mirror of
https://github.com/gosticks/wordpress-develop.git
synced 2026-07-09 11:40:04 +00:00
Prevent stored XSS in the block editor.
Prevent escaped unicode characters become unescaped in unsafe HTML during JSON decoding. Props: aduth, epiqueras, git-svn-id: https://develop.svn.wordpress.org/trunk@46896 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
@@ -4904,6 +4904,31 @@ function wp_pre_kses_less_than_callback( $matches ) {
|
||||
return $matches[0];
|
||||
}
|
||||
|
||||
/**
|
||||
* Remove non-allowable HTML from parsed block attribute values when filtering
|
||||
* in the post context.
|
||||
*
|
||||
* @since 5.3.1
|
||||
*
|
||||
* @param string $string Content to be run through KSES.
|
||||
* @param array[]|string $allowed_html An array of allowed HTML elements
|
||||
* and attributes, or a context name
|
||||
* such as 'post'.
|
||||
* @param string[] $allowed_protocols Array of allowed URL protocols.
|
||||
* @return string Filtered text to run through KSES.
|
||||
*/
|
||||
function wp_pre_kses_block_attributes( $string, $allowed_html, $allowed_protocols ) {
|
||||
/*
|
||||
* `filter_block_content` is expected to call `wp_kses`. Temporarily remove
|
||||
* the filter to avoid recursion.
|
||||
*/
|
||||
remove_filter( 'pre_kses', 'wp_pre_kses_block_attributes', 10 );
|
||||
$string = filter_block_content( $string, $allowed_html, $allowed_protocols );
|
||||
add_filter( 'pre_kses', 'wp_pre_kses_block_attributes', 10, 3 );
|
||||
|
||||
return $string;
|
||||
}
|
||||
|
||||
/**
|
||||
* WordPress implementation of PHP sprintf() with filters.
|
||||
*
|
||||
|
||||
Reference in New Issue
Block a user