From 5eede7436a7938593bdc02b8653aee794b2aee63 Mon Sep 17 00:00:00 2001
From: Sergey Biryukov
Date: Mon, 6 Dec 2021 11:06:40 +0000
Subject: [PATCH] KSES: Use the polyfilled PHP 8 string functions in `_wp_kses_allow_pdf_objects()`:
* `str_contains()`
* `str_ends_with()`
* `str_starts_with()`
Additionally, include a test for a PDF file in an `` tag with an unsupported protocol.
Follow-up to [51963], [52039], [52040], [52304], [52309].
Props TobiasBg, ramonopoly.
See #54261.
git-svn-id: https://develop.svn.wordpress.org/trunk@52326 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/kses.php | 9 ++++++---
 tests/phpunit/tests/kses.php | 6 +++++-
 2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/src/wp-includes/kses.php b/src/wp-includes/kses.php
index 3d35eb2c20..5ad504602b 100644
--- a/src/wp-includes/kses.php
+++ b/src/wp-includes/kses.php
@@ -2593,12 +2593,12 @@ function _wp_add_global_attributes( $value ) {
 */
 function _wp_kses_allow_pdf_objects( $url ) {
 // We're not interested in URLs that contain query strings or fragments.
- if ( strpos( $url, '?' ) !== false || strpos( $url, '#' ) !== false ) {
+ if ( str_contains( $url, '?' ) || str_contains( $url, '#' ) ) {
 return false;
 }
 
 // If it doesn't have a PDF extension, it's not safe.
- if ( 0 !== substr_compare( $url, '.pdf', -4, 4, true ) ) {
+ if ( ! str_ends_with( $url, '.pdf' ) ) {
 return false;
 }
 
@@ -2607,7 +2607,10 @@ function _wp_kses_allow_pdf_objects( $url ) {
 $parsed_url = wp_parse_url( $upload_info['url'] );
 $upload_host = isset( $parsed_url['host'] ) ? $parsed_url['host'] : '';
 $upload_port = isset( $parsed_url['port'] ) ? ':' . $parsed_url['port'] : '';
- if ( 0 === strpos( $url, "http://$upload_host$upload_port/" ) || 0 === strpos( $url, "https://$upload_host$upload_port/" ) ) {
+
+ if ( str_starts_with( $url, "http://$upload_host$upload_port/" )
+ || str_starts_with( $url, "https://$upload_host$upload_port/" )
+ ) {
 return true;
 }
 
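Review bot: The `.pdf` suffix test in the second `if` of this hunk silently becomes case-sensitive: `substr_compare( $url, '.pdf', -4, 4, true )` compared case-insensitively (the trailing `true`), whereas `str_ends_with( $url, '.pdf' )` does not, so a URL ending in `.PDF` that was accepted before is now rejected. That is a fail-closed change and so not a security regression, but it is a behaviour change hidden inside a polyfill swap and the commit message does not mention it. If case-insensitivity was intended, `if ( ! str_ends_with( strtolower( $url ), '.pdf' ) ) {` restores it; otherwise add a comment such as `// Extension match is deliberately case-sensitive: only a lowercase '.pdf' suffix is accepted.` and a test pinning that. The function's body continues past the end of this hunk.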
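Review bot: The host allowlist in the new `str_starts_with()` pair degrades to the prefix `http:///` when `$upload_host` is the empty string, which the `isset( $parsed_url['host'] ) ? ... : ''` fallback on the preceding context line explicitly allows; browsers following the WHATWG URL parser skip surplus slashes after a special scheme, so `http:///attacker.example/x.pdf` would satisfy the prefix check yet load from an arbitrary host. Whether `wp_upload_dir()` can ever produce a host-less URL is not visible from this hunk, so this may be unreachable in practice, but the guard is cheap: `if ( '' === $upload_host ) { return false; }` placed before the `if` closes the gap without affecting the normal path. Note also that the comparison is case-sensitive on both scheme and host, so `HTTPS://` or a differently-cased upload host is rejected — acceptable for an allowlist, but worth stating with `// Exact, case-sensitive prefix match against the upload URL as reported by wp_upload_dir().` The enclosing function starts before and ends after this hunk.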
diff --git a/tests/phpunit/tests/kses.php b/tests/phpunit/tests/kses.php
index cda6d3d7e4..7968dbecaa 100644
--- a/tests/phpunit/tests/kses.php
+++ b/tests/phpunit/tests/kses.php
@@ -1588,10 +1588,14 @@ EOF;
 '',
 '',
 ),
- 'protocol relative url' => array(
+ 'protocol-relative url' => array(
 '',
 '',
 ),
+ 'unsupported protocol' => array(
+ '',
+ '',
+ ),
 'relative url' => array(
 '',
 '',
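Review bot: The data provider gains an 'unsupported protocol' dataset but nothing covers extension case, and the companion change to `_wp_kses_allow_pdf_objects()` in this commit replaces a case-insensitive `substr_compare( ..., true )` with a case-sensitive `str_ends_with( $url, '.pdf' )`, so a URL ending in `.PDF` now takes the opposite branch from before. Add a dataset such as `'uppercase extension' => array( ... )` holding the object markup for an upload-host URL that ends in `.PDF`, with the expected output reflecting whichever outcome is intended, so that the behaviour change is pinned rather than accidental. The object markup inside the datasets is not visible in this rendering, so the exact expected strings cannot be checked here.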