whyisjake
ee92e93f79
Ensure that a user can publish_posts before making a post sticky.
Props: danielbachhuber, whyisjake, peterwilson, xknown.
Prevent stored XSS through wp_targeted_link_rel().
Props: vortfu, whyisjake, peterwilsoncc, xknown, SergeyBiryukov, flaviozavan.
Update wp_kses_bad_protocol() to recognize `&colon;` on uri attributes,
wp_kses_bad_protocol() makes sure to validate that uri attributes don't contain invalid/or not allowed protocols. While this works fine in most cases, there's a risk that by using the colon html5 named entity, one is able to bypass this function.
Brings r46895 to the 5.3 branch.
Props: xknown, nickdaugherty, peterwilsoncc.
Prevent stored XSS in the block editor.
Brings r46896 to the 5.3 branch.
Prevent escaped unicode characters become unescaped in unsafe HTML during JSON decoding.
Props: aduth, epiqueras.
Built from https://develop.svn.wordpress.org/branches/5.0@46915
git-svn-id: http://core.svn.wordpress.org/branches/5.0@46715 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-12-12 18:52:47 +00:00
desrosj
1f26aab97c
Fix for URL sanitization in wp_kses_bad_protocol_once().
Merges [45997] to the 5.0 branch.
Props irsdl, sstoqnov, whyisjake.
Built from https://develop.svn.wordpress.org/branches/5.0@46004
git-svn-id: http://core.svn.wordpress.org/branches/5.0@45815 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-04 21:38:37 +00:00
iandunn
6ae36b3cfd
KSES: Correct @since tags for wp_kses_uri_attributes.
r44014 introduced the `wp_kses_uri_attributes` function and filter, but incorrectly used `4.9.9` instead of `5.0.1`.
Built from https://develop.svn.wordpress.org/branches/5.0@44017
git-svn-id: http://core.svn.wordpress.org/branches/5.0@43847 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-13 00:00:46 +00:00
iandunn
fb3c6ea061
KSES: Make the URI attributes DRY.
This commit introduces the `wp_kses_uri_attributes` function and filter. The function centralizes the list of attributes, in order to prevent inconsistency, and the filter provides a way for plugins to customize the attributes.
Built from https://develop.svn.wordpress.org/branches/5.0@44014
git-svn-id: http://core.svn.wordpress.org/branches/5.0@43844 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-12 23:53:45 +00:00
Gary Pendergast
d82b02eb33
KSES: Conditionally remove the <form> element from $allowedposttags.
To avoid backwards compatibility issues, `<form>` is re-added if a custom filter has added the `<input>` or `<select>` elements to `$allowedposttags`.
Built from https://develop.svn.wordpress.org/branches/5.0@43994
git-svn-id: http://core.svn.wordpress.org/branches/5.0@43826 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-12 23:12:45 +00:00
Gary Pendergast
722f25cd97
KSES: Allow the download attribute on <a> tags.
To avoid this being a vector for bypassing the filetypes that are allowed to be uploaded, this attribute is only allowed to be added without a value.
Props kalpshit, arshidkv12, welcher, peterwilsoncc, marina_wp, pento.
See #44724.
Built from https://develop.svn.wordpress.org/branches/5.0@43813
git-svn-id: http://core.svn.wordpress.org/branches/5.0@43642 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-24 01:19:39 +00:00
Gary Pendergast
5d58c6dc66
KSES: Allow url() to be used in inline CSS.
The cover image block uses the `url()` function in its inline CSS, to show the cover image. KSES didn't allow this, causing the block to not save correctly for Author and Contributor users. As KSES does already check each attribute name against an allowed list, we're able to add an extra check for certain attributes to be able to use the `url()` function, too.
Props peterwilsoncc, azaozz, pento, dd32.
See #45067.
Built from https://develop.svn.wordpress.org/branches/5.0@43781
git-svn-id: http://core.svn.wordpress.org/branches/5.0@43610 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-22 04:04:41 +00:00
Peter Wilson
f7ace6f1b2
KSES: Add selected ARIA attributes support.
Allow low-privileged users to use the ARIA attributes `aria-describedby`, `aria-details`, `aria-label`, `aria-labelledby` and `aria-hidden`.
Props mattheu, swissspidy, rianrietveld, afercia, GaryJ.
