From 595c76de1a1190bf28ae471f8bdbb6ca50fe3e86 Mon Sep 17 00:00:00 2001
From: Gary Pendergast
Date: Thu, 13 Oct 2016 22:24:27 +0000
Subject: [PATCH] KSES: Deprecate `wp_kses_js_entities()`.

This function was originally introduced to fix an XSS attack in Netscape 4, which never affected any other browsers, or later versions of Netscape. I'm willing to go out on a limb, and say that we've officially dropped security support for Netscape 4. Props dmsnell, desrosj. Fixes #33848.

git-svn-id: https://develop.svn.wordpress.org/trunk@38785 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/deprecated.php | 26 ++++++++++++++++++++++++++
 src/wp-includes/kses.php | 14 --------------
 tests/phpunit/tests/kses.php | 4 ++--
 3 files changed, 28 insertions(+), 16 deletions(-)

diff --git a/src/wp-includes/deprecated.php b/src/wp-includes/deprecated.php
index 8315702bab..d7598d0755 100644
--- a/src/wp-includes/deprecated.php
+++ b/src/wp-includes/deprecated.php
@@ -3772,3 +3772,29 @@ function get_paged_template() {
 return get_query_template( 'paged' );
 }
+
+/**
+ * Removes the HTML JavaScript entities found in early versions of Netscape 4.
+ *
+ * Previously, this function was pulled in from the original
+ * import of kses and removed a specific vulnerability only
+ * existent in early version of Netscape 4. However, this
+ * vulnerability never affected any other browsers and can
+ * be considered safe for the modern web.
+ *
+ * The regular expression which sanitized this vulnerability
+ * has been removed in consideration of the performance and
+ * energy demands it placed, now merely passing through its
+ * input to the return.
+ *
+ * @since 1.0.0
+ * @deprecated deprecated since 4.7
+ *
+ * @param string $string
+ * @return string
+ */
+function wp_kses_js_entities( $string ) {
+ _deprecated_function( __FUNCTION__, '4.7.0' );
+ return preg_replace( '%&\s*\{[^}]*(\}\s*;?|$)%', '', $string );
+}
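Review bot: The docblock added for wp_kses_js_entities() contradicts the body beneath it: the second paragraph says the regular expression "has been removed ... now merely passing through its input to the return", yet the function still executes `return preg_replace( '%&\s*\{[^}]*(\}\s*;?|$)%', '', $string );`, so callers keep the stripping behaviour and additionally get a deprecation notice. Either that paragraph should go, or it should say that the function still strips `&{...}` sequences and is retained only for backward compatibility with code that calls it directly. The tag `@deprecated deprecated since 4.7` also disagrees with the `'4.7.0'` passed to `_deprecated_function()` and with the usual `@deprecated 4.7.0 <reason>` form; I would write `@deprecated 4.7.0 Netscape 4 is no longer a supported browser, so its JavaScript entity form no longer needs stripping.` One line of `@since 1.0.0` is fine to keep since it documents the original kses import.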
diff --git a/src/wp-includes/kses.php b/src/wp-includes/kses.php
index fae60cdd95..4745d8d7ef 100644
--- a/src/wp-includes/kses.php
+++ b/src/wp-includes/kses.php
@@ -527,7 +527,6 @@ function wp_kses( $string, $allowed_html, $allowed_protocols = array() ) {
 if ( empty( $allowed_protocols ) )
 $allowed_protocols = wp_allowed_protocols();
 $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
- $string = wp_kses_js_entities($string);
 $string = wp_kses_normalize_entities($string);
 $string = wp_kses_hook($string, $allowed_html, $allowed_protocols); // WP changed the order of these funcs and added args to wp_kses_hook
 return wp_kses_split($string, $allowed_html, $allowed_protocols);
@@ -550,7 +549,6 @@ function wp_kses_one_attr( $string, $element ) {
 $allowed_html = wp_kses_allowed_html( 'post' );
 $allowed_protocols = wp_allowed_protocols();
 $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
- $string = wp_kses_js_entities( $string );
 // Preserve leading and trailing whitespace.
 $matches = array();
@@ -1295,18 +1293,6 @@ function wp_kses_array_lc($inarray) {
 return $outarray;
 }
-/**
- * Removes the HTML JavaScript entities found in early versions of Netscape 4.
- *
- * @since 1.0.0
- *
- * @param string $string
- * @return string
- */
-function wp_kses_js_entities($string) {
- return preg_replace('%&\s*\{[^}]*(\}\s*;?|$)%', '', $string);
-}
-
 /**
 * Handles parsing errors in wp_kses_hair().
 *
diff --git a/tests/phpunit/tests/kses.php b/tests/phpunit/tests/kses.php
index c9cf5d01db..bc62c58c6c 100644
--- a/tests/phpunit/tests/kses.php
+++ b/tests/phpunit/tests/kses.php
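Review bot: In the wp_kses() hunk nothing records that the removal of the `wp_kses_js_entities()` step was deliberate, so a reader auditing the pipeline (no_null → normalize_entities → hook → split) could take the missing step for an accidental regression and re-add it; the wp_kses_one_attr() hunk has the same gap. I would add, above the `$string = wp_kses_normalize_entities($string);` line, `// Netscape 4 '&{...}' JS entities are intentionally no longer stripped here; wp_kses_js_entities() was deprecated in 4.7.0 (#33848).` and a matching one-liner in wp_kses_one_attr(). The surviving definition now lives only in deprecated.php, which the third hunk relies on without saying so; the bodies of wp_kses() and wp_kses_one_attr() continue outside these hunks.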
@@ -195,10 +195,10 @@ EOF;
 switch ( $attack->name ) {
 case 'XSS Locator':
- $this->assertEquals('\';alert(String.fromCharCode(88,83,83))//\\\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88,83,83))//-->">\'>alert(String.fromCharCode(88,83,83))=', $result);
+ $this->assertEquals('\';alert(String.fromCharCode(88,83,83))//\\\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88,83,83))//-->">\'>alert(String.fromCharCode(88,83,83))=&{}', $result);
 break;
 case 'XSS Quick Test':
- $this->assertEquals('\'\';!--"=', $result);
+ $this->assertEquals('\'\';!--"=&{()}', $result);
 break;
 case 'SCRIPT w/Alert()':
 $this->assertEquals( "alert('XSS')", $result );
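Review bot: The two updated expectations now pin that `&{}` and `&{()}` survive filtering, but nothing in the hunk explains why the expected strings gained those suffixes, and the next person who sees this case fail will have to rediscover that the pass-through is intended. I would add before `case 'XSS Locator':` the comment `// '&{...}' Netscape 4 JS entities are intentionally no longer stripped as of 4.7.0 (#33848).`. The shim kept in deprecated.php is left without coverage; a small test that calls wp_kses_js_entities() under `$this->setExpectedDeprecated( 'wp_kses_js_entities' )` and asserts that `&{}` is removed would catch an accidental change to its regex. The switch statement continues outside the hunk.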