From eb6ec0d66938f4a93259d395e6a5c086b9f60005 Mon Sep 17 00:00:00 2001
From: Andrew Nacin
Date: Thu, 22 Nov 2012 07:23:43 +0000
Subject: [PATCH] Do SimplePie sanitization with wp_kses_post() rather than DOMDocument, which cannot be guaranteed to be available. Overrides SimplePie_Sanitize with WP_SimplePie_Sanitize_KSES. props markjaquith, rmccue. see #21990.
git-svn-id: https://develop.svn.wordpress.org/trunk@22811 602fd350-edb4-49c9-b593-d223f7449a82
---
 wp-includes/class-feed.php | 35 +++++++++++++++++++++++++++++++++++
 wp-includes/feed.php | 5 +++++
 2 files changed, 40 insertions(+)
diff --git a/wp-includes/class-feed.php b/wp-includes/class-feed.php
index a60955de29..c442050c12 100644
--- a/wp-includes/class-feed.php
+++ b/wp-includes/class-feed.php
@@ -92,3 +92,38 @@ class WP_SimplePie_File extends SimplePie_File {
 }
 }
 }
+
+/**
+ * WordPress SimplePie Sanitization Class
+ *
+ * Extension of the SimplePie_Sanitize class to use KSES, because
+ * we cannot universally count on DOMDocument being available
+ *
+ * @package WordPress
+ * @since 3.5.0
+ */
+class WP_SimplePie_Sanitize_KSES extends SimplePie_Sanitize {
+ public function sanitize( $data, $type, $base = '' ) {
+ $data = trim( $data );
+ if ( $type & SIMPLEPIE_CONSTRUCT_MAYBE_HTML ) {
+ if (preg_match('/(&(#(x[0-9a-fA-F]+|[0-9]+)|[a-zA-Z0-9]+)|<\/[A-Za-z][^\x09\x0A\x0B\x0C\x0D\x20\x2F\x3E]*' . SIMPLEPIE_PCRE_HTML_ATTRIBUTE . '>)/', $data)) {
+ $type |= SIMPLEPIE_CONSTRUCT_HTML;
+ }
+ else {
+ $type |= SIMPLEPIE_CONSTRUCT_TEXT;
+ }
+ }
+ if ( $type & SIMPLEPIE_CONSTRUCT_BASE64 ) {
+ $data = base64_decode( $data );
+ }
+ if ( $type & ( SIMPLEPIE_CONSTRUCT_HTML | SIMPLEPIE_CONSTRUCT_XHTML ) ) {
+ $data = wp_kses_post( $data );
+ if ( $this->output_encoding !== 'UTF-8' ) {
+ $data = $this->registry->call( 'Misc', 'change_encoding', array( $data, 'UTF-8', $this->output_encoding ) );
+ }
+ return $data;
+ } else {
+ return parent::sanitize( $data, $type, $base );
+ }
+ }
+}
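Review bot: In the HTML/XHTML branch of `sanitize()`, `$base` is never used — it only reaches `parent::sanitize()` on the text path — so whatever base-URL handling the parent applies to relative `href`/`src` values in feed markup (presumably its URL-replacement step) no longer happens once `wp_kses_post()` returns early, and the same goes for any strip-tags or strip-attributes options a caller configures on the feed object. If bypassing the parent for HTML is intentional, document it on the method, e.g. `/** Sanitizes feed content with wp_kses_post(); HTML/XHTML data never reaches SimplePie_Sanitize, so $base and the parent's strip/replacement options are not applied to it. */`. The `preg_match()` on the MAYBE_HTML path also treats a PCRE error (`false`) like a non-match and silently downgrades the item to text; that is fail-safe, but a one-line comment saying so would keep a future reader from "fixing" it.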
diff --git a/wp-includes/feed.php b/wp-includes/feed.php
index 262acd727f..61825f8958 100644
--- a/wp-includes/feed.php
+++ b/wp-includes/feed.php
@@ -528,6 +528,11 @@ function fetch_feed($url) {
 $feed = new SimplePie();
+ $feed->set_sanitize_class( 'WP_SimplePie_Sanitize_KSES' );
+ // We must manually overwrite $feed->sanitize because SimplePie's
+ // constructor sets it before we have a chance to set the sanitization class
+ $feed->sanitize = new WP_SimplePie_Sanitize_KSES();
+
 $feed->set_cache_class( 'WP_Feed_Cache' );
 $feed->set_file_class( 'WP_SimplePie_File' );