<?php
/**
 * kses 0.2.2 - HTML/XHTML filter that only allows some elements and attributes
 * Copyright (C) 2002, 2003, 2005  Ulf Harnhammar
 *
 * This program is free software and open source software; you can redistribute
 * it and/or modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation; either version 2 of the License,
 * or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
 * more details.
 *
 * You should have received a copy of the GNU General Public License along
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
 * http://www.gnu.org/licenses/gpl.html
 *
 * [kses strips evil scripts!]
 *
 * Added wp_ prefix to avoid conflicts with existing kses users
 *
 * @version 0.2.2
 * @copyright (C) 2002, 2003, 2005
 * @author Ulf Harnhammar <http://advogato.org/person/metaur/>
 *
 * @package External
 * @subpackage KSES
 */

/**
 * Specifies the default allowable HTML tags.
 *
 * Using `CUSTOM_TAGS` is not recommended and should be considered deprecated. The
 * {@see 'wp_kses_allowed_html'} filter is more powerful and supplies context.
 *
 * @see wp_kses_allowed_html()
 * @since 1.2.0
 *
 * @var array[]|false Array of default allowable HTML tags, or false to use the defaults.
 */
if ( ! defined( 'CUSTOM_TAGS' ) ) {
	define( 'CUSTOM_TAGS', false );
}

// Ensure that these variables are added to the global namespace
// (e.g. if using namespaces / autoload in the current PHP environment).
// `$allowedxmlnamedentities` is listed as well because it is kept below as a
// backward-compatible alias of `$allowedxmlentitynames`.
global $allowedposttags, $allowedtags, $allowedentitynames, $allowedxmlentitynames, $allowedxmlnamedentities;

if ( ! CUSTOM_TAGS ) {
	/**
	 * KSES global for default allowable HTML tags.
	 *
	 * Can be overridden with the `CUSTOM_TAGS` constant.
	 *
	 * @var array[] $allowedposttags Array of default allowable HTML tags.
	 * @since 2.0.0
	 */
	$allowedposttags = array(
		'address'    => array(),
		'a'          => array(
			'href'     => true,
			'rel'      => true,
			'rev'      => true,
			'name'     => true,
			'target'   => true,
			'download' => array(
				'valueless' => 'y',
			),
		),
		'abbr'       => array(),
		'acronym'    => array(),
		'area'       => array(
			'alt'    => true,
			'coords' => true,
			'href'   => true,
			'nohref' => true,
			'shape'  => true,
			'target' => true,
		),
		'article'    => array(
			'align'    => true,
			'dir'      => true,
			'lang'     => true,
			'xml:lang' => true,
		),
		'aside'      => array(
			'align'    => true,
			'dir'      => true,
			'lang'     => true,
			'xml:lang' => true,
		),
		'audio'      => array(
			'autoplay' => true,
			'controls' => true,
			'loop'     => true,
			'muted'    => true,
			'preload'  => true,
			'src'      => true,
		),
		'b'          => array(),
		'bdo'        => array(
			'dir' => true,
		),
		'big'        => array(),
		'blockquote' => array(
			'cite'     => true,
			'lang'     => true,
			'xml:lang' => true,
		),
		'br'         => array(),
		'button'     => array(
			'disabled' => true,
			'name'     => true,
			'type'     => true,
			'value'    => true,
		),
		'caption'    => array(
			'align' => true,
		),
		'cite'       => array(
			'dir'  => true,
			'lang' => true,
		),
		'code'       => array(),
		'col'        => array(
			'align'   => true,
			'char'    => true,
			'charoff' => true,
			'span'    => true,
			'dir'     => true,
			'valign'  => true,
			'width'   => true,
		),
		'colgroup'   => array(
			'align'   => true,
			'char'    => true,
			'charoff' => true,
			'span'    => true,
			'valign'  => true,
			'width'   => true,
		),
		'del'        => array(
			'datetime' => true,
		),
		'dd'         => array(),
		'dfn'        => array(),
		'details'    => array(
			'align'    => true,
			'dir'      => true,
			'lang'     => true,
			'open'     => true,
			'xml:lang' => true,
		),
		'div'        => array(
			'align'    => true,
			'dir'      => true,
			'lang'     => true,
			'xml:lang' => true,
		),
		'dl'         => array(),
		'dt'         => array(),
		'em'         => array(),
		'fieldset'   => array(),
		'figure'     => array(
			'align'    => true,
			'dir'      => true,
			'lang'     => true,
			'xml:lang' => true,
		),
		'figcaption' => array(
			'align'    => true,
			'dir'      => true,
			'lang'     => true,
			'xml:lang' => true,
		),
		'font'       => array(
			'color' => true,
			'face'  => true,
			'size'  => true,
		),
		'footer'     => array(
			'align'    => true,
			'dir'      => true,
			'lang'     => true,
			'xml:lang' => true,
		),
		'h1'         => array(
			'align' => true,
		),
		'h2'         => array(
			'align' => true,
		),
		'h3'         => array(
			'align' => true,
		),
		'h4'         => array(
			'align' => true,
		),
		'h5'         => array(
			'align' => true,
		),
		'h6'         => array(
			'align' => true,
		),
		'header'     => array(
			'align'    => true,
			'dir'      => true,
			'lang'     => true,
			'xml:lang' => true,
		),
		'hgroup'     => array(
			'align'    => true,
			'dir'      => true,
			'lang'     => true,
			'xml:lang' => true,
		),
		'hr'         => array(
			'align'   => true,
			'noshade' => true,
			'size'    => true,
			'width'   => true,
		),
		'i'          => array(),
		'img'        => array(
			'alt'      => true,
			'align'    => true,
			'border'   => true,
			'height'   => true,
			'hspace'   => true,
			'loading'  => true,
			'longdesc' => true,
			'vspace'   => true,
			'src'      => true,
			'usemap'   => true,
			'width'    => true,
		),
		'ins'        => array(
			'datetime' => true,
			'cite'     => true,
		),
		'kbd'        => array(),
		'label'      => array(
			'for' => true,
		),
		'legend'     => array(
			'align' => true,
		),
		'li'         => array(
			'align' => true,
			'value' => true,
		),
		'main'       => array(
			'align'    => true,
			'dir'      => true,
			'lang'     => true,
			'xml:lang' => true,
		),
		'map'        => array(
			'name' => true,
		),
		'mark'       => array(),
		'menu'       => array(
			'type' => true,
		),
		'nav'        => array(
			'align'    => true,
			'dir'      => true,
			'lang'     => true,
			'xml:lang' => true,
		),
		'p'          => array(
			'align'    => true,
			'dir'      => true,
			'lang'     => true,
			'xml:lang' => true,
		),
		'pre'        => array(
			'width' => true,
		),
		'q'          => array(
			'cite' => true,
		),
		's'          => array(),
		'samp'       => array(),
		'span'       => array(
			'dir'      => true,
			'align'    => true,
			'lang'     => true,
			'xml:lang' => true,
		),
		'section'    => array(
			'align'    => true,
			'dir'      => true,
			'lang'     => true,
			'xml:lang' => true,
		),
		'small'      => array(),
		'strike'     => array(),
		'strong'     => array(),
		'sub'        => array(),
		'summary'    => array(
			'align'    => true,
			'dir'      => true,
			'lang'     => true,
			'xml:lang' => true,
		),
		'sup'        => array(),
		'table'      => array(
			'align'       => true,
			'bgcolor'     => true,
			'border'      => true,
			'cellpadding' => true,
			'cellspacing' => true,
			'dir'         => true,
			'rules'       => true,
			'summary'     => true,
			'width'       => true,
		),
		'tbody'      => array(
			'align'   => true,
			'char'    => true,
			'charoff' => true,
			'valign'  => true,
		),
		'td'         => array(
			'abbr'    => true,
			'align'   => true,
			'axis'    => true,
			'bgcolor' => true,
			'char'    => true,
			'charoff' => true,
			'colspan' => true,
			'dir'     => true,
			'headers' => true,
			'height'  => true,
			'nowrap'  => true,
			'rowspan' => true,
			'scope'   => true,
			'valign'  => true,
			'width'   => true,
		),
		'textarea'   => array(
			'cols'     => true,
			'rows'     => true,
			'disabled' => true,
			'name'     => true,
			'readonly' => true,
		),
		'tfoot'      => array(
			'align'   => true,
			'char'    => true,
			'charoff' => true,
			'valign'  => true,
		),
		'th'         => array(
			'abbr'    => true,
			'align'   => true,
			'axis'    => true,
			'bgcolor' => true,
			'char'    => true,
			'charoff' => true,
			'colspan' => true,
			'headers' => true,
			'height'  => true,
			'nowrap'  => true,
			'rowspan' => true,
			'scope'   => true,
			'valign'  => true,
			'width'   => true,
		),
		'thead'      => array(
			'align'   => true,
			'char'    => true,
			'charoff' => true,
			'valign'  => true,
		),
		'title'      => array(),
		'tr'         => array(
			'align'   => true,
			'bgcolor' => true,
			'char'    => true,
			'charoff' => true,
			'valign'  => true,
		),
		'track'      => array(
			'default' => true,
			'kind'    => true,
			'label'   => true,
			'src'     => true,
			'srclang' => true,
		),
		'tt'         => array(),
		'u'          => array(),
		'ul'         => array(
			'type' => true,
		),
		'ol'         => array(
			'start'    => true,
			'type'     => true,
			'reversed' => true,
		),
		'var'        => array(),
		'video'      => array(
			'autoplay'    => true,
			'controls'    => true,
			'height'      => true,
			'loop'        => true,
			'muted'       => true,
			'playsinline' => true,
			'poster'      => true,
			'preload'     => true,
			'src'         => true,
			'width'       => true,
		),
	);

