vhad/wordpress-develop
1
0
Fork 0
mirror of https://github.com/gosticks/wordpress-develop.git synced 2026-02-27 03:02:53 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

KSES: Use the polyfilled PHP 8 string functions in _wp_kses_allow_pdf_objects():

Browse Source 
* `str_contains()`
* `str_ends_with()`
* `str_starts_with()`

Additionally, include a test for a PDF file in an `<object>` tag with an unsupported protocol.

Follow-up to [51963], [52039], [52040], [52304], [52309].

Props TobiasBg, ramonopoly.
See #54261.

git-svn-id: https://develop.svn.wordpress.org/trunk@52326 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Sergey Biryukov 2021-12-06 11:06:40 +00:00
parent 8bfdd80f46
commit 5eede7436a
2 changed files with 11 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/wp-includes/kses.php
View File

@ -2593,12 +2593,12 @@ function _wp_add_global_attributes( $value ) {
*/
function _wp_kses_allow_pdf_objects( $url ) {
// We're not interested in URLs that contain query strings or fragments.
if ( strpos( $url, '?' ) !== false || strpos( $url, '#' ) !== false ) {
if ( str_contains( $url, '?' ) || str_contains( $url, '#' ) ) {
return false;
}
// If it doesn't have a PDF extension, it's not safe.
if ( 0 !== substr_compare( $url, '.pdf', -4, 4, true ) ) {
if ( ! str_ends_with( $url, '.pdf' ) ) {
return false;
}
@ -2607,7 +2607,10 @@ function _wp_kses_allow_pdf_objects( $url ) {
$parsed_url = wp_parse_url( $upload_info['url'] );
$upload_host = isset( $parsed_url['host'] ) ? $parsed_url['host'] : '';
$upload_port = isset( $parsed_url['port'] ) ? ':' . $parsed_url['port'] : '';
if ( 0 === strpos( $url, "http://$upload_host$upload_port/" ) || 0 === strpos( $url, "https://$upload_host$upload_port/" ) ) {
if ( str_starts_with( $url, "http://$upload_host$upload_port/" )
|| str_starts_with( $url, "https://$upload_host$upload_port/" )
) {
return true;
}

6
tests/phpunit/tests/kses.php
View File

@ -1588,10 +1588,14 @@ EOF;
'<object type="application/pdf" data="https://example.org/foo.php" />',
'',
),
'protocol relative url' => array(
'protocol-relative url' => array(
'<object type="application/pdf" data="//example.org/foo.pdf" />',
'',
),
'unsupported protocol' => array(
'<object type="application/pdf" data="ftp://example.org/foo.pdf" />',
'',
),
'relative url' => array(
'<object type="application/pdf" data="/cat/foo.pdf" />',
'',