sergiotarxz/Wordpress
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

KSES: Allow the download attribute on <a> tags.

Browse Source 
To avoid this being a vector for bypassing the filetypes that are allowed to be uploaded, this attribute is only allowed to be added without a value.

Merges [43813] from the 5.0 branch to trunk.

Props kalpshit, arshidkv12, welcher, peterwilsoncc, marina_wp, pento.
Fixes #44724.



git-svn-id: https://develop.svn.wordpress.org/trunk@44156 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Gary Pendergast 2018-12-14 03:27:55 +00:00
parent 466ec7483a
commit 524f5be4c6
2 changed files with 26 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
src/wp-includes/kses.php
View File

@ -61,11 +61,14 @@ if ( ! CUSTOM_TAGS ) {
$allowedposttags = array( $allowedposttags = array(
'address' => array(), 'address' => array(),
'a' => array( 'a' => array(
'href' => true, 'href' => true,
'rel' => true, 'rel' => true,
'rev' => true, 'rev' => true,
'name' => true, 'name' => true,
'target' => true, 'target' => true,
'download' => array(
'valueless' => 'y',
),
), ),
'abbr' => array(), 'abbr' => array(),
'acronym' => array(), 'acronym' => array(),

29
tests/phpunit/tests/kses.php
View File

@ -37,20 +37,27 @@ class Tests_Kses extends WP_UnitTestCase {
global $allowedposttags; global $allowedposttags;
$attributes = array( $attributes = array(
'class' => 'classname', 'class' => 'classname',
'id' => 'id', 'id' => 'id',
'style' => 'color: red;', 'style' => 'color: red;',
'title' => 'title', 'title' => 'title',
'href' => 'http://example.com', 'href' => 'http://example.com',
'rel' => 'related', 'rel' => 'related',
'rev' => 'revision', 'rev' => 'revision',
'name' => 'name', 'name' => 'name',
'target' => '_blank', 'target' => '_blank',
'download' => '',
); );
foreach ( $attributes as $name => $value ) { foreach ( $attributes as $name => $value ) {
$string = "<a $name='$value'>I link this</a>"; if ( $value ) {
$expect_string = "<a $name='" . trim( $value, ';' ) . "'>I link this</a>"; $attr = "$name='$value'";
$expected_attr = "$name='" . trim( $value, ';' ) . "'";
} else {
$attr = $expected_attr = $name;
}
$string = "<a $attr>I link this</a>";
$expect_string = "<a $expected_attr>I link this</a>";
$this->assertEquals( $expect_string, wp_kses( $string, $allowedposttags ) ); $this->assertEquals( $expect_string, wp_kses( $string, $allowedposttags ) );
} }
} }