	/**
	 * @var array[] $allowedtags Array of KSES allowed HTML elements.
	 * @since 1.0.0
	 */
	$allowedtags = array(
		'a'          => array(
			'href'  => true,
			'title' => true,
		),
		'abbr'       => array(
			'title' => true,
		),
		'acronym'    => array(
			'title' => true,
		),
		'b'          => array(),
		'blockquote' => array(
			'cite' => true,
		),
		'cite'       => array(),
		'code'       => array(),
		'del'        => array(
			'datetime' => true,
		),
		'em'         => array(),
		'i'          => array(),
		'q'          => array(
			'cite' => true,
		),
		's'          => array(),
		'strike'     => array(),
		'strong'     => array(),
	);

	/**
	 * @var string[] $allowedentitynames Array of KSES allowed HTML entity names.
	 * @since 1.0.0
	 */
	$allowedentitynames = array(
		'nbsp', 'iexcl', 'cent', 'pound', 'curren', 'yen', 'brvbar', 'sect',
		'uml', 'copy', 'ordf', 'laquo', 'not', 'shy', 'reg', 'macr',
		'deg', 'plusmn', 'acute', 'micro', 'para', 'middot', 'cedil', 'ordm',
		'raquo', 'iquest',
		'Agrave', 'Aacute', 'Acirc', 'Atilde', 'Auml', 'Aring', 'AElig', 'Ccedil',
		'Egrave', 'Eacute', 'Ecirc', 'Euml', 'Igrave', 'Iacute', 'Icirc', 'Iuml',
		'ETH', 'Ntilde', 'Ograve', 'Oacute', 'Ocirc', 'Otilde', 'Ouml', 'times',
		'Oslash', 'Ugrave', 'Uacute', 'Ucirc', 'Uuml', 'Yacute', 'THORN', 'szlig',
		'agrave', 'aacute', 'acirc', 'atilde', 'auml', 'aring', 'aelig', 'ccedil',
		'egrave', 'eacute', 'ecirc', 'euml', 'igrave', 'iacute', 'icirc', 'iuml',
		'eth', 'ntilde', 'ograve', 'oacute', 'ocirc', 'otilde', 'ouml', 'divide',
		'oslash', 'ugrave', 'uacute', 'ucirc', 'uuml', 'yacute', 'thorn', 'yuml',
		'quot', 'amp', 'lt', 'gt', 'apos',
		'OElig', 'oelig', 'Scaron', 'scaron', 'Yuml', 'circ', 'tilde',
		'ensp', 'emsp', 'thinsp', 'zwnj', 'zwj', 'lrm', 'rlm',
		'ndash', 'mdash', 'lsquo', 'rsquo', 'sbquo', 'ldquo', 'rdquo', 'bdquo',
		'dagger', 'Dagger', 'permil', 'lsaquo', 'rsaquo', 'euro', 'fnof',
		'Alpha', 'Beta', 'Gamma', 'Delta', 'Epsilon', 'Zeta', 'Eta', 'Theta',
		'Iota', 'Kappa', 'Lambda', 'Mu', 'Nu', 'Xi', 'Omicron', 'Pi',
		'Rho', 'Sigma', 'Tau', 'Upsilon', 'Phi', 'Chi', 'Psi', 'Omega',
		'alpha', 'beta', 'gamma', 'delta', 'epsilon', 'zeta', 'eta', 'theta',
		'iota', 'kappa', 'lambda', 'mu', 'nu', 'xi', 'omicron', 'pi',
		'rho', 'sigmaf', 'sigma', 'tau', 'upsilon', 'phi', 'chi', 'psi',
		'omega', 'thetasym', 'upsih', 'piv',
		'bull', 'hellip', 'prime', 'Prime', 'oline', 'frasl', 'weierp', 'image',
		'real', 'trade', 'alefsym',
		'larr', 'uarr', 'rarr', 'darr', 'harr', 'crarr',
		'lArr', 'uArr', 'rArr', 'dArr', 'hArr',
		'forall', 'part', 'exist', 'empty', 'nabla', 'isin', 'notin', 'ni',
		'prod', 'sum', 'minus', 'lowast', 'radic', 'prop', 'infin', 'ang',
		'and', 'or', 'cap', 'cup', 'int', 'sim', 'cong', 'asymp',
		'ne', 'equiv', 'le', 'ge', 'sub', 'sup', 'nsub', 'sube',
		'supe', 'oplus', 'otimes', 'perp', 'sdot',
		'lceil', 'rceil', 'lfloor', 'rfloor', 'lang', 'rang', 'loz',
		'spades', 'clubs', 'hearts', 'diams',
		'sup1', 'sup2', 'sup3', 'frac14', 'frac12', 'frac34', 'there4',
	);

	/**
	 * @var string[] $allowedxmlentitynames Array of KSES allowed XML entity names.
	 * @since 5.5.0
	 */
	$allowedxmlentitynames = array(
		'amp',
		'lt',
		'gt',
		'apos',
		'quot',
	);

	/*
	 * Backward-compatible alias. The list used to be assigned only to
	 * `$allowedxmlnamedentities`, which left the declared and documented
	 * `$allowedxmlentitynames` global undefined. Both names are populated so
	 * that code reading either one keeps working.
	 */
	$allowedxmlnamedentities = $allowedxmlentitynames;

	$allowedposttags = array_map( '_wp_add_global_attributes', $allowedposttags );
} else {
	// CUSTOM_TAGS is set: only pass the existing globals through wp_kses_array_lc().
	$allowedtags     = wp_kses_array_lc( $allowedtags );
	$allowedposttags = wp_kses_array_lc( $allowedposttags );
}

/**
 * Filters text content and strips out disallowed HTML.
 *
 * This function makes sure that only the allowed HTML element names, attribute
 * names, attribute values, and HTML entities will occur in the given text string.
*
 * This function expects unslashed data.
 *
 * @see wp_kses_post() for specifically filtering post content and fields.
 * @see wp_allowed_protocols() for the default allowed protocols in link URLs.
 *
 * @since 1.0.0
 *
 * @param string         $string            Text content to filter.
 * @param array[]|string $allowed_html      An array of allowed HTML elements and attributes,
 *                                          or a context name such as 'post'. See wp_kses_allowed_html()
 *                                          for the list of accepted context names.
 * @param string[]       $allowed_protocols Array of allowed URL protocols.
 * @return string Filtered content containing only the allowed HTML.
 */
function wp_kses( $string, $allowed_html, $allowed_protocols = array() ) {
	// No protocol list supplied: use the one from wp_allowed_protocols().
	$protocols = empty( $allowed_protocols ) ? wp_allowed_protocols() : $allowed_protocols;

	// Pre-process the text, then let the `pre_kses` hook see it before splitting.
	$text = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
	$text = wp_kses_normalize_entities( $text );
	$text = wp_kses_hook( $text, $allowed_html, $protocols );

	return wp_kses_split( $text, $allowed_html, $protocols );
}

/**
 * Sanitizes a single HTML attribute (`name`, or `name=value`) for an element.
 *
 * The value is escaped with `esc_attr()`, URI attributes are run through
 * `wp_kses_bad_protocol()`, and the attribute is finally checked against the
 * 'post' context allow-list. Leading and trailing whitespace of the input is
 * kept around the result.
 *
 * @since 4.2.3
 *
 * @param string $string  The 'whole' attribute, including name and value.
 * @param string $element The HTML element name to which the attribute belongs.
 * @return string Filtered attribute. Empty string when a quoted value is not
 *                terminated by the same quote character.
 */
function wp_kses_one_attr( $string, $element ) {
	$uri_attrs         = wp_kses_uri_attributes();
	$allowed_html      = wp_kses_allowed_html( 'post' );
	$allowed_protocols = wp_allowed_protocols();
	$string            = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );

	// Remember the surrounding whitespace so it can be re-attached at the end.
	$found = array();
	preg_match( '/^\s*/', $string, $found );
	$lead = $found[0];
	preg_match( '/\s*$/', $string, $found );
	$trail = $found[0];

	// A negative length of zero would cut everything, so only pass it when there is a trail.
	$string = empty( $trail )
		? substr( $string, strlen( $lead ) )
		: substr( $string, strlen( $lead ), -strlen( $trail ) );

	// Split into name and (optional) value on the first equals sign.
	$parts = preg_split( '/\s*=\s*/', $string, 2 );
	$name  = $parts[0];

	if ( 2 == count( $parts ) ) {
		$value = $parts[1];

		// Work out which quote character wraps the value, if any.
		$quote = ( '' === $value ) ? '' : $value[0];

		if ( '"' === $quote || "'" === $quote ) {
			// An opening quote without the matching closing quote is rejected outright.
			if ( substr( $value, -1 ) != $quote ) {
				return '';
			}
			$value = substr( $value, 1, -1 );
		} else {
			// Unquoted (or empty) values are re-emitted with double quotes.
			$quote = '"';
		}

