, and characters between an unescaped # outside a character class and the next newline character, inclusive, are also ignored. This is equivalent to Perl's /x modifier, and makes it possible to include commentary inside complicated patterns.
>
> Note, however, that this applies only to data characters. Whitespace characters may never appear within special character sequences in a pattern, for example within the sequence (?( which introduces a conditional subpattern.
Reference: [https://www.php.net/manual/en/reference.pcre.pattern.modifiers.php PHP Manual: Pattern Modifiers].
This commit rewrites these two regexes to use the `x` modifier and gets rid of the unnecessary `phpcs:disable` comments.
The tests in the `tests/phpunit/tests/db/dbDelta.php` file cover this change.
Follow-up to [42249].
Props jrf.
See #59650.
Built from https://develop.svn.wordpress.org/trunk@57056
git-svn-id: http://core.svn.wordpress.org/trunk@56567 1a063a9b-81f0-0310-95a4-ce76da25c4cd
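The two commits above describe the same rewrite. JavaScript has no `x` flag, so this added helper (not WordPress code) emulates `PCRE_EXTENDED` by removing exactly what the manual says PCRE ignores: unescaped whitespace outside a character class, and `#` to end of line outside a class. The index-definition pattern built with it is constructed for the example and is not the `dbDelta()` regex the commits changed.

```javascript
// Added example (not WordPress code): emulates PCRE_EXTENDED (`x`) for
// RegExp. Escaped characters and the contents of character classes are kept
// verbatim; other whitespace and `#...` comments are dropped.
function stripExtended(src) {
  let out = '';
  let inClass = false;
  for (let i = 0; i < src.length; i++) {
    const c = src[i];
    if (c === '\\') {                       // escaped char (including `\ `): keep both
      out += c + (src[i + 1] ?? '');
      i++;
      continue;
    }
    if (inClass) {
      if (c === ']') inClass = false;
      out += c;                             // whitespace and `#` are literal inside [...]
      continue;
    }
    if (c === '[') {
      inClass = true;
      out += c;
      // A `]` directly after `[` or `[^` is a literal, not the class terminator.
      if (src[i + 1] === '^') { out += '^'; i++; }
      if (src[i + 1] === ']') { out += ']'; i++; }
      continue;
    }
    if (c === '#') {                        // comment runs to the next newline, inclusive
      const nl = src.indexOf('\n', i);
      i = nl === -1 ? src.length : nl;
      continue;
    }
    if (/\s/.test(c)) continue;             // unescaped whitespace is ignored
    out += c;
  }
  return out;
}

// Caveat from the manual: PCRE never lets whitespace split a special
// sequence such as `(?(`. This helper simply joins the pieces, so it is
// more lenient than PCRE on that point.
function verboseRegExp(src, flags = '') {
  return new RegExp(stripExtended(src), flags);
}

// Constructed example: an index definition inside a CREATE TABLE statement.
const INDEX_DEFINITION = verboseRegExp(String.raw`
  ^\s*
  (?:(?<type>UNIQUE|FULLTEXT|SPATIAL)\s+)?      # optional index type
  (?:KEY|INDEX)\s+                              # the KEY / INDEX keyword
  (?<name>[a-z0-9_]+)\s*                        # index name
  \(\s*(?<cols>(?:[^()]|\([^()]*\))*)\s*\)      # column list, allowing col(len)
  \s*$
`, 'i');

function parseIndexDefinition(line) {
  const m = INDEX_DEFINITION.exec(line);
  if (!m) return null;
  return { type: m.groups.type ?? null, name: m.groups.name, cols: m.groups.cols };
}
```

The point of the rewrite is readability with identical behaviour: once the whitespace and comments are stripped, the pattern is the same one-liner, and the existing tests keep passing against it.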
Allow admin notices to be created with additional attributes. Test attributes include `hidden`, `data-*`, and `role="*"` values, which are all in use in various admin notices across core.
This commit adds `aria-live` and `hidden` to the KSES global attributes array to support core usages.
Follow up to [56408], [56409], [56410], [56518], [56570], [56571], [56572], [56573], [56576], [56589], [56590], [56597], [56599], [56600], [56601], [56602].
Props costdev, joedolson.
See #57791.
Built from https://develop.svn.wordpress.org/trunk@56603
git-svn-id: http://core.svn.wordpress.org/trunk@56115 1a063a9b-81f0-0310-95a4-ce76da25c4cd
`str_starts_with()` and `str_ends_with()` were introduced in PHP 8.0 to perform a case-sensitive check indicating if the string to search in (haystack) begins or ends with the given substring (needle).
WordPress core includes a polyfill for these functions on PHP < 8.0 as of WordPress 5.9.
Follow-up to [55990], [56014], [56019].
See #58220.
Built from https://develop.svn.wordpress.org/trunk@56020
git-svn-id: http://core.svn.wordpress.org/trunk@55532 1a063a9b-81f0-0310-95a4-ce76da25c4cd
`str_starts_with()` and `str_ends_with()` were introduced in PHP 8.0 to perform a case-sensitive check indicating if the string to search in (haystack) begins or ends with the given substring (needle).
WordPress core includes a polyfill for these functions on PHP < 8.0 as of WordPress 5.9.
This commit uses `str_starts_with()` and `str_ends_with()` in core files where appropriate:
* `$needle === substr( $string, 0, $length )`, where `$length` is the length of `$needle`, is replaced with `str_starts_with( $haystack, $needle )`.
* `$needle === substr( $string, $offset )`, where `$offset` is negative and the absolute value of `$offset` is the length of `$needle`, is replaced with `str_ends_with( $haystack, $needle )`.
This aims to make the code more readable and consistent, as well as better aligned with modern development practices.
Follow-up to [52039], [52040], [52326], [55703], [55710], [55987], [55988].
Props Soean, spacedmonkey, Clorith, ocean90, azaozz, sabernhardt, SergeyBiryukov.
Fixes #58220.
Built from https://develop.svn.wordpress.org/trunk@55990
git-svn-id: http://core.svn.wordpress.org/trunk@55502 1a063a9b-81f0-0310-95a4-ce76da25c4cd
`str_contains()` was introduced in PHP 8.0 to perform a case-sensitive check indicating if the string to search in (haystack) contains the given substring (needle).
WordPress core includes a polyfill for `str_contains()` on PHP < 8.0 as of WordPress 5.9.
This commit replaces `false !== strpos( ... )` with `str_contains()` in core files, making the code more readable and consistent, as well as better aligned with modern development practices.
Follow-up to [52039], [52040], [52326], [55703], [55710], [55987].
Props Soean, spacedmonkey, costdev, dingo_d, azaozz, mikeschroder, flixos90, peterwilsoncc, SergeyBiryukov.
Fixes #58206.
Built from https://develop.svn.wordpress.org/trunk@55988
git-svn-id: http://core.svn.wordpress.org/trunk@55500 1a063a9b-81f0-0310-95a4-ce76da25c4cd
`str_starts_with()` was introduced in PHP 8.0 to perform a case-sensitive check indicating if the string to search in (haystack) begins with the given substring (needle).
WordPress core includes a polyfill for `str_starts_with()` on PHP < 8.0 as of WordPress 5.9.
This commit replaces `0 === strpos( ... )` with `str_starts_with()` in core files, making the code more readable and consistent, as well as improving performance.
While `strpos()` is slightly faster than the polyfill on PHP < 8.0, `str_starts_with()` is noticeably faster on PHP 8.0+, as it is optimized to avoid unnecessarily searching along the whole haystack if it does not find the needle.
Follow-up to [52039], [52040], [52326].
Props spacedmonkey, costdev, sabernhardt, mukesh27, desrosj, jorbin, TobiasBg, ayeshrajans, lgadzhev, SergeyBiryukov.
Fixes #58012.
Built from https://develop.svn.wordpress.org/trunk@55703
git-svn-id: http://core.svn.wordpress.org/trunk@55215 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset indirectly improves performance of the commonly used `esc_url()` function by optimizing the low-level function `wp_kses_bad_protocol()` for the by far most common scenarios, which are URLs using either the `http` or `https` protocol.
For this common scenario, the changeset now avoids the `do while` loop. While for a single call to the `esc_url()` function the performance wins are negligible, given that `esc_url()` is often called many times in one page load, they can add up, making this a worthwhile improvement.
Props mukesh27, schlessera, markjaquith, azaozz, spacedmonkey.
Fixes #22951.
Built from https://develop.svn.wordpress.org/trunk@55053
git-svn-id: http://core.svn.wordpress.org/trunk@54586 1a063a9b-81f0-0310-95a4-ce76da25c4cd
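The following is an added example (not WordPress code and not `wp_kses_bad_protocol()` itself) of a protocol sanitizer in the shape the commit describes: an allowed `http://` or `https://` prefix returns at once, and everything else goes through the strip-until-stable loop. The allowlist is constructed, entity decoding is limited to numeric entities, and the iteration cap of 6 is an assumption.

```javascript
// Added example (not WordPress code): scheme allowlisting with a fast path
// for the common case and a loop for the adversarial ones.
const ALLOWED_PROTOCOLS = ['http', 'https', 'ftp', 'mailto', 'tel']; // constructed allowlist

// Decodes decimal and hex numeric entities only (a simplification).
function decodeNumericEntities(s) {
  const cp = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : '');
  return s
    .replace(/&#(\d+);/g, (_, d) => cp(Number(d)))
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => cp(parseInt(h, 16)));
}

// One pass: find the first colon (or its entity spellings), and either keep
// the scheme before it if allowed, or drop it and return the remainder.
function stripBadProtocolOnce(url, allowed) {
  const sep = /:|&#0*58;|&#x0*3a;/i.exec(url);
  if (!sep) return url;
  const head = url.slice(0, sep.index);
  const rest = url.slice(sep.index + sep[0].length).trim();
  // A `/` or `?` before the colon means it sits in a path or query, not a scheme.
  if (/[\/?]/.test(head)) return url;
  // Entities, whitespace and control characters inside the scheme are the
  // usual evasion tricks, so normalise before comparing.
  const scheme = decodeNumericEntities(head).replace(/[\s\x00-\x1f\x7f]/g, '').toLowerCase();
  return allowed.includes(scheme) ? `${scheme}:${rest}` : rest;
}

function sanitizeProtocol(url, allowed = ALLOWED_PROTOCOLS) {
  let current = url.replace(/\0/g, '');
  // Fast path: an allowed `http://` / `https://` prefix is already what the
  // loop would return, because the loop only ever looks at the first colon.
  if ((current.startsWith('https://') && allowed.includes('https')) ||
      (current.startsWith('http://') && allowed.includes('http'))) {
    return current;
  }
  let previous;
  let iterations = 0;
  do {
    previous = current;
    current = stripBadProtocolOnce(current, allowed);
  } while (current !== previous && ++iterations < 6); // cap is an assumption
  return current;
}
```

The fast path is safe only because it re-checks the allowlist: if a site removed `http` from its allowed protocols, an unconditional shortcut would let `http://` URLs through that the loop would have rejected. Stacked schemes such as `javascript:javascript:alert(1)` show why the loop runs until the string stops changing rather than once.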
While using reserved PHP keywords as parameter name labels is allowed, in the context of function calls using named parameters in PHP 8.0+, this will easily lead to confusion. To avoid that, it is recommended not to use reserved keywords as function parameter names.
This commit:
* Renames the `$string` parameter to `$content` in:
  * `wp_kses()`
  * `wp_kses_hook()`
  * `wp_kses_split()`
  * `wp_kses_split2()`
  * `wp_kses_bad_protocol()`
  * `wp_kses_no_null()`
  * `wp_kses_stripslashes()`
  * `wp_kses_bad_protocol_once()`
  * `wp_kses_normalize_entities()`
  * `wp_kses_decode_entities()`
* Renames the `$string` parameter to `$attr` in:
  * `wp_kses_one_attr()`
  * `wp_kses_html_error()`
* Renames the `$match` parameter to `$matches` in:
  * `_wp_kses_split_callback()`
  * `_wp_kses_decode_entities_chr()`
  * `_wp_kses_decode_entities_chr_hexdec()`
* Renames the `$string` parameter to `$scheme` in `wp_kses_bad_protocol_once2()`.
Follow-up to [52946], [52996], [52997], [52998], [53003], [53014], [53029], [53039], [53116], [53117], [53137], [53174], [53184], [53185], [53192], [53193], [53198], [53203], [53207], [53215], [53216], [53220], [53230], [53232], [53236], [53239], [53240], [53242], [53243], [53245], [53246], [53257], [53269], [53270], [53271], [53272], [53273], [53274], [53275], [53276], [53277], [53281], [53283], [53284], [53285], [53287], [53364], [53365], [54927], [54929], [54930], [54931], [54932].
Props jrf, aristath, poena, justinahinon, SergeyBiryukov.
See #56788.
Built from https://develop.svn.wordpress.org/trunk@54933
git-svn-id: http://core.svn.wordpress.org/trunk@54485 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This resolves a bug in Featured Image blocks where `object-fit` was being removed during the `render_callback`.
Props raduiason, pbiron, kebbet, SergeyBiryukov, bernhard-reiter, ironprogrammer, xknown, audrasjb, ckanderson22, ivanjeronimo, seriouslysenpai.
Fixes #56855.
Built from https://develop.svn.wordpress.org/trunk@54675
git-svn-id: http://core.svn.wordpress.org/trunk@54227 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When using the `CUSTOM_TAGS` constant, these global variables should be set to arrays:
* `$allowedposttags`
* `$allowedtags`
* `$allowedentitynames`
* `$allowedxmlentitynames`
This commit aims to improve developer experience by displaying a more helpful message to explain a PHP fatal error further in the code if any of these globals are either not set or not an array.
Note: Using `CUSTOM_TAGS` is not recommended and should be considered deprecated. The `wp_kses_allowed_html` filter is more powerful and supplies context.
Follow-up to [832], [834], [2896], [13358], [21796], [28845], [43016], [48072].
Props doctorlai, pento, KnowingArt_com, bosconiandynamics, TJNowell, ironprogrammer, audrasjb, mukesh27, SergeyBiryukov.
Fixes #47357.
Built from https://develop.svn.wordpress.org/trunk@54672
git-svn-id: http://core.svn.wordpress.org/trunk@54224 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Add a note that the parameter is optional and defaults to the result of `wp_allowed_protocols()`.
This affects:
* `wp_kses()`
* `filter_block_content()`
* `filter_block_kses()`
* `filter_block_kses_value()`
Includes synchronizing the `$allowed_html` parameter description for consistency.
Follow-up to [649], [6630], [18826], [32603], [43016], [46896], [48478].
Props armondal, SergeyBiryukov.
Fixes #56580.
Built from https://develop.svn.wordpress.org/trunk@54181
git-svn-id: http://core.svn.wordpress.org/trunk@53740 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The `safecss_filter_attr()` function allows using custom CSS variables like `color: var(--color)`. However, it did not allow assigning values to CSS variables like `--color: #F00`, which is common in Global Styles and Gutenberg.
This commit adds support for assigning values to CSS variables, so that the function can be used consistently in Global Styles and the future Style Engine in Gutenberg.
Follow-up to [50923], [54100].
Props aristath, ramonopoly, SergeyBiryukov.
Fixes #56353.
Built from https://develop.svn.wordpress.org/trunk@54117
git-svn-id: http://core.svn.wordpress.org/trunk@53676 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Adds support for the following CSS properties considered safe for inline CSS:
* `flex-wrap`
* `gap`
* `column-gap`
* `row-gap`
Extends support for `margin` and `padding` to include logical properties:
* `margin-block-start`
* `margin-block-end`
* `margin-inline-start`
* `margin-inline-end`
* `padding-block-start`
* `padding-block-end`
* `padding-inline-start`
* `padding-inline-end`
Follow-up to [46235].
Props andrewserong, peterwilsoncc, ramonopoly, bernhard-reiter.
Fixes #56122.
Built from https://develop.svn.wordpress.org/trunk@54102
git-svn-id: http://core.svn.wordpress.org/trunk@53661 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Additionally, this commit updates `safecss_filter_attr()` to add support for nested `var()` functions, so that a fallback value can be another CSS variable.
Follow-up to [50923].
Props johnregan3, noisysocks, cbravobernal, uxl, isabel_brison, andrewserong, ramonopoly, joyously, bernhard-reiter, peterwilsoncc.
Fixes #55966.
Built from https://develop.svn.wordpress.org/trunk@54100
git-svn-id: http://core.svn.wordpress.org/trunk@53659 1a063a9b-81f0-0310-95a4-ce76da25c4cd
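The three `safecss_filter_attr()` commits above (custom property assignment, nested `var()` fallbacks, and the new gap/logical properties) share one mechanism, so here is one added example covering all of them. It is not WordPress code: the property allowlist is a constructed subset, the forbidden-value list is a constructed stand-in for the function's own checks, and declarations are split on `;` without regard to strings.

```javascript
// Added example (not WordPress code): inline-style filter that accepts
// `--custom: value` assignments, `var(--name, fallback)` with nested var()
// in the fallback, and a constructed allowlist of safe properties.
const SAFE_PROPERTIES = new Set([
  'color', 'background-color', 'margin', 'padding', 'flex-wrap', 'gap', 'column-gap', 'row-gap',
  'margin-block-start', 'margin-block-end', 'margin-inline-start', 'margin-inline-end',
  'padding-block-start', 'padding-block-end', 'padding-inline-start', 'padding-inline-end',
]);
const CUSTOM_PROPERTY = /^--[a-z0-9_-]+$/i;     // simplified <dashed-ident>
const VAR_NAME = /^\s*(--[a-z0-9_-]+)\s*/i;     // the first argument of var()
const FORBIDDEN_VALUE = /expression\s*\(|url\s*\(|javascript:|\\|[<>]/i; // constructed stand-in

// Walks the (lowercased) value once, checking that every var() is
// `var(--name)` or `var(--name, fallback)` and that parentheses balance.
// The fallback may contain var() or other functions such as calc(), so
// the walk recurses into it.
function varExpressionsValid(value) {
  let i = 0;
  function walk(insideParens) {
    while (i < value.length) {
      const ch = value[i];
      if (ch === ')') return insideParens;      // stray `)` at top level is an error
      if (value.startsWith('var(', i)) {
        i += 4;
        const name = VAR_NAME.exec(value.slice(i));
        if (!name) return false;                // var() must name a --custom-property
        i += name[0].length;
        if (value[i] === ',') { i += 1; if (!walk(true)) return false; }
        if (value[i] !== ')') return false;     // unterminated var(
        i += 1;
        continue;
      }
      if (ch === '(') {                         // any other function, e.g. calc(...)
        i += 1;
        if (!walk(true)) return false;
        if (value[i] !== ')') return false;
        i += 1;
        continue;
      }
      i += 1;
    }
    return !insideParens;                       // EOF is fine only at top level
  }
  return walk(false);
}

function filterInlineStyle(style) {
  const kept = [];
  for (const declaration of style.split(';')) { // simplification: no `;` inside strings
    const colon = declaration.indexOf(':');
    if (colon === -1) continue;
    const property = declaration.slice(0, colon).trim().toLowerCase();
    const value = declaration.slice(colon + 1).trim();
    if (value === '') continue;
    // Either a custom property assignment (`--brand: #f00`) or an allowlisted property.
    if (!CUSTOM_PROPERTY.test(property) && !SAFE_PROPERTIES.has(property)) continue;
    if (FORBIDDEN_VALUE.test(value)) continue;
    if (!varExpressionsValid(value.toLowerCase())) continue;
    kept.push(`${property}: ${value}`);
  }
  return kept.join('; ');
}
```

Custom property values are opaque to the browser until they are substituted, which is why the same forbidden-value and `var()` structure checks run on `--brand: ...` as on `color: ...`; accepting the assignment syntax does not mean accepting arbitrary values.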
Expand documentation of the `wp_kses_allowed_html` hook to indicate that developers must add permitted HTML tags and attributes in lowercase for KSES to recognise they are permitted.
Props r-a-y, SergeyBiryukov, peterwilsoncc.
Fixes #55407.
See #53399.
Built from https://develop.svn.wordpress.org/trunk@53034
git-svn-id: http://core.svn.wordpress.org/trunk@52623 1a063a9b-81f0-0310-95a4-ce76da25c4cd
From the conceptual point it makes sense to execute global styles filters before post filters. So the post filters are always the last.
Props xknown, sergey, audrasjb, vortfu, oandregal, get_dave.
Built from https://develop.svn.wordpress.org/trunk@52895
git-svn-id: http://core.svn.wordpress.org/trunk@52484 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* `str_contains()`
* `str_ends_with()`
* `str_starts_with()`
Additionally, include a test for a PDF file in an `<object>` tag with an unsupported protocol.
Follow-up to [51963], [52039], [52040], [52304], [52309].
Props TobiasBg, ramonopoly.
See #54261.
Built from https://develop.svn.wordpress.org/trunk@52326
git-svn-id: http://core.svn.wordpress.org/trunk@51918 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Improves the URL validation in `_wp_kses_allow_pdf_objects()` to account for sites using an upload path that contains a port, for example wp.org:8080.
Follow up to [51963], [52304].
Props ocean90, ramonopoly, talldanwp.
See #54261.
Built from https://develop.svn.wordpress.org/trunk@52309
git-svn-id: http://core.svn.wordpress.org/trunk@51901 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Add callback validation to HTML tag attributes for increased flexibility over an array of values only.
In `object` tags, validate the `data` attribute via a callback to ensure it is a PDF and matches the `type` attribute. This prevents mime type mismatches in browsers.
Follow up to [51963].
Props Pento, dd32, swissspidy, xknown, peterwilsoncc.
Fixes #54261.
Built from https://develop.svn.wordpress.org/trunk@52304
git-svn-id: http://core.svn.wordpress.org/trunk@51896 1a063a9b-81f0-0310-95a4-ce76da25c4cd
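The two `<object>` commits above (the `data` callback that must agree with `type`, and the upload host that may carry a port) are illustrated by the following added example. It is not WordPress code and not `_wp_kses_allow_pdf_objects()`: it applies the same rules, using the URL parser instead of string prefixes, and the upload URL and attribute maps are constructed for the example.

```javascript
// Added example (not WordPress code): validates the `data` URL of an
// <object> and ties it to the declared `type`.
const UPLOAD_URL = 'https://wp.example.org:8080/wp-content/uploads'; // constructed; note the port

// Rules: no query string or fragment, a `.pdf` path, an http(s) scheme, and
// the same host:port as the site's upload URL.
function allowPdfObjectData(dataUrl, uploadUrl = UPLOAD_URL) {
  // Reject `?` and `#` outright: otherwise `x.php?f=.pdf` would pass the suffix check.
  if (dataUrl.includes('?') || dataUrl.includes('#')) return false;
  let target;
  let uploads;
  try {
    target = new URL(dataUrl);   // relative or malformed values are rejected
    uploads = new URL(uploadUrl);
  } catch {
    return false;
  }
  if (!target.pathname.endsWith('.pdf')) return false;           // case-sensitive, like str_ends_with()
  if (target.protocol !== 'http:' && target.protocol !== 'https:') return false;
  // `host` includes the port when one is present, so a site on :8080 matches
  // only URLs on :8080, and `https://wp.example.org:8080@evil.example/` fails
  // because the parser puts `evil.example` in `host`.
  return target.host === uploads.host;
}

// `type` must be application/pdf and `data` must pass the callback, so the
// declared type cannot disagree with what the browser will actually load.
function allowPdfObject(attrs, uploadUrl = UPLOAD_URL) {
  const type = (attrs.type ?? '').trim().toLowerCase();
  if (type !== 'application/pdf') return false;
  return typeof attrs.data === 'string' && allowPdfObjectData(attrs.data, uploadUrl);
}

// Constructed attribute maps for two <object> tags.
const SAFE_OBJECT = { type: 'application/pdf', data: 'https://wp.example.org:8080/wp-content/uploads/2021/11/report.pdf' };
const MISMATCHED_OBJECT = { type: 'text/html', data: 'https://wp.example.org:8080/wp-content/uploads/2021/11/report.pdf' };
```

Comparing `host` rather than a bare hostname is the port fix from [52309] in URL-parser terms: before it, a site whose upload URL was `wp.org:8080` never matched its own files. Restricting the path to the upload directory as well would be a further tightening the page does not call for.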