See #30421.
Built from https://develop.svn.wordpress.org/branches/5.0@43731
git-svn-id: http://core.svn.wordpress.org/branches/5.0@43560 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-15 23:44:26 +00:00
Peter Wilson
4b3d92a0db
KSES: Allow HTML data-* attributes.
Add global support for HTML attributes prefixed `data-` for authors and contributors, as required by the new editor.
Props azaozz, peterwilsoncc.
Fixes #33121.
Built from https://develop.svn.wordpress.org/branches/5.0@43727
git-svn-id: http://core.svn.wordpress.org/branches/5.0@43556 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-10-15 05:22:25 +00:00
Sergey Biryukov
8fae65141a
Formatting: Avoid a PHP 7.2 warning in wp_kses_attr() when one of $allowedtags elements is an uncountable value.
Props andrei0x309, soulseekah, SergeyBiryukov.
Merges [42860] to the 4.9 branch.
Fixes #43312.
Built from https://develop.svn.wordpress.org/branches/4.9@42861
git-svn-id: http://core.svn.wordpress.org/branches/4.9@42691 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-03-20 21:37:41 +00:00
Drew Jaynes
474711aac1
Docs: Adjust notation for the $context parameter in the DocBlocks for the wp_kses_allowed_html() function and its associated wp_kses_allowed_html filter.
`$context|$allowedtags` can be either a string or array.
Props bor0.
Fixes #40575.
Built from https://develop.svn.wordpress.org/trunk@40950
git-svn-id: http://core.svn.wordpress.org/trunk@40800 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-06-25 22:16:40 +00:00
Dominik Schilling
77858f4b92
KSES: Support 'tag' => true as a shorthand for 'tag' => array() in wp_kses_attr().
`Automatic_Upgrader_Skin::feedback()` had always assumed that this is already the case; now it is.
See #20017.
Fixes #40680.
Built from https://develop.svn.wordpress.org/trunk@40637
git-svn-id: http://core.svn.wordpress.org/trunk@40498 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-05-11 19:23:43 +00:00
John Blackbourn
d327c92e4b
Docs: Add and correct @since docs for a variety of functions and methods.
Props keesiemeijer, chris_dev.
Fixes #39343, #39357, #39344.
See #39130.
Built from https://develop.svn.wordpress.org/trunk@39638
git-svn-id: http://core.svn.wordpress.org/trunk@39578 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-12-27 09:21:44 +00:00
Gary Pendergast
456f8015b7
KSES: Deprecate wp_kses_js_entities().
This function was originally introduced to fix an XSS attack in Netscape 4, which never affected any other browsers, or later versions of Netscape.
I'm willing to go out on a limb, and say that we've officially dropped security support for Netscape 4.
Props dmsnell, desrosj.
Fixes #33848.
Built from https://develop.svn.wordpress.org/trunk@38785
git-svn-id: http://core.svn.wordpress.org/trunk@38728 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-10-13 22:25:31 +00:00
Aaron Jorbin
dd983343d3
Formatting: Allow KSES custom elements with hyphens
The W3C Custom Elements spec (http://www.w3.org/TR/custom-elements/#concepts) allows you to use your own custom DOM elements/tags. One of the main requirements is that the tag name "must contain a U+002D HYPHEN-MINUS character". This adjusts KSES to allow it.
Fixes #34105.
Props batmoo.
Built from https://develop.svn.wordpress.org/trunk@38511
git-svn-id: http://core.svn.wordpress.org/trunk@38452 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-09-02 04:16:28 +00:00
Drew Jaynes
6cc13f0c54
Docs: Fix formatting, tense, verb conjugation, and other syntax for wp-includes/* elements introduced or changed in 4.6.
Part 1/2.
See #37318.
Built from https://develop.svn.wordpress.org/trunk@38121
git-svn-id: http://core.svn.wordpress.org/trunk@38062 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-07-20 16:57:32 +00:00
Drew Jaynes
5e467a2774
Docs: Add changelog entries to the hook doc for the safe_style_css filter denoting recent CSS attribute additions.
* `min-height`, `max-height`, `min-width`, and `max-width` were added in 4.4, see [33739].
* `list-style-type` was added in 4.6, see [37898].
See #35877. See #32246.