		// Escape quotes, angle brackets, and entities.
		$value = esc_attr( $value );

		// URI-bearing attributes additionally get their protocol checked.
		if ( in_array( strtolower( $name ), $uri_attrs, true ) ) {
			$value = wp_kses_bad_protocol( $value, $allowed_protocols );
		}

		$string = "$name=$quote$value$quote";
		$vless  = 'n';
	} else {
		// No equals sign: valueless attribute.
		$value = '';
		$vless = 'y';
	}

	// Allow-list check; takes $name, $value and $string by reference and blanks them on rejection.
	wp_kses_attr_check( $name, $value, $string, $vless, $element, $allowed_html );

	// Put the original whitespace back.
	return $lead . $string . $trail;
}

/**
 * Returns an array of allowed HTML tags and attributes for a given context.
 *
 * @since 3.5.0
 * @since 5.0.1 `form` removed as allowable HTML tag.
 *
 * @global array $allowedposttags
 * @global array $allowedtags
 * @global array $allowedentitynames
 *
 * @param string|array $context The context for which to retrieve tags. Allowed values are 'post',
 *                              'strip', 'data', 'entities', or the name of a field filter such as
 *                              'pre_user_description'.
* @return array Array of allowed HTML tags and their allowed attributes.
 */
function wp_kses_allowed_html( $context = '' ) {
	global $allowedposttags, $allowedtags, $allowedentitynames;

	// An explicit allow-list was handed in: only run it through the filter.
	if ( is_array( $context ) ) {
		/**
		 * Filters the HTML that is allowed for a given context.
		 *
		 * @since 3.5.0
		 *
		 * @param array[]|string $context      Context to judge allowed tags by.
		 * @param string         $context_type Context name.
		 */
		return apply_filters( 'wp_kses_allowed_html', $context, 'explicit' );
	}

	switch ( $context ) {
		case 'post':
			/** This filter is documented in wp-includes/kses.php */
			$tags = apply_filters( 'wp_kses_allowed_html', $allowedposttags, $context );

			// 5.0.1 removed the `<form>` tag; re-allow it when a filter allows its
			// sub-elements `<input>` or `<select>` without allowing `<form>` itself.
			$restore_form = ! CUSTOM_TAGS
				&& ! isset( $tags['form'] )
				&& ( isset( $tags['input'] ) || isset( $tags['select'] ) );

			if ( ! $restore_form ) {
				return $tags;
			}

			// Start over from the unfiltered defaults, add `<form>`, and filter again.
			$tags         = $allowedposttags;
			$tags['form'] = array(
				'action'         => true,
				'accept'         => true,
				'accept-charset' => true,
				'enctype'        => true,
				'method'         => true,
				'name'           => true,
				'target'         => true,
			);

			/** This filter is documented in wp-includes/kses.php */
			return apply_filters( 'wp_kses_allowed_html', $tags, $context );

		case 'user_description':
		case 'pre_user_description':
			// Same as the basic set, plus `rel` on links.
			$base             = $allowedtags;
			$base['a']['rel'] = true;
			break;

		case 'strip':
			$base = array();
			break;

		case 'entities':
			$base = $allowedentitynames;
			break;

		case 'data':
		default:
			$base = $allowedtags;
			break;
	}

	/** This filter is documented in wp-includes/kses.php */
	return apply_filters( 'wp_kses_allowed_html', $base, $context );
}

/**
 * Runs content through the KSES hook.
 *
 * The only hook applied here is {@see 'pre_kses'}; it receives all three
 * parameters and its return value is returned as-is.
 *
 * @since 1.0.0
 *
 * @param string         $string            Content to filter through KSES.
 * @param array[]|string $allowed_html      An array of allowed HTML elements and attributes,
 *                                          or a context name such as 'post'. See wp_kses_allowed_html()
 *                                          for the list of accepted context names.
 * @param string[]       $allowed_protocols Array of allowed URL protocols.
 * @return string Filtered content through {@see 'pre_kses'} hook.
 */
function wp_kses_hook( $string, $allowed_html, $allowed_protocols ) {
	/**
	 * Filters content to be run through KSES.
	 *
	 * @since 2.3.0
	 *
	 * @param string         $string            Content to filter through KSES.
	 * @param array[]|string $allowed_html      An array of allowed HTML elements and attributes,
	 *                                          or a context name such as 'post'. See wp_kses_allowed_html()
	 *                                          for the list of accepted context names.
	 * @param string[]       $allowed_protocols Array of allowed URL protocols.
	 */
	$filtered = apply_filters( 'pre_kses', $string, $allowed_html, $allowed_protocols );

	return $filtered;
}

/**
 * Reports which KSES version this file is based on.
 *
 * @since 1.0.0
 *
 * @return string KSES version number.
 */
function wp_kses_version() {
	$version = '0.2.2';

	return $version;
}

/**
 * Searches for HTML tags, no matter how malformed.
 *
 * It also matches stray `>` characters.
 *
 * @since 1.0.0
 *
 * @global array[]|string $pass_allowed_html      An array of allowed HTML elements and attributes,
 *                                                or a context name such as 'post'.
 * @global string[]       $pass_allowed_protocols Array of allowed URL protocols.
 *
 * @param string         $string            Content to filter.
* @param array[]|string $allowed_html      An array of allowed HTML elements and attributes,
 *                                          or a context name such as 'post'. See wp_kses_allowed_html()
 *                                          for the list of accepted context names.
 * @param string[]       $allowed_protocols Array of allowed URL protocols.
 * @return string Content with fixed HTML tags
 */
function wp_kses_split( $string, $allowed_html, $allowed_protocols ) {
	global $pass_allowed_html, $pass_allowed_protocols;

	// The regexp callback only receives the match, so the remaining
	// arguments are handed over through these two globals.
	$pass_allowed_html      = $allowed_html;
	$pass_allowed_protocols = $allowed_protocols;

	// Matches, in order: an HTML comment (closed or running to the end of the
	// string), a tag (closed or running to the end), or a lone ">".
	return preg_replace_callback( '%(<!--.*?(-->|$))|(<[^>]*(>|$)|>)%', '_wp_kses_split_callback', $string );
}

/**
 * Returns an array of HTML attribute names whose value contains a URL.
 *
 * This function returns a list of all HTML attributes that must contain
 * a URL according to the HTML specification.
 *
 * This list includes URI attributes both allowed and disallowed by KSES.
 *
 * @link https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes
 *
 * @since 5.0.1
 *
 * @return string[] HTML attribute names whose value contains a URL.
 */
function wp_kses_uri_attributes() {
	$uri_attributes = array(
		'action',
		'archive',
		'background',
		'cite',
		'classid',
		'codebase',
		'data',
		'formaction',
		'href',
		'icon',
		'longdesc',
		'manifest',
		'poster',
		'profile',
		'src',
		'usemap',
		'xmlns',
	);

	/**
	 * Filters the list of attributes that are required to contain a URL.
	 *
	 * Use this filter to add any `data-` attributes that are required to be
	 * validated as a URL.
	 *
	 * @since 5.0.1
	 *
	 * @param string[] $uri_attributes HTML attribute names whose value contains a URL.
	 */
	$uri_attributes = apply_filters( 'wp_kses_uri_attributes', $uri_attributes );

	return $uri_attributes;
}

/**
 * Callback for `wp_kses_split()`.
 *
 * Forwards the full regexp match, together with the allow-lists that
 * `wp_kses_split()` stored in globals, to `wp_kses_split2()`.
 *
 * @since 3.1.0
 * @access private
 * @ignore
 *
 * @global array[]|string $pass_allowed_html      An array of allowed HTML elements and attributes,
 *                                                or a context name such as 'post'.
 * @global string[]       $pass_allowed_protocols Array of allowed URL protocols.
 *
 * @param array $match preg_replace regexp matches
 * @return string
 */
function _wp_kses_split_callback( $match ) {
	global $pass_allowed_html, $pass_allowed_protocols;

	return wp_kses_split2( $match[0], $pass_allowed_html, $pass_allowed_protocols );
}

/**
 * Callback for `wp_kses_split()` for fixing malformed HTML tags.
 *
 * This function does a lot of work. It rejects some very malformed things like
 * `<:::>`. It returns an empty string, if the element isn't allowed (look ma, no
 * `strip_tags()`!). Otherwise it splits the tag into an element and an attribute
 * list.
 *
 * After the tag is split into an element and an attribute list, it is run
 * through another filter which will remove illegal attributes and once that is
 * completed, will be returned.
 *
 * A stray `>` character is returned as the entity `&gt;`.
 *
 * @access private
 * @ignore
 * @since 1.0.0
 *
 * @param string         $string            Content to filter.
 * @param array[]|string $allowed_html      An array of allowed HTML elements and attributes,
 *                                          or a context name such as 'post'. See wp_kses_allowed_html()
 *                                          for the list of accepted context names.
 * @param string[]       $allowed_protocols Array of allowed URL protocols.
 * @return string Fixed HTML element
 */
function wp_kses_split2( $string, $allowed_html, $allowed_protocols ) {
	$string = wp_kses_stripslashes( $string );

