mirror of
https://github.com/gosticks/wordpress-develop.git
synced 2026-07-05 17:50:03 +00:00
Fix for URL sanitization that can lead to cross-site scripting (XSS) attacks.
Props irsdl, sstoqnov, whyisjake. git-svn-id: https://develop.svn.wordpress.org/trunk@45997 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
@@ -145,6 +145,8 @@ EOF;
|
||||
'javascript:alert(1)//?:',
|
||||
'feed:javascript:alert(1)',
|
||||
'feed:javascript:feed:javascript:feed:javascript:alert(1)',
|
||||
'javascript:alert(1)',
|
||||
'javascript:x=1;alert(1)',
|
||||
);
|
||||
foreach ( $bad as $k => $x ) {
|
||||
$result = wp_kses_bad_protocol( wp_kses_normalize_entities( $x ), wp_allowed_protocols() );
|
||||
@@ -165,8 +167,14 @@ EOF;
|
||||
case 24:
|
||||
$this->assertEquals( 'feed:alert(1)', $result );
|
||||
break;
|
||||
case 26:
|
||||
$this->assertEquals( 'javascript&#58alert(1)', $result );
|
||||
break;
|
||||
case 27:
|
||||
$this->assertEquals( 'javascript&#x3ax=1;alert(1)', $result );
|
||||
break;
|
||||
default:
|
||||
$this->fail( "wp_kses_bad_protocol failed on $x. Result: $result" );
|
||||
$this->fail( "wp_kses_bad_protocol failed on $k, $x. Result: $result" );
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user