Prevent stored XSS in the block editor.

Prevent escaped unicode characters become unescaped in unsafe HTML during JSON decoding.

Props: aduth, epiqueras, 


git-svn-id: https://develop.svn.wordpress.org/trunk@46896 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Jake Spurlock
2019-12-12 18:00:45 +00:00
parent 39a8eacb5f
commit 7c38cf178a
4 changed files with 271 additions and 3 deletions

View File

@@ -4904,6 +4904,31 @@ function wp_pre_kses_less_than_callback( $matches ) {
return $matches[0];
}
/**
* Remove non-allowable HTML from parsed block attribute values when filtering
* in the post context.
*
* @since 5.3.1
*
* @param string $string Content to be run through KSES.
* @param array[]|string $allowed_html An array of allowed HTML elements
* and attributes, or a context name
* such as 'post'.
* @param string[] $allowed_protocols Array of allowed URL protocols.
* @return string Filtered text to run through KSES.
*/
function wp_pre_kses_block_attributes( $string, $allowed_html, $allowed_protocols ) {
/*
* `filter_block_content` is expected to call `wp_kses`. Temporarily remove
* the filter to avoid recursion.
*/
remove_filter( 'pre_kses', 'wp_pre_kses_block_attributes', 10 );
$string = filter_block_content( $string, $allowed_html, $allowed_protocols );
add_filter( 'pre_kses', 'wp_pre_kses_block_attributes', 10, 3 );
return $string;
}
/**
* WordPress implementation of PHP sprintf() with filters.
*