	// It matched a ">" character: encode it so it cannot close or open markup.
	if ( '<' !== substr( $string, 0, 1 ) ) {
		return '&gt;';
	}

	// Allow HTML comments.
	if ( '<!--' === substr( $string, 0, 4 ) ) {
		$string = str_replace( array( '<!--', '-->' ), '', $string );

		// Filter the comment text repeatedly until a pass no longer changes it.
		while ( ( $newstring = wp_kses( $string, $allowed_html, $allowed_protocols ) ) != $string ) {
			$string = $newstring;
		}

		if ( '' === $string ) {
			return '';
		}

		// Prevent multiple dashes in comments.
		$string = preg_replace( '/--+/', '-', $string );
		// Prevent three dashes closing a comment.
		$string = preg_replace( '/-$/', '', $string );

		return "<!--{$string}-->";
	}

	// It's seriously malformed.
	if ( ! preg_match( '%^<\s*(/\s*)?([a-zA-Z0-9-]+)([^>]*)>?$%', $string, $matches ) ) {
		return '';
	}

	$slash    = trim( $matches[1] );
	$elem     = $matches[2];
	$attrlist = $matches[3];

	if ( ! is_array( $allowed_html ) ) {
		$allowed_html = wp_kses_allowed_html( $allowed_html );
	}

	// They are using a not allowed HTML element.
	if ( ! isset( $allowed_html[ strtolower( $elem ) ] ) ) {
		return '';
	}

	// No attributes are allowed for closing elements.
	if ( '' !== $slash ) {
		return "</$elem>";
	}

	return wp_kses_attr( $elem, $attrlist, $allowed_html, $allowed_protocols );
}

/**
 * Removes all attributes, if none are allowed for this element.
 *
 * If some are allowed it calls `wp_kses_hair()` to split them further, and then
 * it builds up new HTML code from the data that `wp_kses_hair()` returns. It also
 * removes `<` and `>` characters, if there are any left. One more thing it does
 * is to check if the tag has a closing XHTML slash, and if it does, it puts one
 * in the returned code as well.
 *
 * @since 1.0.0
 *
 * @param string         $element           HTML element/tag.
 * @param string         $attr              HTML attributes from HTML element to closing HTML element tag.
* @param array[]|string $allowed_html      An array of allowed HTML elements and attributes,
 *                                          or a context name such as 'post'. See wp_kses_allowed_html()
 *                                          for the list of accepted context names.
 * @param string[]       $allowed_protocols Array of allowed URL protocols.
 * @return string Sanitized HTML element.
 */
function wp_kses_attr( $element, $attr, $allowed_html, $allowed_protocols ) {
	// A context name was given instead of an allow-list: resolve it.
	if ( ! is_array( $allowed_html ) ) {
		$allowed_html = wp_kses_allowed_html( $allowed_html );
	}

	// Carry over a closing XHTML slash when the attribute string ends with one.
	$xhtml_slash = preg_match( '%\s*/\s*$%', $attr ) ? ' /' : '';

	// Nothing (or just `true`) configured for the element: emit it without attributes.
	$tag_key = strtolower( $element );
	if ( empty( $allowed_html[ $tag_key ] ) || true === $allowed_html[ $tag_key ] ) {
		return "<$element$xhtml_slash>";
	}

	// Parse the attribute string and keep only the attributes that pass the check.
	// wp_kses_attr_check() takes name/value/whole by reference and may rewrite them.
	$kept = '';
	foreach ( wp_kses_hair( $attr, $allowed_protocols ) as $parsed ) {
		$is_allowed = wp_kses_attr_check( $parsed['name'], $parsed['value'], $parsed['whole'], $parsed['vless'], $element, $allowed_html );

		if ( $is_allowed ) {
			$kept .= ' ' . $parsed['whole'];
		}
	}

	// Remove any "<" or ">" characters.
	$kept = preg_replace( '/[<>]/', '', $kept );

	return "<$element$kept$xhtml_slash>";
}

/**
 * Determines whether an attribute is allowed.
 *
 * @since 4.2.3
 * @since 5.0.0 Add support for `data-*` wildcard attributes.
 *
 * @param string $name         The attribute name. Passed by reference. Returns empty string when not allowed.
 * @param string $value        The attribute value. Passed by reference. Returns a filtered value.
 * @param string $whole        The `name=value` input. Passed by reference.
Returns filtered input.
 * @param string $vless        Whether the attribute is valueless. Use 'y' or 'n'.
 * @param string $element      The name of the element to which this attribute belongs.
 * @param array  $allowed_html The full list of allowed elements and attributes.
 * @return bool Whether or not the attribute is allowed.
 */
function wp_kses_attr_check( &$name, &$value, &$whole, $vless, $element, $allowed_html ) {
	$attr_key = strtolower( $name );
	$tag_key  = strtolower( $element );

	// Unknown element: blank the by-reference outputs and reject.
	if ( ! isset( $allowed_html[ $tag_key ] ) ) {
		$name  = '';
		$value = '';
		$whole = '';
		return false;
	}

	$rules = $allowed_html[ $tag_key ];

	if ( ! isset( $rules[ $attr_key ] ) || '' === $rules[ $attr_key ] ) {
		/*
		 * Allow `data-*` attributes.
		 *
		 * When specifying `$allowed_html`, the attribute name should be set as
		 * `data-*` (not to be mixed with the HTML 4.0 `data` attribute, see
		 * https://www.w3.org/TR/html40/struct/objects.html#adef-data).
		 *
		 * Note: the attribute name should only contain `A-Za-z0-9_-` chars,
		 * double hyphens `--` are not accepted by WordPress.
		 */
		$is_data_attr = 0 === strpos( $attr_key, 'data-' )
			&& ! empty( $rules['data-*'] )
			&& preg_match( '/^data(?:-[a-z0-9_]+)+$/', $attr_key, $match );

		if ( ! $is_data_attr ) {
			$name  = '';
			$value = '';
			$whole = '';
			return false;
		}

		/*
		 * Register the concrete attribute name locally, with whatever
		 * restrictions were configured for `data-*` on this element.
		 */
		$rules[ $match[0] ] = $rules['data-*'];
	}

	// Inline CSS is filtered; an attribute left empty by the filter is dropped.
	if ( 'style' === $attr_key ) {
		$filtered_css = safecss_filter_attr( $value );

		if ( empty( $filtered_css ) ) {
			$name  = '';
			$value = '';
			$whole = '';
			return false;
		}

		$whole = str_replace( $value, $filtered_css, $whole );
		$value = $filtered_css;
	}

	// An array of rules means value checks; every one of them has to pass.
	if ( is_array( $rules[ $attr_key ] ) ) {
		foreach ( $rules[ $attr_key ] as $check_name => $check_value ) {
			if ( ! wp_kses_check_attr_val( $value, $vless, $check_name, $check_value ) ) {
				$name  = '';
				$value = '';
				$whole = '';
				return false;
			}
		}
	}

	return true;
}

/**
 * Parses an attribute string into a list of attribute records.
 *
 * Works as a small state machine: read a name, then either an equals sign or
 * whitespace (valueless attribute), then a double-quoted, single-quoted or
 * unquoted value. Unquoted values are re-emitted with double quotes. Values of
 * URI attributes are passed through `wp_kses_bad_protocol()`. When a name occurs
 * more than once, the first occurrence wins (`foo='bar' foo='baz'` results in
 * `foo='bar'`). Input that cannot be parsed is handed to `wp_kses_html_error()`
 * and parsing restarts on whatever that returns.
 *
 * @since 1.0.0
 *
 * @param string   $attr              Attribute list from HTML element to closing HTML element tag.
 * @param string[] $allowed_protocols Array of allowed URL protocols.
 * @return array[] Array of attribute information after parsing, keyed by attribute name.
 *                 Each entry has the keys 'name', 'value', 'whole' and 'vless'.
 */
function wp_kses_hair( $attr, $allowed_protocols ) {
	$parsed   = array();
	$state    = 0; // 0: expect a name, 1: expect "=" or whitespace, 2: expect a value.
	$attrname = '';
	$uris     = wp_kses_uri_attributes();

	// Value forms, tried in this order: pattern to match, pattern to strip, quote to emit.
	$value_forms = array(
		array( '%^"([^"]*)"(\s+|/?$)%', '/^"[^"]*"(\s+|$)/', '"' ),       // "value"
		array( "%^'([^']*)'(\s+|/?$)%", "/^'[^']*'(\s+|$)/", "'" ),       // 'value'
		array( "%^([^\s\"']+)(\s+|/?$)%", "%^[^\s\"']+(\s+|$)%", '"' ),   // value (quotes get added)
	);

	// Consume the attribute string piece by piece until nothing is left.
	while ( 0 != strlen( $attr ) ) {
		$progressed = false; // Did this pass consume anything?

		switch ( $state ) {
			case 0:
				// Attribute name.
				if ( preg_match( '/^([_a-zA-Z][-_a-zA-Z0-9:.]*)/', $attr, $match ) ) {
					$attrname   = $match[1];
					$progressed = true;
					$state      = 1;
					$attr       = preg_replace( '/^[_a-zA-Z][-_a-zA-Z0-9:.]*/', '', $attr );
				}

				break;

			case 1:
				// Equals sign: a value follows.
				if ( preg_match( '/^\s*=\s*/', $attr ) ) {
					$progressed = true;
					$state      = 2;
					$attr       = preg_replace( '/^\s*=\s*/', '', $attr );
					break;
				}

