@@ -539,7 +539,7 @@ function wp_kses( $string, $allowed_html, $allowed_protocols = array() ) {
539539 * @return string Filtered attribute.
540540 */
541541function wp_kses_one_attr ( $ string , $ element ) {
542- $ uris = array ( ' xmlns ' , ' profile ' , ' href ' , ' src ' , ' cite ' , ' classid ' , ' codebase ' , ' data ' , ' usemap ' , ' longdesc ' , ' action ' );
542+ $ uris = wp_kses_uri_attributes ( );
543543 $ allowed_html = wp_kses_allowed_html ( 'post ' );
544544 $ allowed_protocols = wp_allowed_protocols ();
545545 $ string = wp_kses_no_null ( $ string , array ( 'slash_zero ' => 'keep ' ) );
@@ -736,6 +736,56 @@ function wp_kses_split( $string, $allowed_html, $allowed_protocols ) {
736736 return preg_replace_callback ( '%(<!--.*?(-->|$))|(<[^>]*(>|$)|>)% ' , '_wp_kses_split_callback ' , $ string );
737737}
738738
739+ /**
740+ * Helper function listing HTML attributes containing a URL.
741+ *
742+ * This function returns a list of all HTML attributes that must contain
743+ * a URL according to the HTML specification.
744+ *
745+ * This list includes URI attributes both allowed and disallowed by KSES.
746+ *
747+ * @link https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes
748+ *
749+ * @since 4.9.9
750+ *
751+ * @return array HTML attributes that must include a URL.
752+ */
753+ function wp_kses_uri_attributes () {
754+ $ uri_attributes = array (
755+ 'action ' ,
756+ 'archive ' ,
757+ 'background ' ,
758+ 'cite ' ,
759+ 'classid ' ,
760+ 'codebase ' ,
761+ 'data ' ,
762+ 'formaction ' ,
763+ 'href ' ,
764+ 'icon ' ,
765+ 'longdesc ' ,
766+ 'manifest ' ,
767+ 'poster ' ,
768+ 'profile ' ,
769+ 'src ' ,
770+ 'usemap ' ,
771+ 'xmlns ' ,
772+ );
773+
774+ /**
775+ * Filters the list of attributes that are required to contain a URL.
776+ *
777+ * Use this filter to add any `data-` attributes that are required to be
778+ * validated as a URL.
779+ *
780+ * @since 4.9.9
781+ *
782+ * @param array $uri_attributes HTML attributes requiring validation as a URL.
783+ */
784+ $ uri_attributes = apply_filters ( 'wp_kses_uri_attributes ' , $ uri_attributes );
785+
786+ return $ uri_attributes ;
787+ }
788+
739789/**
740790 * Callback for wp_kses_split.
741791 *
@@ -953,7 +1003,7 @@ function wp_kses_hair($attr, $allowed_protocols) {
9531003 $ attrarr = array ();
9541004 $ mode = 0 ;
9551005 $ attrname = '' ;
956- $ uris = array ( ' xmlns ' , ' profile ' , ' href ' , ' src ' , ' cite ' , ' classid ' , ' codebase ' , ' data ' , ' usemap ' , ' longdesc ' , ' action ' );
1006+ $ uris = wp_kses_uri_attributes ( );
9571007
9581008 // Loop through the whole attribute list
9591009
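Review bot: The `wp_kses_uri_attributes` filter at line 784 returns whatever the callback hands back, so a plugin can drop core entries such as `href` or `src` (or return a non-array) and thereby disable the URL/protocol handling that `$uris` presumably drives in `wp_kses_hair` and `wp_kses_one_attr`; the filter docblock only talks about adding `data-` attributes and gives no warning about removal. Consider treating the built-in list as a floor that the filter may only extend: `$filtered = apply_filters( 'wp_kses_uri_attributes', $uri_attributes );` followed by `$uri_attributes = array_values( array_unique( array_merge( $uri_attributes, (array) $filtered ) ) );`, and state in the docblock that entries are matched lowercase and that core entries cannot be removed. The function docblock's claim to list "all HTML attributes that must contain a URL according to the HTML specification" is stronger than the list supports — `srcset`, for instance, is absent, and because it carries several comma-separated URLs it could not simply be appended to a list that is checked one URL at a time — so I would soften that sentence to "the URL-bearing attributes KSES checks" and mention the `srcset` gap. The `in_array` lookups that consume this list, and the bodies of `wp_kses_hair` and `wp_kses_one_attr`, continue outside the hunks shown.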