Fix for URL sanitization that can lead to cross-site scripting (XSS) attacks.

Props irsdl, sstoqnov, whyisjake.

git-svn-id: https://develop.svn.wordpress.org/trunk@45997 602fd350-edb4-49c9-b593-d223f7449a82

src/wp-includes/kses.php

@@ -1664,6 +1664,7 @@ function wp_kses_html_error( $string ) {
  * @return string Sanitized content.
  */
 function wp_kses_bad_protocol_once( $string, $allowed_protocols, $count = 1 ) {
+	$string  = preg_replace( '/(&#0*58(?![;0-9])|&#x0*3a(?![;a-f0-9]))/i', '$1;', $string );
 	$string2 = preg_split( '/:|&#0*58;|&#x0*3a;/i', $string, 2 );
 	if ( isset( $string2[1] ) && ! preg_match( '%/\?%', $string2[0] ) ) {
 		$string   = trim( $string2[1] );

tests/phpunit/tests/kses.php

@@ -145,6 +145,8 @@ EOF;
 			'javascript&#0000058alert(1)//?:',
 			'feed:javascript:alert(1)',
 			'feed:javascript:feed:javascript:feed:javascript:alert(1)',
+			'javascript&#58alert(1)',
+			'javascript&#x3ax=1;alert(1)',
 		);
 		foreach ( $bad as $k => $x ) {
 			$result = wp_kses_bad_protocol( wp_kses_normalize_entities( $x ), wp_allowed_protocols() );
@@ -165,8 +167,14 @@ EOF;
 					case 24:
 						$this->assertEquals( 'feed:alert(1)', $result );
 						break;
+					case 26:
+						$this->assertEquals( 'javascript&#58alert(1)', $result );
+						break;
+					case 27:
+						$this->assertEquals( 'javascript&#x3ax=1;alert(1)', $result );
+						break;
 					default:
-						$this->fail( "wp_kses_bad_protocol failed on $x. Result: $result" );
+						$this->fail( "wp_kses_bad_protocol failed on $k, $x. Result: $result" );
 				}
 			}
 		}