				// Whitespace: the attribute has no value.
				if ( preg_match( '/^\s+/', $attr ) ) {
					$progressed = true;
					$state      = 0;

					if ( false === array_key_exists( $attrname, $parsed ) ) {
						$parsed[ $attrname ] = array(
							'name'  => $attrname,
							'value' => '',
							'whole' => $attrname,
							'vless' => 'y',
						);
					}

					$attr = preg_replace( '/^\s+/', '', $attr );
				}

				break;

			case 2:
				foreach ( $value_forms as $form ) {
					list( $find, $strip, $quote ) = $form;

					if ( ! preg_match( $find, $attr, $match ) ) {
						continue;
					}

					$thisval = $match[1];
					if ( in_array( strtolower( $attrname ), $uris, true ) ) {
						$thisval = wp_kses_bad_protocol( $thisval, $allowed_protocols );
					}

					// First definition of a name wins; later duplicates are ignored.
					if ( false === array_key_exists( $attrname, $parsed ) ) {
						$parsed[ $attrname ] = array(
							'name'  => $attrname,
							'value' => $thisval,
							'whole' => $attrname . '=' . $quote . $thisval . $quote,
							'vless' => 'n',
						);
					}

					$progressed = true;
					$state      = 0;
					$attr       = preg_replace( $strip, '', $attr );

					// Only the first matching form is applied.
					break;
				}

				break;
		} // End switch.

		if ( ! $progressed ) { // Not well-formed, remove and try again.
			$attr  = wp_kses_html_error( $attr );
			$state = 0;
		}
	} // End while.

	if ( 1 == $state && false === array_key_exists( $attrname, $parsed ) ) {
		// Special case, for when the attribute list ends with a valueless
		// attribute like "selected".
		$parsed[ $attrname ] = array(
			'name'  => $attrname,
			'value' => '',
			'whole' => $attrname,
			'vless' => 'y',
		);
	}

	return $parsed;
}

/**
 * Finds all attributes of an HTML element.
 *
 * Does not modify input.  May return "evil" output.
 *
 * Based on `wp_kses_split2()` and `wp_kses_attr()`.
 *
 * @since 4.2.3
 *
 * @param string $element HTML element.
 * @return array|false List of attributes found in the element. Returns false on failure.
/**
 * Finds all attributes of an HTML element.
 *
 * Does not modify input. May return "evil" output.
 *
 * The element is split into its opening part (`<` plus the element name), one
 * entry per attribute as found by `wp_kses_hair_parse()`, and its closing part
 * (an optional XHTML slash plus `>`).
 *
 * @since 4.2.3
 *
 * @param string $element HTML element.
 * @return array|false List of attributes found in the element. Returns false on failure,
 *                     which includes closing elements.
 */
function wp_kses_attr_parse( $element ) {
	if ( 1 !== preg_match( '%^(<\s*)(/\s*)?([a-zA-Z0-9]+\s*)([^>]*)(>?)$%', $element, $parts ) ) {
		return false;
	}

	list( , $begin, $slash, $elname, $attr, $end ) = $parts;

	// Closing elements do not get parsed.
	if ( '' !== $slash ) {
		return false;
	}

	// Is there a closing XHTML slash at the end of the attributes?
	$xhtml_slash = '';

	if ( 1 === preg_match( '%\s*/\s*$%', $attr, $slash_match ) ) {
		$xhtml_slash = $slash_match[0];
		$attr        = substr( $attr, 0, -strlen( $xhtml_slash ) );
	}

	// Split it.
	$attributes = wp_kses_hair_parse( $attr );

	if ( false === $attributes ) {
		return false;
	}

	// Make sure all input is returned by adding front and back matter.
	// `$slash` is known to be empty here, so the front matter is `<` plus the name.
	return array_merge(
		array( $begin . $elname ),
		$attributes,
		array( $xhtml_slash . $end )
	);
}

/**
 * Builds an attribute list from string containing attributes.
 *
 * Does not modify input. May return "evil" output.
 * In case of unexpected input, returns false instead of stripping things.
 *
 * Unlike `wp_kses_hair()`, the result is a flat list of the raw attribute strings.
 *
 * @since 4.2.3
 *
 * @param string $attr Attribute list from HTML element to closing HTML element tag.
 * @return array|false List of attributes found in $attr. Returns false on failure.
 */
function wp_kses_hair_parse( $attr ) {
	if ( '' === $attr ) {
		return array();
	}

	$name_forms = array(
		'[_a-zA-Z][-_a-zA-Z0-9:.]*', // Attribute name.
		'\[\[?[^\[\]]+\]\]?',        // Shortcode in the name position implies unfiltered_html.
	);

	$value_forms = array(
		'"[^"]*"',                // Double-quoted.
		"'[^']*'",                // Single-quoted.
		'[^\s"\']+' . '(?:\s|$)', // Non-quoted; must be followed by a space.
	);

	$regex = '(?:' . implode( '|', $name_forms ) . ')'
		. '(?:'
		. '\s*=\s*' . '(?:' . implode( '|', $value_forms ) . ')' // All values begin with '='.
		. '|'
		. '(?:\s|$)'                                             // If attribute has no value, space is required.
		. ')'
		. '\s*';                                                 // Trailing space is optional except as mentioned above.

	// Although it is possible to reduce this procedure to a single regexp,
	// we must run that regexp twice to get exactly the expected result.
	$validation = '%^(' . $regex . ')+$%';
	$extraction = '%' . $regex . '%';

	if ( 1 !== preg_match( $validation, $attr ) ) {
		return false;
	}

	preg_match_all( $extraction, $attr, $pieces );

	return $pieces[0];
}

/**
 * Performs different checks for attribute values.
 *
 * The currently implemented checks are "maxlen", "minlen", "maxval", "minval",
 * and "valueless". An unknown check name always passes.
 *
 * @since 1.0.0
 *
 * @param string $value      Attribute value.
 * @param string $vless      Whether the attribute is valueless. Use 'y' or 'n'.
 * @param string $checkname  What $checkvalue is checking for.
 * @param mixed  $checkvalue What constraint the value should pass.
 * @return bool Whether check passes.
 */
function wp_kses_check_attr_val( $value, $vless, $checkname, $checkvalue ) {
	// Shape shared by the numeric checks: up to six digits with limited surrounding whitespace.
	$small_integer = '/^\s{0,6}[0-9]{1,6}\s{0,6}$/';

	switch ( strtolower( $checkname ) ) {
		case 'maxlen':
			// The value's length must not be greater than the given value.
			return ! ( strlen( $value ) > $checkvalue );

		case 'minlen':
			// The value's length must not be smaller than the given value.
			return ! ( strlen( $value ) < $checkvalue );

		case 'maxval':
			// The value must be a small non-negative integer that is not greater than the given value.
			return (bool) preg_match( $small_integer, $value ) && ! ( $value > $checkvalue );

		case 'minval':
			// The value must be a small non-negative integer that is not smaller than the given value.
			return (bool) preg_match( $small_integer, $value ) && ! ( $value < $checkvalue );

		case 'valueless':
			/*
			 * A "y" or "Y" means the attribute must not have a value (`<option selected>`),
			 * an "n" or "N" means it must have one (`<a href="blah">`).
			 */
			return strtolower( $checkvalue ) == $vless;
	}

	return true;
}
/**
 * Sanitizes a string and removes disallowed URL protocols.
 *
 * Control characters are stripped first. `wp_kses_bad_protocol_once()` is then
 * applied repeatedly until the string stops changing, so a value like
 * `javascript:javascript:alert(57)` cannot slip through. If the string is still
 * changing after six passes, an empty string is returned.
 *
 * @since 1.0.0
 *
 * @param string   $string            Content to filter bad protocols from.
 * @param string[] $allowed_protocols Array of allowed URL protocols.
 * @return string Filtered content.
 */
function wp_kses_bad_protocol( $string, $allowed_protocols ) {
	$string = wp_kses_no_null( $string );

	for ( $pass = 0; $pass < 6; $pass++ ) {
		$before = $string;
		$string = wp_kses_bad_protocol_once( $string, $allowed_protocols );

		// A pass that changes nothing means the string is fully sanitized.
		if ( $before == $string ) {
			return $string;
		}
	}

	// Still changing after the last pass: give up on the value.
	return '';
}

/**
 * Removes any invalid control characters in a text string.
 *
 * Also removes any instance of the `\0` string, unless told to keep it.
 *
 * @since 1.0.0
 *
 * @param string $string  Content to filter null characters from.
 * @param array  $options Set 'slash_zero' => 'keep' when '\0' is allowed. Default is 'remove'.
 * @return string Filtered content.
 */
function wp_kses_no_null( $string, $options = null ) {
	$slash_zero = isset( $options['slash_zero'] ) ? $options['slash_zero'] : 'remove';

