vhad/wordpress-develop
1
0
Fork 0
mirror of https://github.com/gosticks/wordpress-develop.git synced 2026-04-01 11:14:36 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

KSES: Allow attributes to be restricted via callbacks.

Browse Source 
Add callback validation to HTML tag attributes for increased flexibility over an array of values only.

In `object` tags, validate the `data` attribute via a callback to ensure it is a PDF and matches the `type` attribute. This prevents mime type mismatches in browsers.

Follow up to [51963].

Props Pento, dd32, swissspidy, xknown, peterwilsoncc.
Fixes #54261.



git-svn-id: https://develop.svn.wordpress.org/trunk@52304 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Peter Wilson
2021-12-02 00:54:03 +00:00
parent 77059b1723
commit 5fa8d73b1b
2 changed files with 90 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

64
tests/phpunit/tests/kses.php
View File

@@ -1517,59 +1517,83 @@ EOF;
function data_wp_kses_object_tag_allowed() {
return array(
'valid value for type' => array(
'<object type="application/pdf" data="https://wordpress.org/foo.pdf" />',
'<object type="application/pdf" data="https://wordpress.org/foo.pdf" />',
'<object type="application/pdf" data="https://example.org/foo.pdf" />',
'<object type="application/pdf" data="https://example.org/foo.pdf" />',
),
'invalid value for type' => array(
'<object type="application/exe" data="https://wordpress.org/foo.exe" />',
'<object type="application/exe" data="https://example.org/foo.exe" />',
'',
),
'multiple type attributes, last invalid' => array(
'<object type="application/pdf" type="application/exe" data="https://wordpress.org/foo.pdf" />',
'<object type="application/pdf" data="https://wordpress.org/foo.pdf" />',
'<object type="application/pdf" type="application/exe" data="https://example.org/foo.pdf" />',
'<object type="application/pdf" data="https://example.org/foo.pdf" />',
),
'multiple type attributes, first uppercase, last invalid' => array(
'<object TYPE="application/pdf" type="application/exe" data="https://wordpress.org/foo.pdf" />',
'<object TYPE="application/pdf" data="https://wordpress.org/foo.pdf" />',
'<object TYPE="application/pdf" type="application/exe" data="https://example.org/foo.pdf" />',
'<object TYPE="application/pdf" data="https://example.org/foo.pdf" />',
),
'multiple type attributes, last upper case and invalid' => array(
'<object type="application/pdf" TYPE="application/exe" data="https://wordpress.org/foo.pdf" />',
'<object type="application/pdf" data="https://wordpress.org/foo.pdf" />',
'<object type="application/pdf" TYPE="application/exe" data="https://example.org/foo.pdf" />',
'<object type="application/pdf" data="https://example.org/foo.pdf" />',
),
'multiple type attributes, first invalid' => array(
'<object type="application/exe" type="application/pdf" data="https://wordpress.org/foo.pdf" />',
'<object type="application/exe" type="application/pdf" data="https://example.org/foo.pdf" />',
'',
),
'multiple type attributes, first upper case and invalid' => array(
'<object TYPE="application/exe" type="application/pdf" data="https://wordpress.org/foo.pdf" />',
'<object TYPE="application/exe" type="application/pdf" data="https://example.org/foo.pdf" />',
'',
),
'multiple type attributes, first invalid, last uppercase' => array(
'<object type="application/exe" TYPE="application/pdf" data="https://wordpress.org/foo.pdf" />',
'<object type="application/exe" TYPE="application/pdf" data="https://example.org/foo.pdf" />',
'',
),
'multiple object tags, last invalid' => array(
'<object type="application/pdf" data="https://wordpress.org/foo.pdf" /><object type="application/exe" data="https://wordpress.org/foo.exe" />',
'<object type="application/pdf" data="https://wordpress.org/foo.pdf" />',
'<object type="application/pdf" data="https://example.org/foo.pdf" /><object type="application/exe" data="https://example.org/foo.exe" />',
'<object type="application/pdf" data="https://example.org/foo.pdf" />',
),
'multiple object tags, first invalid' => array(
'<object type="application/exe" data="https://wordpress.org/foo.exe" /><object type="application/pdf" data="https://wordpress.org/foo.pdf" />',
'<object type="application/pdf" data="https://wordpress.org/foo.pdf" />',
'<object type="application/exe" data="https://example.org/foo.exe" /><object type="application/pdf" data="https://example.org/foo.pdf" />',
'<object type="application/pdf" data="https://example.org/foo.pdf" />',
),
'type attribute with partially incorrect value' => array(
'<object type="application/pdfa" data="https://wordpress.org/foo.pdf" />',
'<object type="application/pdfa" data="https://example.org/foo.pdf" />',
'',
),
'type attribute with empty value' => array(
'<object type="" data="https://wordpress.org/foo.pdf" />',
'<object type="" data="https://example.org/foo.pdf" />',
'',
),
'type attribute with no value' => array(
'<object type data="https://wordpress.org/foo.pdf" />',
'<object type data="https://example.org/foo.pdf" />',
'',
),
'no type attribute' => array(
'<object data="https://wordpress.org/foo.pdf" />',
'<object data="https://example.org/foo.pdf" />',
'',
),
'different protocol in url' => array(
'<object type="application/pdf" data="http://example.org/foo.pdf" />',
'<object type="application/pdf" data="http://example.org/foo.pdf" />',
),
'query string on url' => array(
'<object type="application/pdf" data="https://example.org/foo.pdf?lol=.pdf" />',
'',
),
'fragment on url' => array(
'<object type="application/pdf" data="https://example.org/foo.pdf#lol.pdf" />',
'',
),
'wrong extension' => array(
'<object type="application/pdf" data="https://example.org/foo.php" />',
'',
),
'protocol relative url' => array(
'<object type="application/pdf" data="//example.org/foo.pdf" />',
'',
),
'relative url' => array(
'<object type="application/pdf" data="/cat/foo.pdf" />',
'',
),
);