diff --git a/wp-includes/formatting.php b/wp-includes/formatting.php
index abdb701665..2f9bc8613f 100644
--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@@ -2299,8 +2299,8 @@ function esc_url( $url, $protocols = null, $_context = 'display' ) {
 $url = str_replace( "'", ''', $url );
 }
 
- if ( !is_array($protocols) )
- $protocols = array ('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn');
+ if ( ! is_array( $protocols ) )
+ $protocols = wp_allowed_protocols();
 
 if ( wp_kses_bad_protocol( $url, $protocols ) != $url )
 return '';
diff --git a/wp-includes/functions.php b/wp-includes/functions.php
index dc9a66157d..bc14a239c0 100644
--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@@ -4610,4 +4610,24 @@ function send_frame_options_header() {
 @header( 'X-Frame-Options: SAMEORIGIN' );
 }
 
+/**
+ * Retrieve a list of protocols to allow in HTML attributes.
+ *
+ * @since 3.3.0
+ * @see wp_kses()
+ * @see esc_url()
+ *
+ * @return array Array of allowed protocols
+ */
+function wp_allowed_protocols() {
+ static $protocols;
+
+ if ( empty( $protocols ) ) {
+ $protocols = array( 'http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn' );
+ $protocols = apply_filters( 'kses_allowed_protocols', $protocols );
+ }
+
+ return $protocols;
+}
+
 ?>
diff --git a/wp-includes/kses.php b/wp-includes/kses.php
index 3a4da1e392..1e0ee13679 100644
--- a/wp-includes/kses.php
+++ b/wp-includes/kses.php
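Review bot: esc_url() now takes its default protocol list from wp_allowed_protocols(), which runs the `kses_allowed_protocols` filter, so the set of schemes esc_url() accepts when $protocols is not an array is no longer fixed but can be widened by any callback hooked to that filter; the hunk does not record this in esc_url()'s docblock, which starts above the hunk. Add a sentence there such as ` * When $protocols is not an array, the list from wp_allowed_protocols() is used, so the 'kses_allowed_protocols' filter also governs which schemes esc_url() accepts.` The rest of esc_url() continues outside the hunk.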
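Review bot: `static $protocols` in wp_allowed_protocols() caches the first filtered result for the rest of the request, so a callback hooked to `kses_allowed_protocols` after the first esc_url() or wp_kses() call is silently ignored, and the `empty( $protocols )` guard means a filter that returns an empty array is never cached and re-runs the filter on every call. Neither behaviour is stated in the docblock; add ` * The list is computed once per request: filters hooked to 'kses_allowed_protocols' after the first call have no effect.` and, if the once-per-request intent is what is wanted, guard with `if ( null === $protocols ) {` instead of `empty()`. The return value is whatever the filter returns and is passed straight to wp_kses_bad_protocol() by the callers in this commit, so it is worth stating in `@return` that callbacks must return a list of scheme names (what wp_kses_bad_protocol() does with a non-array is not visible here).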
@@ -500,7 +500,7 @@ if ( ! CUSTOM_TAGS ) {
 * @return string Filtered content with only allowed HTML elements
 */
function wp_kses($string, $allowed_html, $allowed_protocols = array ()) {
- $allowed_protocols = wp_parse_args( $allowed_protocols, apply_filters('kses_allowed_protocols', array ('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn') ));
+ $allowed_protocols = wp_parse_args( $allowed_protocols, wp_allowed_protocols() );
 $string = wp_kses_no_null($string);
 $string = wp_kses_js_entities($string);
 $string = wp_kses_normalize_entities($string);