	// Tab, line feed and carriage return are the only control characters left in place.
	$string = preg_replace( '/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $string );

	if ( 'remove' === $slash_zero ) {
		$string = preg_replace( '/\\\\+0+/', '', $string );
	}

	return $string;
}
/**
 * Strips slashes from in front of quotes.
 *
 * This function changes the character sequence `\"` to just `"`. It leaves all other
 * slashes alone. The quoting from `preg_replace(//e)` requires this.
 *
 * @since 1.0.0
 *
 * @param string $string String to strip slashes from.
 * @return string Fixed string with quoted slashes.
 */
function wp_kses_stripslashes( $string ) {
	return preg_replace( '%\\\\"%', '"', $string );
}

/**
 * Converts the keys of an array to lowercase.
 *
 * Both the outer keys and the keys of each nested array are lowercased; the
 * nested values are copied unchanged.
 *
 * @since 1.0.0
 *
 * @param array $inarray Unfiltered array.
 * @return array Fixed array with all lowercase keys.
 */
function wp_kses_array_lc( $inarray ) {
	$outarray = array();

	foreach ( (array) $inarray as $inkey => $inval ) {
		$outkey              = strtolower( $inkey );
		$outarray[ $outkey ] = array();

		foreach ( (array) $inval as $inkey2 => $inval2 ) {
			$outkey2                         = strtolower( $inkey2 );
			$outarray[ $outkey ][ $outkey2 ] = $inval2;
		}
	}

	return $outarray;
}

/**
 * Handles parsing errors in `wp_kses_hair()`.
 *
 * The general plan is to remove everything to and including some whitespace,
 * but it deals with quotes and apostrophes as well.
 *
 * @since 1.0.0
 *
 * @param string $string Remaining attribute text that could not be parsed.
 * @return string The text with its unparsable leading portion removed.
 */
function wp_kses_html_error( $string ) {
	return preg_replace( '/^("[^"]*("|$)|\'[^\']*(\'|$)|\S)*\s*/', '', $string );
}

/**
 * Sanitizes content from bad protocols and other characters.
 *
 * This function searches for URL protocols at the beginning of the string, while
 * handling whitespace and HTML entities. The first colon, whether written
 * literally or as `&#58;`, `&#x3a;` or `&colon;`, ends the protocol; a colon that
 * only appears after `/?` is not treated as a protocol separator.
 *
 * @since 1.0.0
 *
 * @param string   $string            Content to check for bad protocols.
 * @param string[] $allowed_protocols Array of allowed URL protocols.
 * @param int      $count             Depth of call recursion to this function.
 * @return string Sanitized content.
 */
function wp_kses_bad_protocol_once( $string, $allowed_protocols, $count = 1 ) {
	// Terminate numeric colon entities that lack their semicolon so the split below sees them.
	$string  = preg_replace( '/(&#0*58(?![;0-9])|&#x0*3a(?![;a-f0-9]))/i', '$1;', $string );
	$string2 = preg_split( '/:|&#0*58;|&#x0*3a;|&colon;/i', $string, 2 );

	if ( isset( $string2[1] ) && ! preg_match( '%/\?%', $string2[0] ) ) {
		$string   = trim( $string2[1] );
		$protocol = wp_kses_bad_protocol_once2( $string2[0], $allowed_protocols );

		if ( 'feed:' === $protocol ) {
			// `feed:` may wrap another protocol; limit how deep that nesting can go.
			if ( $count > 2 ) {
				return '';
			}

			$string = wp_kses_bad_protocol_once( $string, $allowed_protocols, ++$count );

			if ( empty( $string ) ) {
				return $string;
			}
		}

		$string = $protocol . $string;
	}

	return $string;
}

/**
 * Callback for `wp_kses_bad_protocol_once()` regular expression.
 *
 * This function processes URL protocols, checks to see if they're in the
 * list of allowed protocols or not, and returns different data depending
 * on the answer.
 *
 * @access private
 * @ignore
 * @since 1.0.0
 *
 * @param string   $string            URI scheme to check against the list of allowed protocols.
 * @param string[] $allowed_protocols Array of allowed URL protocols.
 * @return string The normalized, lowercased scheme followed by a colon when it is allowed,
 *                an empty string otherwise.
 */
function wp_kses_bad_protocol_once2( $string, $allowed_protocols ) {
	// Normalize: decode numeric entities, drop whitespace and control characters, lowercase.
	$string2 = wp_kses_decode_entities( $string );
	$string2 = preg_replace( '/\s/', '', $string2 );
	$string2 = wp_kses_no_null( $string2 );
	$string2 = strtolower( $string2 );

	$allowed = false;
	foreach ( (array) $allowed_protocols as $one_protocol ) {
		if ( strtolower( $one_protocol ) == $string2 ) {
			$allowed = true;
			break;
		}
	}

	if ( $allowed ) {
		return "$string2:";
	} else {
		return '';
	}
}
/**
 * Converts and fixes HTML entities.
 *
 * This function normalizes HTML entities. It will convert `AT&T` to the correct
 * `AT&amp;T`, `&#00058;` to `&#058;`, `&#XYZZY;` to `&amp;#XYZZY;` and so on.
 *
 * When `$context` is set to 'xml', HTML entities are converted to their code points. For
 * example, `AT&T&hellip;&#XYZZY;` is converted to `AT&amp;T…&amp;#XYZZY;`.
 *
 * @since 1.0.0
 * @since 5.5.0 Added `$context` parameter.
 *
 * @param string $string  Content to normalize entities.
 * @param string $context Context for normalization. Can be either 'html' or 'xml'.
 *                        Default 'html'.
 * @return string Content with normalized entities.
 */
function wp_kses_normalize_entities( $string, $context = 'html' ) {
	// Disarm all entities by converting & to &amp;
	$string = str_replace( '&', '&amp;', $string );

	// Change back the allowed entities in our list of allowed entities.
	if ( 'xml' === $context ) {
		$string = preg_replace_callback( '/&amp;([A-Za-z]{2,8}[0-9]{0,2});/', 'wp_kses_xml_named_entities', $string );
	} else {
		$string = preg_replace_callback( '/&amp;([A-Za-z]{2,8}[0-9]{0,2});/', 'wp_kses_named_entities', $string );
	}

	// Re-arm the numeric entities (decimal, then hexadecimal) that name a valid code point.
	$string = preg_replace_callback( '/&amp;#(0*[0-9]{1,7});/', 'wp_kses_normalize_entities2', $string );
	$string = preg_replace_callback( '/&amp;#[Xx](0*[0-9A-Fa-f]{1,6});/', 'wp_kses_normalize_entities3', $string );

	return $string;
}

/**
 * Callback for `wp_kses_normalize_entities()` regular expression.
 *
 * This function only accepts valid named entity references, which are finite,
 * case-sensitive, and highly scrutinized by HTML and XML validators.
 *
 * @since 3.0.0
 *
 * @global array $allowedentitynames
 *
 * @param array $matches preg_replace_callback() matches array.
 * @return string The entity itself when its name is allowed, otherwise the entity with
 *                its ampersand escaped. Empty string when no name was captured.
 */
function wp_kses_named_entities( $matches ) {
	global $allowedentitynames;

	if ( empty( $matches[1] ) ) {
		return '';
	}

	$i = $matches[1];

	// Unknown names stay disarmed; known names are turned back into live entities.
	return ( ! in_array( $i, $allowedentitynames, true ) ) ? "&amp;$i;" : "&$i;";
}
/**
 * Callback for `wp_kses_normalize_entities()` regular expression.
 *
 * This function only accepts valid named entity references, which are finite,
 * case-sensitive, and highly scrutinized by XML validators. HTML named entity
 * references are converted to their code points.
 *
 * NOTE(review): the file-level `global` statement lists `$allowedxmlentitynames`,
 * while this function reads `$allowedxmlnamedentities` - confirm which name the
 * list of XML entity names is actually defined under.
 *
 * @since 5.5.0
 *
 * @global array $allowedentitynames
 * @global array $allowedxmlnamedentities
 *
 * @param array $matches preg_replace_callback() matches array.
 * @return string The entity itself for XML entity names, the decoded character for other
 *                allowed HTML entity names, otherwise the entity with its ampersand
 *                escaped. Empty string when no name was captured.
 */
function wp_kses_xml_named_entities( $matches ) {
	global $allowedentitynames, $allowedxmlnamedentities;

	if ( empty( $matches[1] ) ) {
		return '';
	}

	$i = $matches[1];

	if ( in_array( $i, $allowedxmlnamedentities, true ) ) {
		return "&$i;";
	} elseif ( in_array( $i, $allowedentitynames, true ) ) {
		return html_entity_decode( "&$i;", ENT_HTML5 );
	}

	// Unknown name: keep the entity disarmed.
	return "&amp;$i;";
}

/**
 * Callback for `wp_kses_normalize_entities()` regular expression.
 *
 * This function helps `wp_kses_normalize_entities()` to only accept decimal
 * `&#number;` entities whose code point passes `valid_unicode()`. Accepted
 * numbers are stripped of leading zeros and left-padded to three digits.
 *
 * @access private
 * @ignore
 * @since 1.0.0
 *
 * @param array $matches `preg_replace_callback()` matches array.
 * @return string The normalized entity when valid, otherwise the entity with its
 *                ampersand escaped. Empty string when no number was captured.
 */
function wp_kses_normalize_entities2( $matches ) {
	if ( empty( $matches[1] ) ) {
		return '';
	}

