From a1fd329682192ebf7706d8f79fe630c0232ecd93 Mon Sep 17 00:00:00 2001
From: Adam Silverstein
Date: Thu, 18 Jun 2020 20:59:43 +0000
Subject: [PATCH] Formatting: new filter `safecss_filter_attr_allow_css` on css parts.

Enables developers to determine whether a section of CSS should be allowed or discarded. By default, the value will be false if the part contains \ ( & } = or comments. Returning true allows the CSS part to be included in the output. Replaces the `safe_style_disallowed_chars` filter introduced in r47891. Props azaozz. Fixes #37134.

git-svn-id: https://develop.svn.wordpress.org/trunk@48086 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/kses.php | 22 ++++++++++++++--------
 tests/phpunit/tests/kses.php | 27 ++++++++++-----------------
 2 files changed, 24 insertions(+), 25 deletions(-)

diff --git a/src/wp-includes/kses.php b/src/wp-includes/kses.php
index 703d7c0002..45452ae5b4 100644
--- a/src/wp-includes/kses.php
+++ b/src/wp-includes/kses.php
@@ -2357,23 +2357,29 @@ function safecss_filter_attr( $css, $deprecated = '' ) {
 }
 
 if ( $found ) {
+ // Check for any CSS containing \ ( & } = or comments, except for url() usage checked above.
+ $allow_css = ! preg_match( '%[\\\(&=}]|/\*%', $css_test_string );
+
 /**
- * Filters the regex limiting the list of characters not allowed in CSS rules.
+ * Filters the check for unsafe CSS in `safecss_filter_attr`.
 *
- * Default behaviour is to remove any CSS containing \ ( & } = or comments,
- * except for url() usage.
+ * Enables developers to determine whether a section of CSS should be allowed or discarded.
+ * By default, the value will be false if the part contains \ ( & } = or comments.
+ * Return true to allow the CSS part to be included in the output.
 *
 * @since 5.5.0
 *
- * @param string $regex Regex pattern of disallowed characters in CSS rules.
- * Default is '%[\\\(&=}]|/\*%'.
- * @param string $css_test_string CSS value to test.
+ * @param bool $allow_css Whether the CSS in the test string is considered safe.
+ * @param string $css_test_string The css string to test.
 */
- $disallowed_chars = apply_filters( 'safe_style_disallowed_chars', '%[\\\(&=}]|/\*%', $css_test_string );
- if ( ! preg_match( $disallowed_chars, $css_test_string ) ) {
+ $allow_css = apply_filters( 'safecss_filter_attr_allow_css', $allow_css, $css_test_string );
+
+ // Only add the css part if it passes the regex check.
+ if ( $allow_css ) {
 if ( '' !== $css ) {
 $css .= ';';
 }
+
 $css .= $css_item;
 }
 }
diff --git a/tests/phpunit/tests/kses.php b/tests/phpunit/tests/kses.php
index 7a846d5292..0665c09e90 100644
--- a/tests/phpunit/tests/kses.php
+++ b/tests/phpunit/tests/kses.php
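Review bot: The new default on the `$allow_css = ! preg_match( ... )` line fails open: `preg_match()` returns `false` when the PCRE engine errors out (for example on the backtrack limit), and `! false` is `true`, so a part the regex could not examine would reach the filter marked as allowed and then be emitted; `$allow_css = 0 === preg_match( '%[\\\(&=}]|/\*%', $css_test_string );` gives the same answer on a match and rejects the part on an engine failure. The comment `// Only add the css part if it passes the regex check.` no longer describes the condition under it, which is the filter's final verdict; `// Only add the CSS part if the regex check, as possibly overridden by the filter, allowed it.` would be accurate. The filter docblock should also state that returning true skips the disallowed-character check entirely for that part, as a callback like the test suite's `__return_true` does, so filter authors know they are taking over the safety decision rather than refining it. The enclosing `if ( $found )` block and `safecss_filter_attr()` itself begin outside the hunk.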
@@ -1263,14 +1263,7 @@ EOF;
 }
 
 /**
- * Filter for disallowed characters never matches thus allowing all characters.
- */
- function _safe_style_disallowed_chars_filter( $regex ) {
- return '%a^%'; // Regex with no matches.
-
- }
- /**
- * Testing the safecss_filter_attr() function with the safe_style_disallowed_chars filter.
+ * Testing the safecss_filter_attr() function with the safecss_filter_attr_allow_css filter.
 *
 * @ticket 37134
 *
@@ -1280,9 +1273,9 @@ EOF;
 * @param string $expected Expected string of CSS rules.
 */
 public function test_safecss_filter_attr_filtered( $css, $expected ) {
- add_filter( 'safe_style_disallowed_chars', array( $this, '_safe_style_disallowed_chars_filter' ) );
+ add_filter( 'safecss_filter_attr_allow_css', '__return_true' );
 $this->assertSame( $expected, safecss_filter_attr( $css ) );
- remove_filter( 'safe_style_disallowed_chars', array( $this, '_safe_style_disallowed_chars_filter' ) );
+ remove_filter( 'safecss_filter_attr_allow_css', '__return_true' );
 }
 
 /**
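Review bot: In `test_safecss_filter_attr_filtered()` the `remove_filter()` call only runs after `assertSame()` succeeds, so a failing assertion leaves `__return_true` hooked to `safecss_filter_attr_allow_css` for whatever runs next in the same process, unless the base test case restores hooks between tests, which this hunk does not show. Wrapping the assertion as `try { $this->assertSame( $expected, safecss_filter_attr( $css ) ); } finally { remove_filter( 'safecss_filter_attr_allow_css', '__return_true' ); }` makes the cleanup unconditional. The data set also only exercises the unconditional-allow path; one case with a callback that returns the incoming `$allow_css` unchanged would confirm that hooking the filter without overriding it still rejects the disallowed characters. The enclosing test class starts before the first hunk.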
@@ -1303,37 +1296,37 @@ EOF;
 'css' => 'margin-top: 2px',
 'expected' => 'margin-top: 2px',
 ),
- // Backslash \ can be allowed with the 'safe_style_disallowed_chars' filter.
+ // Backslash \ can be allowed with the 'safecss_filter_attr_allow_css' filter.
 array(
 'css' => 'margin-top: \2px',
 'expected' => 'margin-top: \2px',
 ),
- // Curly bracket } can be allowed with the 'safe_style_disallowed_chars' filter.
+ // Curly bracket } can be allowed with the 'safecss_filter_attr_allow_css' filter.
 array(
 'css' => 'margin-bottom: 2px}',
 'expected' => 'margin-bottom: 2px}',
 ),
- // Parenthesis ) can be allowed with the 'safe_style_disallowed_chars' filter.
+ // Parenthesis ) can be allowed with the 'safecss_filter_attr_allow_css' filter.
 array(
 'css' => 'margin-bottom: 2px)',
 'expected' => 'margin-bottom: 2px)',
 ),
- // Ampersand & can be allowed with the 'safe_style_disallowed_chars' filter.
+ // Ampersand & can be allowed with the 'safecss_filter_attr_allow_css' filter.
 array(
 'css' => 'margin-bottom: 2px&',
 'expected' => 'margin-bottom: 2px&',
 ),
- // Expressions can be allowed with the 'safe_style_disallowed_chars' filter.
+ // Expressions can be allowed with the 'safecss_filter_attr_allow_css' filter.
 array(
 'css' => 'height: expression( body.scrollTop + 50 + "px" )',
 'expected' => 'height: expression( body.scrollTop + 50 + "px" )',
 ),
- // RGB color values can be allowed with the 'safe_style_disallowed_chars' filter.
+ // RGB color values can be allowed with the 'safecss_filter_attr_allow_css' filter.
 array(
 'css' => 'color: rgb( 100, 100, 100 )',
 'expected' => 'color: rgb( 100, 100, 100 )',
 ),
- // RGBA color values can be allowed with the 'safe_style_disallowed_chars' filter.
+ // RGBA color values can be allowed with the 'safecss_filter_attr_allow_css' filter.
 array(
 'css' => 'color: rgb( 100, 100, 100, .4 )',
 'expected' => 'color: rgb( 100, 100, 100, .4 )',