From ba95a9a7199f59e9da56511d51ad8f55236c4484 Mon Sep 17 00:00:00 2001
From: Sergey Biryukov <sergeybiryukov@git.wordpress.org>
Date: Thu, 12 Dec 2019 18:51:18 +0000
Subject: [PATCH] Ensure that a user can publish_posts before making a post
 sticky.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Props: danielbachhuber, whyisjake, peterwilson, xknown.

Brings r46893 to the 4.7 branch.

Update `wp_kses_bad_protocol()` to recognize `&colon;` on uri attributes,

`wp_kses_bad_protocol()` makes sure to validate that uri attributes don’t contain invalid/or not allowed protocols. While this works fine in most cases, there’s a risk that by using the colon html5 named entity, one is able to bypass this function.

Brings r46895 to the 4.7 branch.

Props: xknown, nickdaugherty, peterwilsoncc.

git-svn-id: https://develop.svn.wordpress.org/branches/4.7@46916 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/kses.php                      |  2 +-
 .../class-wp-rest-posts-controller.php        |  6 ++---
 tests/phpunit/tests/kses.php                  | 22 +++++++++++++++++++
 3 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/src/wp-includes/kses.php b/src/wp-includes/kses.php
index 212ccc043d..ce292f0439 100644
--- a/src/wp-includes/kses.php
+++ b/src/wp-includes/kses.php
@@ -1384,7 +1384,7 @@ function wp_kses_html_error($string) {
  */
 function wp_kses_bad_protocol_once($string, $allowed_protocols, $count = 1 ) {
 	$string  = preg_replace( '/(&#0*58(?![;0-9])|&#x0*3a(?![;a-f0-9]))/i', '$1;', $string );
-	$string2 = preg_split( '/:|&#0*58;|&#x0*3a;/i', $string, 2 );
+	$string2 = preg_split( '/:|&#0*58;|&#x0*3a;|&colon;/i', $string, 2 );
 	if ( isset($string2[1]) && ! preg_match('%/\?%', $string2[0]) ) {
 		$string = trim( $string2[1] );
 		$protocol = wp_kses_bad_protocol_once2( $string2[0], $allowed_protocols );
diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
index 5aa7c78b72..f0e6e30259 100644
--- a/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
+++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
@@ -496,7 +496,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 			return new WP_Error( 'rest_cannot_edit_others', __( 'Sorry, you are not allowed to create posts as this user.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
-		if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) ) {
+		if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) && ! current_user_can( $post_type->cap->publish_posts ) ) {
 			return new WP_Error( 'rest_cannot_assign_sticky', __( 'Sorry, you are not allowed to make posts sticky.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
@@ -640,7 +640,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 			return new WP_Error( 'rest_cannot_edit_others', __( 'Sorry, you are not allowed to update posts as this user.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
-		if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) ) {
+		if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) && ! current_user_can( $post_type->cap->publish_posts ) ) {
 			return new WP_Error( 'rest_cannot_assign_sticky', __( 'Sorry, you are not allowed to make posts sticky.' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
@@ -933,7 +933,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 	 * @return stdClass|WP_Error Post object or WP_Error.
 	 */
 	protected function prepare_item_for_database( $request ) {
-		$prepared_post = new stdClass;
+		$prepared_post = new stdClass();
 
 		// Post ID.
 		if ( isset( $request['id'] ) ) {
diff --git a/tests/phpunit/tests/kses.php b/tests/phpunit/tests/kses.php
index 5e40b46d3c..c02adba761 100644
--- a/tests/phpunit/tests/kses.php
+++ b/tests/phpunit/tests/kses.php
@@ -169,6 +169,28 @@ EOF;
 			}
 		}
 
+		$bad_not_normalized = array(
+			'dummy&colon;alert(1)',
+			'javascript&colon;alert(1)',
+			'javascript&CoLon;alert(1)',
+			'javascript&COLON;alert(1);',
+			'javascript&#58;alert(1);',
+			'javascript&#0058;alert(1);',
+			'javascript&#0000058alert(1);',
+			'jav	ascript&COLON;alert(1);',
+			'javascript&#58;javascript&colon;alert(1);',
+			'javascript&#58;javascript&colon;alert(1);',
+			'javascript&#0000058javascript&colon;alert(1);',
+			'javascript&#58;javascript&#0000058alert(1);',
+			'javascript&#58alert(1)',
+		);
+		foreach ( $bad_not_normalized as $k => $x ) {
+			$result = wp_kses_bad_protocol( $x, wp_allowed_protocols() );
+			if ( ! empty( $result ) && 'alert(1);' !== $result && 'alert(1)' !== $result ) {
+				$this->fail( "wp_kses_bad_protocol failed on $k, $x. Result: $result" );
+			}
+		}
+
 		$safe = array(
 			'dummy:alert(1)',
 			'HTTP://example.org/',