Skip to content

Commit 30ac675

Browse files
committed
Fix for URL sanitization that can lead to cross-site scripting (XSS) attacks.
Props irsdl, sstoqnov, whyisjake. Built from https://develop.svn.wordpress.org/trunk@45997 git-svn-id: http://core.svn.wordpress.org/trunk@45808 1a063a9b-81f0-0310-95a4-ce76da25c4cd
1 parent 62b22b8 commit 30ac675

File tree

2 files changed

+2
-1
lines changed

2 files changed

+2
-1
lines changed

Diff for: wp-includes/kses.php

+1
Original file line numberDiff line numberDiff line change
@@ -1664,6 +1664,7 @@ function wp_kses_html_error( $string ) {
16641664
* @return string Sanitized content.
16651665
*/
16661666
function wp_kses_bad_protocol_once( $string, $allowed_protocols, $count = 1 ) {
1667+
$string = preg_replace( '/(&#0*58(?![;0-9])|&#x0*3a(?![;a-f0-9]))/i', '$1;', $string );
16671668
$string2 = preg_split( '/:|&#0*58;|&#x0*3a;/i', $string, 2 );
16681669
if ( isset( $string2[1] ) && ! preg_match( '%/\?%', $string2[0] ) ) {
16691670
$string = trim( $string2[1] );

Diff for: wp-includes/version.php

+1-1
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,7 @@
1313
*
1414
* @global string $wp_version
1515
*/
16-
$wp_version = '5.3-alpha-45990';
16+
$wp_version = '5.3-alpha-45997';
1717

1818
/**
1919
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.

0 commit comments

Comments
 (0)