Built from https://develop.svn.wordpress.org/trunk@37931
git-svn-id: http://core.svn.wordpress.org/trunk@37872 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-30 17:02:30 +00:00
Jeremy Felt
571f70c60a
KSES: Add list-style-type to the list of allowed CSS attributes.
Props azaozz.
Fixes #35877.
Built from https://develop.svn.wordpress.org/trunk@37898
git-svn-id: http://core.svn.wordpress.org/trunk@37839 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-28 22:10:31 +00:00
Jeremy Felt
d9d7e5fa63
KSES: Adjust the list of safecss attributes for readability.
Props azaozz.
See #35877.
Built from https://develop.svn.wordpress.org/trunk@37897
git-svn-id: http://core.svn.wordpress.org/trunk@37838 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-28 22:06:31 +00:00
Drew Jaynes
d28f1a08ef
Docs: Apply inline @see tags to hooks referenced in DocBlocks in a variety of wp-includes/* files.
Applying these specially-crafted `@see` tags allows the Code Reference parser to recognize and link these elements as actions and filters.
See #36921.
Built from https://develop.svn.wordpress.org/trunk@37543
git-svn-id: http://core.svn.wordpress.org/trunk@37511 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-23 19:01:27 +00:00
Drew Jaynes
9cb5247392
Docs: Standardize filter docs in remaining wp-includes/* files to use third-person singular verbs per the inline documentation standards for PHP.
See #36913.
Built from https://develop.svn.wordpress.org/trunk@37518
git-svn-id: http://core.svn.wordpress.org/trunk@37486 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-22 18:50:28 +00:00
Drew Jaynes
fe3b007fdd
Docs: Remove inline @see tags from function, class, and method references in inline docs.
Known functions, classes, and methods are now auto-linked in Code Reference pages following #meta1483.
Note: Hook references are still linked via inline `@see` tags due to the unlikelihood of reliably matching for known hooks based on a RegEx pattern.
See #32246.
Built from https://develop.svn.wordpress.org/trunk@37342
git-svn-id: http://core.svn.wordpress.org/trunk@37308 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-05-02 04:00:28 +00:00
Drew Jaynes
6a94d3e2e3
Docs: Use the correct parameter name in the DocBlock for wp_kses_post_deep(), introduced in [36429].
Props sebastianpisula.
Fixes #35700. See #35316.
Built from https://develop.svn.wordpress.org/trunk@36489
git-svn-id: http://core.svn.wordpress.org/trunk@36456 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-07 00:18:26 +00:00
Dominik Schilling
cd892b86b4
Media: In wp_read_image_metadata() make sure that IPTC keywords are UTF8 encoded.
Prevents missing `_wp_attachment_metadata` when an image contains keywords with latin extended characters.
Fixes #35316.
Built from https://develop.svn.wordpress.org/trunk@36429
git-svn-id: http://core.svn.wordpress.org/trunk@36396 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-01 14:53:27 +00:00
John Blackbourn
a5d44337b2
Docs: @param fixes for a variety of docblocks.
See #32246
Built from https://develop.svn.wordpress.org/trunk@36232
git-svn-id: http://core.svn.wordpress.org/trunk@36199 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-01-09 01:45:26 +00:00
Sergey Biryukov
ae37057114
KSES: Allow the reversed attribute for <ol>.
Props lancewillett.
Fixes #35079.
Built from https://develop.svn.wordpress.org/trunk@35960
git-svn-id: http://core.svn.wordpress.org/trunk@35924 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-16 09:54:26 +00:00
Scott Taylor
55e16aa98a
KSES: have you ever heard of the <bdo> HTML tag? Same. http://www.w3schools.com/tags/tag_bdo.asp
Adds unit test.
Props iandunn.
Fixes #34063.
Built from https://develop.svn.wordpress.org/trunk@35141
git-svn-id: http://core.svn.wordpress.org/trunk@35106 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-13 17:18:25 +00:00
Scott Taylor
8d27055b0c
Allow these CSS properties in KSES: 'min-height', 'max-height', 'min-width', 'max-width'
Props MikeHansenMe.
Fixes #31949.
Built from https://develop.svn.wordpress.org/trunk@33739
git-svn-id: http://core.svn.wordpress.org/trunk@33707 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-08-25 21:46:20 +00:00
Gary Pendergast
c3e0ed7e03
Shortcodes: Improve the reliability of shortcodes inside HTML tags.
