
Commit fb3c6ea

committed
KSES: Make the URI attributes DRY.
This commit introduces the `wp_kses_uri_attributes` function and filter. The function centralizes the list of attributes, in order to prevent inconsistency, and the filter provides a way for plugins to customize the attributes. Built from https://develop.svn.wordpress.org/branches/5.0@44014 git-svn-id: http://core.svn.wordpress.org/branches/5.0@43844 1a063a9b-81f0-0310-95a4-ce76da25c4cd
1 parent d82b02e commit fb3c6ea

2 files changed

+53
-3
lines changed


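--- a/wp-includes/kses.php
+++ b/wp-includes/kses.php
@@ -539,7 +539,7 @@ function wp_kses( $string, $allowed_html, $allowed_protocols = array() ) {
 * @return string Filtered attribute.
 */
 function wp_kses_one_attr( $string, $element ) {
-$uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');
+$uris = wp_kses_uri_attributes();
 $allowed_html = wp_kses_allowed_html( 'post' );
 $allowed_protocols = wp_allowed_protocols();
 $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
@@ -736,6 +736,56 @@ function wp_kses_split( $string, $allowed_html, $allowed_protocols ) {
 return preg_replace_callback( '%(<!--.*?(-->|$))|(<[^>]*(>|$)|>)%', '_wp_kses_split_callback', $string );
 }
 
+/**
+* Helper function listing HTML attributes containing a URL.
+*
+* This function returns a list of all HTML attributes that must contain
+* a URL according to the HTML specification.
+*
+* This list includes URI attributes both allowed and disallowed by KSES.
+*
+* @link https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes
+*
+* @since 4.9.9
+*
+* @return array HTML attributes that must include a URL.
+*/
+function wp_kses_uri_attributes() {
+$uri_attributes = array(
+'action',
+'archive',
+'background',
+'cite',
+'classid',
+'codebase',
+'data',
+'formaction',
+'href',
+'icon',
+'longdesc',
+'manifest',
+'poster',
+'profile',
+'src',
+'usemap',
+'xmlns',
+);
+
+/**
+* Filters the list of attributes that are required to contain a URL.
+*
+* Use this filter to add any `data-` attributes that are required to be
+* validated as a URL.
+*
+* @since 4.9.9
+*
+* @param array $uri_attributes HTML attributes requiring validation as a URL.
+*/
+$uri_attributes = apply_filters( 'wp_kses_uri_attributes', $uri_attributes );
+
+return $uri_attributes;
+}
+
 /**
 * Callback for wp_kses_split.
 *
@@ -953,7 +1003,7 @@ function wp_kses_hair($attr, $allowed_protocols) {
 $attrarr = array();
 $mode = 0;
 $attrname = '';
-$uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');
+$uris = wp_kses_uri_attributes();
 
 // Loop through the whole attribute list
 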
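Review bot: The `wp_kses_uri_attributes` filter lets a plugin shrink the list as easily as extend it, yet the docblock at the `apply_filters` call in the second hunk only describes adding `data-` attributes; since `wp_kses_one_attr` and `wp_kses_hair` now take `$uris` from this function, a callback that drops `href` or `src` would presumably leave those attributes outside the allowed-protocol check. The filter docblock should state that consequence, e.g. `* Removing an attribute from this list disables URL validation for it in KSES.` The filtered value is also returned as-is, so a callback returning a non-array would reach the callers unchecked; `return (array) apply_filters( 'wp_kses_uri_attributes', $uri_attributes );` keeps the documented array contract. The callers' use of `$uris` lies outside the hunks shown, so the exact effect of a removed entry should be confirmed there.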

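--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '5.0.1-alpha-43994';
+$wp_version = '5.0.1-alpha-44014';
 
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.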
