From 524f5be4c62baf6d33ec20aa9ab18656d375a4ca Mon Sep 17 00:00:00 2001
From: Gary Pendergast
Date: Fri, 14 Dec 2018 03:27:55 +0000
Subject: [PATCH] KSES: Allow the `download` attribute on `` tags.
To avoid this being a vector for bypassing the filetypes that are allowed to be uploaded, this attribute is only allowed to be added without a value. Merges [43813] from the 5.0 branch to trunk. Props kalpshit, arshidkv12, welcher, peterwilsoncc, marina_wp, pento. Fixes #44724.
git-svn-id: https://develop.svn.wordpress.org/trunk@44156 602fd350-edb4-49c9-b593-d223f7449a82
---
src/wp-includes/kses.php | 13 ++++++++-----
tests/phpunit/tests/kses.php | 29 ++++++++++++++++++-----------
2 files changed, 26 insertions(+), 16 deletions(-)
diff --git a/src/wp-includes/kses.php b/src/wp-includes/kses.php
index 964ef7fd6e..18c76c5222 100644
--- a/src/wp-includes/kses.php
+++ b/src/wp-includes/kses.php
@@ -61,11 +61,14 @@ if ( ! CUSTOM_TAGS ) {
 $allowedposttags = array(
 'address' => array(),
 'a' => array(
- 'href' => true,
- 'rel' => true,
- 'rev' => true,
- 'name' => true,
- 'target' => true,
+ 'href' => true,
+ 'rel' => true,
+ 'rev' => true,
+ 'name' => true,
+ 'target' => true,
+ 'download' => array(
+ 'valueless' => 'y',
+ ),
 ),
 'abbr' => array(),
 'acronym' => array(),
diff --git a/tests/phpunit/tests/kses.php b/tests/phpunit/tests/kses.php
index ae1ccd342f..b359452b88 100644
--- a/tests/phpunit/tests/kses.php
+++ b/tests/phpunit/tests/kses.php
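Review bot: The new `'download' => array( 'valueless' => 'y' )` entry in `$allowedposttags` carries no comment, so the reason it differs from the plain `true` rules around it lives only in the commit message. A later maintainer "simplifying" it to `true` would reopen the filetype bypass the message describes, because a valued `download` attribute lets a content author choose the filename and extension the browser saves, independent of what was allowed at upload time. Suggest a comment directly above the entry: `// Valueless only: a download="name.ext" value would let authors pick a saved filename/extension outside the allowed upload types.` Only `$allowedposttags` is touched here; whether any other KSES allow-list should mirror this is not decided by the hunk. The enclosing `if ( ! CUSTOM_TAGS )` block continues outside the hunk.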
@@ -37,20 +37,27 @@ class Tests_Kses extends WP_UnitTestCase {
 global $allowedposttags;
 $attributes = array(
- 'class' => 'classname',
- 'id' => 'id',
- 'style' => 'color: red;',
- 'title' => 'title',
- 'href' => 'http://example.com',
- 'rel' => 'related',
- 'rev' => 'revision',
- 'name' => 'name',
- 'target' => '_blank',
+ 'class' => 'classname',
+ 'id' => 'id',
+ 'style' => 'color: red;',
+ 'title' => 'title',
+ 'href' => 'http://example.com',
+ 'rel' => 'related',
+ 'rev' => 'revision',
+ 'name' => 'name',
+ 'target' => '_blank',
+ 'download' => '',
 );
 foreach ( $attributes as $name => $value ) {
- $string = "I link this";
- $expect_string = "I link this";
+ if ( $value ) {
+ $attr = "$name='$value'";
+ $expected_attr = "$name='" . trim( $value, ';' ) . "'";
+ } else {
+ $attr = $expected_attr = $name;
+ }
+ $string = "I link this";
+ $expect_string = "I link this";
 $this->assertEquals( $expect_string, wp_kses( $string, $allowedposttags ) );
 }
 }
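Review bot: The rewritten loop exercises `download` only in its valueless form (`'download' => ''`), so nothing asserts the property the commit message relies on — that a `download` attribute carrying a value is rejected rather than passed through. A negative case after the loop would pin it, e.g. `$this->assertEquals( '<a>I link this</a>', wp_kses( "<a download='file.exe'>I link this</a>", $allowedposttags ) );` (constructed sample; adjust the expected string if KSES drops the whole tag rather than just the offending attribute). The new `if ( $value )` branch selects on truthiness, so a future `'0'` test value would silently take the valueless path; `if ( '' !== $value )` states the intent. The method and class enclosing this loop begin outside the hunk.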