	$i = $matches[1];

	if ( valid_unicode( $i ) ) {
		$i = str_pad( ltrim( $i, '0' ), 3, '0', STR_PAD_LEFT );
		$i = "&#$i;";
	} else {
		// Invalid code point: keep the entity disarmed.
		$i = "&amp;#$i;";
	}

	return $i;
}
/**
 * Callback for `wp_kses_normalize_entities()` for regular expression.
 *
 * This function helps `wp_kses_normalize_entities()` to only accept valid Unicode
 * numeric entities in hex form. Accepted entities are stripped of leading zeros.
 *
 * @since 2.7.0
 * @access private
 * @ignore
 *
 * @param array $matches `preg_replace_callback()` matches array.
 * @return string The normalized entity when valid, otherwise the entity with its
 *                ampersand escaped. Empty string when no digits were captured.
 */
function wp_kses_normalize_entities3( $matches ) {
	if ( empty( $matches[1] ) ) {
		return '';
	}

	$hexchars = $matches[1];

	// Invalid code points stay disarmed; valid ones become live entities again.
	return ( ! valid_unicode( hexdec( $hexchars ) ) ) ? "&amp;#x$hexchars;" : '&#x' . ltrim( $hexchars, '0' ) . ';';
}

/**
 * Determines if a Unicode codepoint is valid.
 *
 * Accepts tab, line feed and carriage return, plus the ranges U+0020-U+D7FF,
 * U+E000-U+FFFD and U+10000-U+10FFFF. The comparisons are loose so that numeric
 * strings are handled as well.
 *
 * @since 2.7.0
 *
 * @param int $i Unicode codepoint.
 * @return bool Whether or not the codepoint is a valid Unicode codepoint.
 */
function valid_unicode( $i ) {
	return ( 0x9 == $i || 0xa == $i || 0xd == $i ||
		( 0x20 <= $i && $i <= 0xd7ff ) ||
		( 0xe000 <= $i && $i <= 0xfffd ) ||
		( 0x10000 <= $i && $i <= 0x10ffff ) );
}

/**
 * Decodes all numeric HTML entities to the characters they represent.
 *
 * This function decodes numeric HTML entities (`&#65;` and `&#x41;`).
 * It doesn't do anything with named entities like `&auml;`, but we don't
 * need them in the allowed URL protocols system anyway.
 *
 * @since 1.0.0
 *
 * @param string $string Content to change entities.
 * @return string Content after decoded entities.
 */
function wp_kses_decode_entities( $string ) {
	$string = preg_replace_callback( '/&#([0-9]+);/', '_wp_kses_decode_entities_chr', $string );
	$string = preg_replace_callback( '/&#[Xx]([0-9A-Fa-f]+);/', '_wp_kses_decode_entities_chr_hexdec', $string );

	return $string;
}
/**
 * Regex callback for `wp_kses_decode_entities()`.
 *
 * Turns the decimal number captured from a `&#NNN;` entity into a single byte.
 *
 * @since 2.9.0
 * @access private
 * @ignore
 *
 * @param array $match preg match; index 1 holds the decimal digits.
 * @return string The one-byte string for the number, taken modulo 256.
 */
function _wp_kses_decode_entities_chr( $match ) {
	/*
	 * chr() wraps its argument modulo 256 by itself, but it has to be handed an
	 * integer: a digit string too long for an integer is refused (TypeError on
	 * PHP 8). The capture is unbounded, so reduce it to one byte explicitly.
	 */
	return chr( ( (int) $match[1] ) & 0xFF );
}

/**
 * Regex callback for `wp_kses_decode_entities()`.
 *
 * Turns the hexadecimal number captured from a `&#xHH;` entity into a single byte.
 *
 * @since 2.9.0
 * @access private
 * @ignore
 *
 * @param array $match preg match; index 1 holds the hexadecimal digits.
 * @return string The one-byte string for the number, taken modulo 256.
 */
function _wp_kses_decode_entities_chr_hexdec( $match ) {
	/*
	 * Only the two least significant hex digits determine the value modulo 256.
	 * Converting just those keeps hexdec() from returning a float that chr()
	 * would refuse when the captured digit run is very long.
	 */
	return chr( hexdec( substr( $match[1], -2 ) ) );
}

/**
 * Sanitize content with allowed HTML KSES rules.
 *
 * This function expects slashed data. The name of the current filter is used
 * as the KSES context.
 *
 * @since 1.0.0
 *
 * @param string $data Content to filter, expected to be escaped with slashes.
 * @return string Filtered content.
 */
function wp_filter_kses( $data ) {
	return addslashes( wp_kses( stripslashes( $data ), current_filter() ) );
}

/**
 * Sanitize content with allowed HTML KSES rules.
 *
 * This function expects unslashed data. The name of the current filter is used
 * as the KSES context.
 *
 * @since 2.9.0
 *
 * @param string $data Content to filter, expected to not be escaped.
 * @return string Filtered content.
 */
function wp_kses_data( $data ) {
	return wp_kses( $data, current_filter() );
}

/**
 * Sanitizes content for allowed HTML tags for post content.
 *
 * Post content refers to the page contents of the 'post' type and not `$_POST`
 * data from forms.
 *
 * This function expects slashed data.
 *
 * @since 2.0.0
 *
 * @param string $data Post content to filter, expected to be escaped with slashes.
 * @return string Filtered post content with allowed HTML tags and attributes intact.
 */
function wp_filter_post_kses( $data ) {
	return addslashes( wp_kses( stripslashes( $data ), 'post' ) );
}
/**
 * Sanitizes content for allowed HTML tags for post content.
 *
 * Post content refers to the page contents of the 'post' type and not `$_POST`
 * data from forms.
 *
 * This function expects unslashed data.
 *
 * @since 2.9.0
 *
 * @param string $data Post content to filter.
 * @return string Filtered post content with allowed HTML tags and attributes intact.
 */
function wp_kses_post( $data ) {
	$filtered = wp_kses( $data, 'post' );

	return $filtered;
}

/**
 * Navigates through an array, object, or scalar, and sanitizes content for
 * allowed HTML tags for post content.
 *
 * @since 4.4.2
 *
 * @see map_deep()
 *
 * @param mixed $data The array, object, or scalar value to inspect.
 * @return mixed The filtered content.
 */
function wp_kses_post_deep( $data ) {
	$filtered = map_deep( $data, 'wp_kses_post' );

	return $filtered;
}

/**
 * Strips all HTML from a text string.
 *
 * This function expects slashed data.
 *
 * @since 2.1.0
 *
 * @param string $data Content to strip all HTML from.
 * @return string Filtered content without any HTML.
 */
function wp_filter_nohtml_kses( $data ) {
	$unslashed = stripslashes( $data );
	$stripped  = wp_kses( $unslashed, 'strip' );

	return addslashes( $stripped );
}

/**
 * Adds all KSES input form content filters.
 *
 * All hooks have default priority. `wp_filter_kses()` is added to the
 * 'title_save_pre' hook. The 'pre_comment_content' hook gets
 * `wp_filter_post_kses()` when the current user has the `unfiltered_html`
 * capability and `wp_filter_kses()` otherwise.
 *
 * `wp_filter_post_kses()` is added to the 'content_save_pre',
 * 'excerpt_save_pre', and 'content_filtered_save_pre' hooks.
 *
 * @since 2.0.0
 */
function kses_init_filters() {
	// Normal filtering.
	add_filter( 'title_save_pre', 'wp_filter_kses' );

	// Comment filtering.
	$comment_callback = current_user_can( 'unfiltered_html' ) ? 'wp_filter_post_kses' : 'wp_filter_kses';
	add_filter( 'pre_comment_content', $comment_callback );

	// Post filtering.
	foreach ( array( 'content_save_pre', 'excerpt_save_pre', 'content_filtered_save_pre' ) as $post_hook ) {
		add_filter( $post_hook, 'wp_filter_post_kses' );
	}
}

/**
 * Removes all KSES input form content filters.
 *
 * A quick procedural method to removing all of the filters that KSES uses for
 * content in WordPress Loop.
 *
 * Does not remove the `kses_init()` function from {@see 'init'} hook (priority is
 * default). Also does not remove `kses_init()` function from {@see 'set_current_user'}
 * hook (priority is also default).
 *
 * @since 2.0.6
 */
function kses_remove_filters() {
	// Hook/callback pairs in removal order: normal, comment, then post filtering.
	$registrations = array(
		array( 'title_save_pre', 'wp_filter_kses' ),
		array( 'pre_comment_content', 'wp_filter_post_kses' ),
		array( 'pre_comment_content', 'wp_filter_kses' ),
		array( 'content_save_pre', 'wp_filter_post_kses' ),
		array( 'excerpt_save_pre', 'wp_filter_post_kses' ),
		array( 'content_filtered_save_pre', 'wp_filter_post_kses' ),
	);

	foreach ( $registrations as $registration ) {
		remove_filter( $registration[0], $registration[1] );
	}
}