Props miqrogroove.
See #15694.
Built from https://develop.svn.wordpress.org/trunk@33359
git-svn-id: http://core.svn.wordpress.org/trunk@33331 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-07-22 05:15:25 +00:00
Scott Taylor
32dabc1f90
Don't strip \0 (backslash+zero) from post content for users without "unfiltered_html"
Adds unit tests.
Props miqrogroove.
Fixes #28699.
Built from https://develop.svn.wordpress.org/trunk@32860
git-svn-id: http://core.svn.wordpress.org/trunk@32831 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-06-19 18:47:27 +00:00
Scott Taylor
f888767c73
$status shouldn't be loosely compared to true in wp_xmlrpc_server::wp_deleteComment().
`$initial` shouldn't be loosely compared to `true` in `get_calendar()`.
`current_user_can()` shouldn't be loosely compared to `false` in `kses_init()`.
`$get_all` shouldn't be loosely compared to `true` in `get_blog_details()`.
`is_array()` and `in_array()` shouldn't be loosely compared in `wpmu_validate_user_signup()`.
`$result` should be strictly compared in `check_ajax_referer()`.
`wp_verify_nonce()` should be strictly compared in `_show_post_preview()`.
`is_user_logged_in()` should not be loosely compared against `false` in `wp-signup.php`.
See #32444.
Built from https://develop.svn.wordpress.org/trunk@32733
git-svn-id: http://core.svn.wordpress.org/trunk@32704 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-06-12 17:48:26 +00:00
Scott Taylor
4b24007353
Add missing doc blocks to kses.php - also fix some unfortunate whitespace issues in related funcs.
See #32444.
Built from https://develop.svn.wordpress.org/trunk@32603
git-svn-id: http://core.svn.wordpress.org/trunk@32573 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-05-26 18:06:24 +00:00
Scott Taylor
86f29795a4
Add <s> to $allowedtags in KSES.
From https://developer.mozilla.org/en-US/docs/Web/HTML/Element/s:
"The <strike> element, alter ego of the <s> element is obsolete and should not be used on Web sites any more."
`<strike>` shall remain for BC, but `<s>` should not be stripped from the author (et al) role's HTML input.
Props paulschreiber.
Fixes #30954.
Built from https://develop.svn.wordpress.org/trunk@31205
git-svn-id: http://core.svn.wordpress.org/trunk@31186 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-01-16 16:07:23 +00:00
Scott Taylor
fc843ce4d0
There are some random add_action() and add_filter() calls littered around some files in wp-includes/. These should be moved to wp-includes/default-filters.php with the rest of the registered hooks. It seems like this was the best practice for a while and then we randomly stopped. This file loads way before any of the includes, so the hooks will be registered for any request that loads WordPress, even SHORTINIT - a lot of the hooks registered won't run anyways (that's already the case).
See #30947.
Built from https://develop.svn.wordpress.org/trunk@31168
git-svn-id: http://core.svn.wordpress.org/trunk@31149 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-01-12 16:40:23 +00:00
Scott Taylor
4a1ad9acec
Jump statements should not be followed by other statements (there were 5 lingering).
See #30799.
Built from https://develop.svn.wordpress.org/trunk@31100
git-svn-id: http://core.svn.wordpress.org/trunk@31081 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-01-08 21:15:22 +00:00
Scott Taylor
ac4e67b82e
Perl-style comments should not be used
See #30799.
Built from https://develop.svn.wordpress.org/trunk@31079
git-svn-id: http://core.svn.wordpress.org/trunk@31060 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-01-08 05:52:24 +00:00
Drew Jaynes
ad1ecf88c5
Only backtick-escape individual HTML entities in the DocBlock for wp_kses_normalize_entities().
Props TobiasBg.
Fixes #30473.
Built from https://develop.svn.wordpress.org/trunk@30726
git-svn-id: http://core.svn.wordpress.org/trunk@30716 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-12-03 11:47:23 +00:00
Drew Jaynes
3d77f9a816
Remove some now-unnecessary double quotes around HTML entities used in DocBlock comments.
See #30473.
