sergiotarxz/Wordpress
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

KSES: Deprecate wp_kses_js_entities().

Browse Source 
This function was originally introduced to fix an XSS attack in Netscape 4, which never affected any other browsers, or later versions of Netscape.

I'm willing to go out on a limb, and say that we've officially dropped security support for Netscape 4.

Props dmsnell, desrosj.
Fixes #33848.



git-svn-id: https://develop.svn.wordpress.org/trunk@38785 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Gary Pendergast 2016-10-13 22:24:27 +00:00
parent 7e8e642ead
commit 595c76de1a
3 changed files with 28 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
src/wp-includes/deprecated.php
View File

@ -3772,3 +3772,29 @@ function get_paged_template() {
return get_query_template( 'paged' );
}
/**
* Removes the HTML JavaScript entities found in early versions of Netscape 4.
*
* Previously, this function was pulled in from the original
* import of kses and removed a specific vulnerability only
* existent in early version of Netscape 4. However, this
* vulnerability never affected any other browsers and can
* be considered safe for the modern web.
*
* The regular expression which sanitized this vulnerability
* has been removed in consideration of the performance and
* energy demands it placed, now merely passing through its
* input to the return.
*
* @since 1.0.0
* @deprecated deprecated since 4.7
*
* @param string $string
* @return string
*/
function wp_kses_js_entities( $string ) {
_deprecated_function( __FUNCTION__, '4.7.0' );
return preg_replace( '%&\s*\{[^}]*(\}\s*;?|$)%', '', $string );
}

14
src/wp-includes/kses.php
View File

@ -527,7 +527,6 @@ function wp_kses( $string, $allowed_html, $allowed_protocols = array() ) {
if ( empty( $allowed_protocols ) )
$allowed_protocols = wp_allowed_protocols();
$string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
$string = wp_kses_js_entities($string);
$string = wp_kses_normalize_entities($string);
$string = wp_kses_hook($string, $allowed_html, $allowed_protocols); // WP changed the order of these funcs and added args to wp_kses_hook
return wp_kses_split($string, $allowed_html, $allowed_protocols);
@ -550,7 +549,6 @@ function wp_kses_one_attr( $string, $element ) {
$allowed_html = wp_kses_allowed_html( 'post' );
$allowed_protocols = wp_allowed_protocols();
$string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
$string = wp_kses_js_entities( $string );
// Preserve leading and trailing whitespace.
$matches = array();
@ -1295,18 +1293,6 @@ function wp_kses_array_lc($inarray) {
return $outarray;
}
/**
* Removes the HTML JavaScript entities found in early versions of Netscape 4.
*
* @since 1.0.0
*
* @param string $string
* @return string
*/
function wp_kses_js_entities($string) {
return preg_replace('%&\s*\{[^}]*(\}\s*;?|$)%', '', $string);
}
/**
* Handles parsing errors in wp_kses_hair().
*

4
tests/phpunit/tests/kses.php
View File

@ -195,10 +195,10 @@ EOF;
switch ( $attack->name ) {
case 'XSS Locator':
$this->assertEquals('\';alert(String.fromCharCode(88,83,83))//\\\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88,83,83))//-->">\'>alert(String.fromCharCode(88,83,83))=', $result);
$this->assertEquals('\';alert(String.fromCharCode(88,83,83))//\\\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88,83,83))//-->">\'>alert(String.fromCharCode(88,83,83))=&{}', $result);
break;
case 'XSS Quick Test':
$this->assertEquals('\'\';!--"=', $result);
$this->assertEquals('\'\';!--"=&{()}', $result);
break;
case 'SCRIPT w/Alert()':
$this->assertEquals( "alert('XSS')", $result );