Skip to content
Permalink
Browse files

Fix for URL sanitization in `wp_kses_bad_protocol_once()`.

Merges [45997] to the 5.1 branch.

Props irsdl, sstoqnov, whyisjake.

git-svn-id: https://develop.svn.wordpress.org/branches/5.1@46002 602fd350-edb4-49c9-b593-d223f7449a82
  • Loading branch information...
desrosj committed Sep 4, 2019
1 parent 678aa83 commit 19a8957bd073a1cfc1f75000e41b48d5676e36f7
Showing with 10 additions and 1 deletion.
  1. +1 −0 src/wp-includes/kses.php
  2. +9 −1 tests/phpunit/tests/kses.php
@@ -1657,6 +1657,7 @@ function wp_kses_html_error( $string ) {
* @return string Sanitized content.
*/
function wp_kses_bad_protocol_once( $string, $allowed_protocols, $count = 1 ) {
$string = preg_replace( '/(&#0*58(?![;0-9])|&#x0*3a(?![;a-f0-9]))/i', '$1;', $string );
$string2 = preg_split( '/:|&#0*58;|&#x0*3a;/i', $string, 2 );
if ( isset( $string2[1] ) && ! preg_match( '%/\?%', $string2[0] ) ) {
$string = trim( $string2[1] );
@@ -144,6 +144,8 @@ function test_wp_kses_bad_protocol() {
'javascript&#0000058alert(1)//?:',
'feed:javascript:alert(1)',
'feed:javascript:feed:javascript:feed:javascript:alert(1)',
'javascript&#58alert(1)',
'javascript&#x3ax=1;alert(1)',
);
foreach ( $bad as $k => $x ) {
$result = wp_kses_bad_protocol( wp_kses_normalize_entities( $x ), wp_allowed_protocols() );
@@ -164,8 +166,14 @@ function test_wp_kses_bad_protocol() {
case 24:
$this->assertEquals( 'feed:alert(1)', $result );
break;
case 26:
$this->assertEquals( 'javascript&#58alert(1)', $result );
break;
case 27:
$this->assertEquals( 'javascript&#x3ax=1;alert(1)', $result );
break;
default:
$this->fail( "wp_kses_bad_protocol failed on $x. Result: $result" );
$this->fail( "wp_kses_bad_protocol failed on $k, $x. Result: $result" );
}
}
}

0 comments on commit 19a8957

Please sign in to comment.
You can’t perform that action at this time.