Fix for URL sanitization that can lead to cross-site scripting (XSS) attacks.

Props irsdl, sstoqnov, whyisjake.

git-svn-id: https://develop.svn.wordpress.org/trunk@45997 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Jonathan Desrosiers
2019-09-04 17:51:33 +00:00
parent b91c405069
commit cda102f72f
2 changed files with 10 additions and 1 deletions

View File

@@ -145,6 +145,8 @@ EOF;
'javascript&#0000058alert(1)//?:',
'feed:javascript:alert(1)',
'feed:javascript:feed:javascript:feed:javascript:alert(1)',
'javascript&#58alert(1)',
'javascript&#x3ax=1;alert(1)',
);
foreach ( $bad as $k => $x ) {
$result = wp_kses_bad_protocol( wp_kses_normalize_entities( $x ), wp_allowed_protocols() );
@@ -165,8 +167,14 @@ EOF;
case 24:
$this->assertEquals( 'feed:alert(1)', $result );
break;
case 26:
$this->assertEquals( 'javascript&#58alert(1)', $result );
break;
case 27:
$this->assertEquals( 'javascript&#x3ax=1;alert(1)', $result );
break;
default:
$this->fail( "wp_kses_bad_protocol failed on $x. Result: $result" );
$this->fail( "wp_kses_bad_protocol failed on $k, $x. Result: $result" );
}
}
}