From a3fc848cb649fbbae6af1e59644dbd6f5633c002 Mon Sep 17 00:00:00 2001
From: Ian Dunn
Date: Thu, 13 Dec 2018 00:43:21 +0000
Subject: [PATCH] KSES: Make the URI attributes DRY.

This commit introduces the `wp_kses_uri_attributes` function and filter. The function centralizes the list of attributes, in order to prevent inconsistency, and the filter provides a way for plugins to customize the attributes.

Merges [44014] and [44017] to the `4.7` branch.

git-svn-id: https://develop.svn.wordpress.org/branches/4.7@44027 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/kses.php | 54 ++++++++++++++++++++++++++++++++++++++--
 1 file changed, 52 insertions(+), 2 deletions(-)

diff --git a/src/wp-includes/kses.php b/src/wp-includes/kses.php
index 3cf2a4885b..0a10d6be7e 100644
--- a/src/wp-includes/kses.php
+++ b/src/wp-includes/kses.php
@@ -536,7 +536,7 @@ function wp_kses( $string, $allowed_html, $allowed_protocols = array() ) {
  * @return string Filtered attribute.
  */
 function wp_kses_one_attr( $string, $element ) {
-	$uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');
+	$uris = wp_kses_uri_attributes();
 	$allowed_html = wp_kses_allowed_html( 'post' );
 	$allowed_protocols = wp_allowed_protocols();
 	$string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
@@ -734,6 +734,56 @@ function wp_kses_split( $string, $allowed_html, $allowed_protocols ) {
 	return preg_replace_callback( '%(|$))|(<[^>]*(>|$)|>)%', '_wp_kses_split_callback', $string );
 }
 
+/**
+ * Helper function listing HTML attributes containing a URL.
+ *
+ * This function returns a list of all HTML attributes that must contain
+ * a URL according to the HTML specification.
+ *
+ * This list includes URI attributes both allowed and disallowed by KSES.
+ *
+ * @link https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes
+ *
+ * @since 5.0.1
+ *
+ * @return array HTML attributes that must include a URL.
+ */
+function wp_kses_uri_attributes() {
+	$uri_attributes = array(
+		'action',
+		'archive',
+		'background',
+		'cite',
+		'classid',
+		'codebase',
+		'data',
+		'formaction',
+		'href',
+		'icon',
+		'longdesc',
+		'manifest',
+		'poster',
+		'profile',
+		'src',
+		'usemap',
+		'xmlns',
+	);
+
+	/**
+	 * Filters the list of attributes that are required to contain a URL.
+	 *
+	 * Use this filter to add any `data-` attributes that are required to be
+	 * validated as a URL.
+	 *
+	 * @since 5.0.1
+	 *
+	 * @param array $uri_attributes HTML attributes requiring validation as a URL.
+	 */
+	$uri_attributes = apply_filters( 'wp_kses_uri_attributes', $uri_attributes );
+
+	return $uri_attributes;
+}
+
 /**
  * Callback for wp_kses_split.
  *
@@ -929,7 +979,7 @@ function wp_kses_hair($attr, $allowed_protocols) {
 	$attrarr = array();
 	$mode = 0;
 	$attrname = '';
-	$uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');
+	$uris = wp_kses_uri_attributes();
 
 	// Loop through the whole attribute list
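Review bot: The result of `apply_filters( 'wp_kses_uri_attributes', $uri_attributes )` in the new `wp_kses_uri_attributes()` is returned without a type check, so a callback that returns `null` or a scalar leaves the two callers' `$uris` unusable and, since this list decides which attribute values get validated as URLs, would silently disable that validation instead of failing loudly. Returning `(array) apply_filters( 'wp_kses_uri_attributes', $uri_attributes )` at least keeps the type stable (a `null` still yields an empty list, so the documentation caveat below matters either way). Because the filter also lets a plugin remove `href`, `src` or `formaction` from the list and thereby weaken KSES for the whole site, the filter docblock should state the risk, e.g. ` * Removing an attribute from this list turns off URL validation for it; prefer only adding entries.` The entries are all lowercase and the callers presumably match lowercased attribute names against them (that comparison is outside this hunk, as is the rest of `wp_kses_one_attr()` and `wp_kses_hair()`), so the docblock should also say that added names must be lowercase.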