/**
 * Sets up most of the KSES filters for input form content.
 *
 * First removes all of the KSES filters in case the current user does not need
 * to have KSES filter the content. If the user does not have `unfiltered_html`
 * capability, then KSES filters are added.
 *
 * @since 2.0.0
 */
function kses_init() {
	kses_remove_filters();

	if ( current_user_can( 'unfiltered_html' ) ) {
		return;
	}

	kses_init_filters();
}
/**
 * Filters an inline style attribute and removes disallowed rules.
 *
 * The CSS is split on `;` and each declaration is kept only if its property is in
 * the allowed list (declarations without a colon skip that check) and its value
 * contains nothing considered unsafe once vetted `url()`, gradient, `calc()` and
 * `var()` expressions have been set aside.
 *
 * @since 2.8.1
 *
 * @param string $css        A string of CSS rules.
 * @param string $deprecated Not used.
 * @return string Filtered string of CSS rules.
 */
function safecss_filter_attr( $css, $deprecated = '' ) {
	if ( ! empty( $deprecated ) ) {
		_deprecated_argument( __FUNCTION__, '2.8.1' ); // Never implemented.
	}

	$css = str_replace( array( "\n", "\r", "\t" ), '', wp_kses_no_null( $css ) );

	$allowed_protocols = wp_allowed_protocols();
	$declarations      = explode( ';', trim( $css ) );

	/**
	 * Filters list of allowed CSS attributes.
	 *
	 * @since 2.8.1
	 * @since 4.4.0 Added support for `min-height`, `max-height`, `min-width`, and `max-width`.
	 * @since 4.6.0 Added support for `list-style-type`.
	 * @since 5.0.0 Added support for `background-image`.
	 * @since 5.1.0 Added support for `text-transform`.
	 * @since 5.2.0 Added support for `background-position` and `grid-template-columns`.
	 * @since 5.3.0 Added support for `grid`, `flex` and `column` layout properties.
	 *              Extend `background-*` support of individual properties.
	 * @since 5.3.1 Added support for gradient backgrounds.
	 * @since 5.7.1 Added support for `object-position`.
	 * @since 5.8.0 Added support for `calc()` and `var()` values.
	 *
	 * @param string[] $attr Array of allowed CSS attributes.
	 */
	$allowed_attr = apply_filters(
		'safe_style_css',
		array(
			'background',
			'background-color',
			'background-image',
			'background-position',
			'background-size',
			'background-attachment',
			'background-blend-mode',

			'border',
			'border-radius',
			'border-width',
			'border-color',
			'border-style',
			'border-right',
			'border-right-color',
			'border-right-style',
			'border-right-width',
			'border-bottom',
			'border-bottom-color',
			'border-bottom-style',
			'border-bottom-width',
			'border-left',
			'border-left-color',
			'border-left-style',
			'border-left-width',
			'border-top',
			'border-top-color',
			'border-top-style',
			'border-top-width',

			'border-spacing',
			'border-collapse',
			'caption-side',

			'columns',
			'column-count',
			'column-fill',
			'column-gap',
			'column-rule',
			'column-span',
			'column-width',

			'color',
			'font',
			'font-family',
			'font-size',
			'font-style',
			'font-variant',
			'font-weight',
			'letter-spacing',
			'line-height',
			'text-align',
			'text-decoration',
			'text-indent',
			'text-transform',

			'height',
			'min-height',
			'max-height',

			'width',
			'min-width',
			'max-width',

			'margin',
			'margin-right',
			'margin-bottom',
			'margin-left',
			'margin-top',

			'padding',
			'padding-right',
			'padding-bottom',
			'padding-left',
			'padding-top',

			'flex',
			'flex-basis',
			'flex-direction',
			'flex-flow',
			'flex-grow',
			'flex-shrink',

			'grid-template-columns',
			'grid-auto-columns',
			'grid-column-start',
			'grid-column-end',
			'grid-column-gap',
			'grid-template-rows',
			'grid-auto-rows',
			'grid-row-start',
			'grid-row-end',
			'grid-row-gap',
			'grid-gap',

			'justify-content',
			'justify-items',
			'justify-self',
			'align-content',
			'align-items',
			'align-self',

			'clear',
			'cursor',
			'direction',
			'float',
			'list-style-type',
			'object-position',
			'overflow',
			'vertical-align',
		)
	);

	// With an empty allow-list the (already cleaned) CSS is handed back as it is.
	if ( empty( $allowed_attr ) ) {
		return $css;
	}

	/*
	 * CSS attributes that accept URL data types.
	 *
	 * This is in accordance to the CSS spec and unrelated to
	 * the sub-set of supported attributes above.
	 *
	 * See: https://developer.mozilla.org/en-US/docs/Web/CSS/url
	 */
	$url_properties = array(
		'background',
		'background-image',

		'cursor',

		'list-style',
		'list-style-image',
	);

	// CSS attributes that accept gradient data types.
	$gradient_properties = array(
		'background',
		'background-image',
	);

	$filtered = '';

	foreach ( $declarations as $declaration ) {
		if ( '' === $declaration ) {
			continue;
		}

		$declaration    = trim( $declaration );
		$unvetted       = $declaration; // What is left of the declaration after vetted parts are removed.
		$takes_url      = false;
		$takes_gradient = false;

		// A declaration without a colon bypasses the property allow-list.
		if ( false !== strpos( $declaration, ':' ) ) {
			$parts    = explode( ':', $declaration, 2 );
			$property = trim( $parts[0] );

			if ( ! in_array( $property, $allowed_attr, true ) ) {
				continue;
			}

			$takes_url      = in_array( $property, $url_properties, true );
			$takes_gradient = in_array( $property, $gradient_properties, true );
		}

		if ( $takes_url ) {
			// Simplified: matches the sequence `url(*)`.
			preg_match_all( '/url\([^)]+\)/', $parts[1], $url_matches );

			foreach ( $url_matches[0] as $url_match ) {
				// Clean up the URL from each of the matches above.
				preg_match( '/^url\(\s*([\'\"]?)(.*)(\g1)\s*\)$/', $url_match, $url_pieces );

				if ( empty( $url_pieces[2] ) ) {
					continue 2;
				}

				$url = trim( $url_pieces[2] );

				// One empty URL or disallowed protocol drops the whole declaration.
				if ( empty( $url ) || wp_kses_bad_protocol( $url, $allowed_protocols ) !== $url ) {
					continue 2;
				}

				// Remove the whole `url(*)` bit that was matched above from the CSS.
				$unvetted = str_replace( $url_match, '', $unvetted );
			}
		}

		if ( $takes_gradient ) {
			$css_value = trim( $parts[1] );

			if ( preg_match( '/^(repeating-)?(linear|radial|conic)-gradient\(([^()]|rgb[a]?\([^()]*\))*\)$/', $css_value ) ) {
				// Remove the whole `gradient` bit that was matched above from the CSS.
				$unvetted = str_replace( $css_value, '', $unvetted );
			}
		}

		// Allow CSS calc().
		$unvetted = preg_replace( '/calc\(((?:\([^()]*\)?|[^()])*)\)/', '', $unvetted );
		// Allow CSS var().
		$unvetted = preg_replace( '/\(?var\(--[a-zA-Z0-9_-]*\)/', '', $unvetted );

		// Check for any CSS containing \ ( & } = or comments,
		// except for url(), calc(), or var() usage checked above.
		$allow_css = ! preg_match( '%[\\\(&=}]|/\*%', $unvetted );

		/**
		 * Filters the check for unsafe CSS in `safecss_filter_attr`.
		 *
		 * Enables developers to determine whether a section of CSS should be allowed or discarded.
		 * By default, the value will be false if the part contains \ ( & } = or comments.
		 * Return true to allow the CSS part to be included in the output.
		 *
		 * @since 5.5.0
		 *
		 * @param bool   $allow_css       Whether the CSS in the test string is considered safe.
		 * @param string $css_test_string The CSS string to test.
		 */
		$allow_css = apply_filters( 'safecss_filter_attr_allow_css', $allow_css, $unvetted );

		// Only add the CSS part if it passes the regex check.
		if ( ! $allow_css ) {
			continue;
		}

		if ( '' !== $filtered ) {
			$filtered .= ';';
		}

		$filtered .= $declaration;
	}

	return $filtered;
}

/**
 * Helper function to add global attributes to a tag in the allowed HTML list.
 *
 * A value of `true` is treated as an empty attribute list. Arrays receive the
 * global attributes, which take precedence over entries of the same name.
 * Anything else is returned untouched.
 *
 * @since 3.5.0
 * @since 5.0.0 Add support for `data-*` wildcard attributes.
 * @access private
 * @ignore
 *
 * @param array $value An array of attributes.
 * @return array The array of attributes with global attributes added.
 */
function _wp_add_global_attributes( $value ) {
	$global_attributes = array(
		'aria-describedby' => true,
		'aria-details'     => true,
		'aria-label'       => true,
		'aria-labelledby'  => true,
		'aria-hidden'      => true,
		'class'            => true,
		'id'               => true,
		'style'            => true,
		'title'            => true,
		'role'             => true,
		'data-*'           => true,
	);

	// `true` stands for "no specific attributes", which leaves just the global ones.
	if ( true === $value ) {
		return $global_attributes;
	}

	return is_array( $value ) ? array_merge( $value, $global_attributes ) : $value;
}