Built from https://develop.svn.wordpress.org/trunk@30721
git-svn-id: http://core.svn.wordpress.org/trunk@30711 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-12-03 08:49:23 +00:00
Drew Jaynes
8e5543da53
Backtick-escape three sets of HTML entities used in DocBlock descriptions in wp-includes/kses.php.
Without the escaping, the Code Reference/browser may inadvertently attempt to convert and display entities.
Fixes #30473.
Built from https://develop.svn.wordpress.org/trunk@30720
git-svn-id: http://core.svn.wordpress.org/trunk@30710 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-12-03 08:47:22 +00:00
Andrew Nacin
e7614d6c45
Fix typo in style filter. props miqrogroove
Built from https://develop.svn.wordpress.org/trunk@30425
git-svn-id: http://core.svn.wordpress.org/trunk@30420 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-11-20 13:15:24 +00:00
Drew Jaynes
f8657d5890
Remove redundant and erroneous @uses tag from most core inline documentation.
Per our inline documentation standards, no further use of the `@uses` tag is recommended as used and used-by relationships can be derived through other means. This removes most uses of the tag in core documentation, with remaining tags to be converted to `@global` or `@see` as they apply.
Fixes #30191.
Built from https://develop.svn.wordpress.org/trunk@30105
git-svn-id: http://core.svn.wordpress.org/trunk@30105 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-10-30 01:05:24 +00:00
Scott Taylor
2ad420dddf
Add audio, video, and track to $allowedposttags (KSES).
Props jwenerd, wonderboymusic.
Fixes #29826.
Built from https://develop.svn.wordpress.org/trunk@30064
git-svn-id: http://core.svn.wordpress.org/trunk@30064 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-10-28 19:36:23 +00:00
Andrew Nacin
ae21b1884d
kses: Add colgroup.
props collinsinternet.
fixes #29433.
Built from https://develop.svn.wordpress.org/trunk@29740
git-svn-id: http://core.svn.wordpress.org/trunk@29514 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-09-12 05:51:17 +00:00
Sergey Biryukov
788597141a
Make wp_kses_no_null() remove any invalid control characters in a string.
props mauteri, miqrogroove.
fixes #28506.
Built from https://develop.svn.wordpress.org/trunk@28942
git-svn-id: http://core.svn.wordpress.org/trunk@28740 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-07-01 18:01:17 +00:00
Scott Taylor
38e39c93ea
In kses.php, ensure that $allowedposttags, $allowedtags, and $allowedentitynames are added to the global namespace.
Props Jaza613.
Fixes #28582.
Built from https://develop.svn.wordpress.org/trunk@28845
git-svn-id: http://core.svn.wordpress.org/trunk@28649 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-06-26 02:14:15 +00:00
Andrew Nacin
fbbc31f3c5
Inline documentation for hooks in wp-includes/kses.php.
props siobhyb, DrewAPicture.
fixes #25800.
Built from https://develop.svn.wordpress.org/trunk@27739
git-svn-id: http://core.svn.wordpress.org/trunk@27576 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-03-26 14:57:15 +00:00
Andrew Nacin
f9fd129f28
Allow XML attributes with colons to be read by kses.
The attribute would still need to be whitelisted to get through the filters.
props jorbin.
fixes #17847.
Built from https://develop.svn.wordpress.org/trunk@27707
git-svn-id: http://core.svn.wordpress.org/trunk@27546 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-03-25 12:53:16 +00:00
Andrew Nacin
5fd175300c
Allow the role attribute in kses for all elements.
props mikecorkum.
fixes #24098.
Built from https://develop.svn.wordpress.org/trunk@27388
git-svn-id: http://core.svn.wordpress.org/trunk@27236 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-03-04 02:11:16 +00:00
Andrew Nacin
8ec592f244
Add dfn, mark, and samp to kses.
props kraftbj.
fixes #24950.
Built from https://develop.svn.wordpress.org/trunk@26973
git-svn-id: http://core.svn.wordpress.org/trunk@26852 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-01-17 08:38:09 +00:00
Peter Westwood
e1e79ddf64
KSES: Extend support in wp_kses_normalize_entities to named entities with up to two numbers on the end of the name so as to support a wider list of valid entities.
Fixes #26290
Built from https://develop.svn.wordpress.org/trunk@26440
git-svn-id: http://core.svn.wordpress.org/trunk@26338 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-11-27 22:32:09 +00:00