KSES: Deprecate wp_kses_js_entities().

This function was originally introduced to fix an XSS attack in Netscape 4, which never affected any other browsers, or later versions of Netscape.

I'm willing to go out on a limb, and say that we've officially dropped security support for Netscape 4.

Props dmsnell, desrosj.
Fixes #33848.



git-svn-id: https://develop.svn.wordpress.org/trunk@38785 602fd350-edb4-49c9-b593-d223f7449a82
Gary Pendergast
2016-10-13 22:24:27 +00:00
parent 7e8e642ead
commit 595c76de1a
3 changed files with 28 additions and 16 deletions

@@ -195,10 +195,10 @@ EOF;
switch ( $attack->name ) {
case 'XSS Locator':
$this->assertEquals('\';alert(String.fromCharCode(88,83,83))//\\\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88,83,83))//-->">\'>alert(String.fromCharCode(88,83,83))=', $result);
$this->assertEquals('\';alert(String.fromCharCode(88,83,83))//\\\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88,83,83))//-->">\'>alert(String.fromCharCode(88,83,83))=&{}', $result);
break;
case 'XSS Quick Test':
$this->assertEquals('\'\';!--"=', $result);
$this->assertEquals('\'\';!--"=&{()}', $result);
break;
case 'SCRIPT w/Alert()':
$this->assertEquals( "alert('XSS')", $result );
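Review bot: In the 'XSS Locator' and 'XSS Quick Test' cases the two expected strings differ only by the trailing `&{}` and `&{()}`, and nothing in the test says why those sequences are expected to pass through. A short comment above each assertion stating that the `&{...}` JavaScript-entity syntax is no longer stripped, because wp_kses_js_entities() is deprecated, would keep a later reader from treating the surviving `&{` as a regression in the filter. While these lines are being touched, the `assertEquals('` calls in both cases could also take the spacing used in the 'SCRIPT w/Alert()' case, `assertEquals( "alert('XSS')", $result );`, so the switch is consistent.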