rebase on oct-10-2023
@@ -788,18 +788,20 @@ function wp_kses_one_attr( $attr, $element ) {
|
||||
// Parse attribute name and value from input.
|
||||
$split = preg_split( '/\s*=\s*/', $attr, 2 );
|
||||
$name = $split[0];
|
||||
if ( count( $split ) == 2 ) {
|
||||
if ( count( $split ) === 2 ) {
|
||||
$value = $split[1];
|
||||
|
||||
// Remove quotes surrounding $value.
|
||||
// Also guarantee correct quoting in $attr for this one attribute.
|
||||
/*
|
||||
* Remove quotes surrounding $value.
|
||||
* Also guarantee correct quoting in $attr for this one attribute.
|
||||
*/
|
||||
if ( '' === $value ) {
|
||||
$quote = '';
|
||||
} else {
|
||||
$quote = $value[0];
|
||||
}
|
||||
if ( '"' === $quote || "'" === $quote ) {
|
||||
if ( substr( $value, -1 ) != $quote ) {
|
||||
if ( ! str_ends_with( $value, $quote ) ) {
|
||||
return '';
|
||||
}
|
||||
$value = substr( $value, 1, -1 );
|
||||
@@ -1079,12 +1081,12 @@ function wp_kses_split2( $content, $allowed_html, $allowed_protocols ) {
|
||||
$content = wp_kses_stripslashes( $content );
|
||||
|
||||
// It matched a ">" character.
|
||||
if ( '<' !== substr( $content, 0, 1 ) ) {
|
||||
if ( ! str_starts_with( $content, '<' ) ) {
|
||||
return '>';
|
||||
}
|
||||
|
||||
// Allow HTML comments.
|
||||
if ( '<!--' === substr( $content, 0, 4 ) ) {
|
||||
if ( str_starts_with( $content, '<!--' ) ) {
|
||||
$content = str_replace( array( '<!--', '-->' ), '', $content );
|
||||
while ( ( $newstring = wp_kses( $content, $allowed_html, $allowed_protocols ) ) != $content ) {
|
||||
$content = $newstring;
|
||||
@@ -1177,7 +1179,7 @@ function wp_kses_attr( $element, $attr, $allowed_html, $allowed_protocols ) {
|
||||
// Check if there are attributes that are required.
|
||||
$required_attrs = array_filter(
|
||||
$allowed_html[ $element_low ],
|
||||
function( $required_attr_limits ) {
|
||||
static function( $required_attr_limits ) {
|
||||
return isset( $required_attr_limits['required'] ) && true === $required_attr_limits['required'];
|
||||
}
|
||||
);
|
||||
@@ -1260,7 +1262,7 @@ function wp_kses_attr_check( &$name, &$value, &$whole, $vless, $element, $allowe
|
||||
* Note: the attribute name should only contain `A-Za-z0-9_-` chars,
|
||||
* double hyphens `--` are not accepted by WordPress.
|
||||
*/
|
||||
if ( strpos( $name_low, 'data-' ) === 0 && ! empty( $allowed_attr['data-*'] )
|
||||
if ( str_starts_with( $name_low, 'data-' ) && ! empty( $allowed_attr['data-*'] )
|
||||
&& preg_match( '/^data(?:-[a-z0-9_]+)+$/', $name_low, $match )
|
||||
) {
|
||||
/*
|
||||
@@ -1330,7 +1332,7 @@ function wp_kses_hair( $attr, $allowed_protocols ) {
|
||||
|
||||
// Loop through the whole attribute list.
|
||||
|
||||
while ( strlen( $attr ) != 0 ) {
|
||||
while ( strlen( $attr ) !== 0 ) {
|
||||
$working = 0; // Was the last operation successful?
|
||||
|
||||
switch ( $mode ) {
|
||||
@@ -1442,8 +1444,10 @@ function wp_kses_hair( $attr, $allowed_protocols ) {
|
||||
} // End while.
|
||||
|
||||
if ( 1 == $mode && false === array_key_exists( $attrname, $attrarr ) ) {
|
||||
// Special case, for when the attribute list ends with a valueless
|
||||
// attribute like "selected".
|
||||
/*
|
||||
* Special case, for when the attribute list ends with a valueless
|
||||
* attribute like "selected".
|
||||
*/
|
||||
$attrarr[ $attrname ] = array(
|
||||
'name' => $attrname,
|
||||
'value' => '',
|
||||
@@ -1546,8 +1550,10 @@ function wp_kses_hair_parse( $attr ) {
|
||||
. '\s*'; // Trailing space is optional except as mentioned above.
|
||||
// phpcs:enable
|
||||
|
||||
// Although it is possible to reduce this procedure to a single regexp,
|
||||
// we must run that regexp twice to get exactly the expected result.
|
||||
/*
|
||||
* Although it is possible to reduce this procedure to a single regexp,
|
||||
* we must run that regexp twice to get exactly the expected result.
|
||||
*/
|
||||
|
||||
$validation = "%^($regex)+$%";
|
||||
$extraction = "%$regex%";
|
||||
@@ -1640,7 +1646,7 @@ function wp_kses_check_attr_val( $value, $vless, $checkname, $checkvalue ) {
|
||||
* If the given value is an "n" or an "N", the attribute must have a value.
|
||||
*/
|
||||
|
||||
if ( strtolower( $checkvalue ) != $vless ) {
|
||||
if ( strtolower( $checkvalue ) !== $vless ) {
|
||||
$ok = false;
|
||||
}
|
||||
break;
|
||||
@@ -1846,7 +1852,7 @@ function wp_kses_bad_protocol_once2( $scheme, $allowed_protocols ) {
|
||||
|
||||
$allowed = false;
|
||||
foreach ( (array) $allowed_protocols as $one_protocol ) {
|
||||
if ( strtolower( $one_protocol ) == $scheme ) {
|
||||
if ( strtolower( $one_protocol ) === $scheme ) {
|
||||
$allowed = true;
|
||||
break;
|
||||
}
|
||||
@@ -2279,6 +2285,8 @@ function kses_init() {
|
||||
* Extended `margin-*` and `padding-*` support for logical properties.
|
||||
* @since 6.2.0 Added support for `aspect-ratio`, `position`, `top`, `right`, `bottom`, `left`,
|
||||
* and `z-index` CSS properties.
|
||||
* @since 6.3.0 Extended support for `filter` to accept a URL and added support for repeat().
|
||||
* Added support for `box-shadow`.
|
||||
*
|
||||
* @param string $css A string of CSS rules.
|
||||
* @param string $deprecated Not used.
|
||||
@@ -2446,6 +2454,7 @@ function safecss_filter_attr( $css, $deprecated = '' ) {
|
||||
'bottom',
|
||||
'left',
|
||||
'z-index',
|
||||
'box-shadow',
|
||||
'aspect-ratio',
|
||||
|
||||
// Custom CSS properties.
|
||||
@@ -2466,6 +2475,7 @@ function safecss_filter_attr( $css, $deprecated = '' ) {
|
||||
'background-image',
|
||||
|
||||
'cursor',
|
||||
'filter',
|
||||
|
||||
'list-style',
|
||||
'list-style-image',
|
||||
@@ -2497,7 +2507,7 @@ function safecss_filter_attr( $css, $deprecated = '' ) {
|
||||
$gradient_attr = false;
|
||||
$is_custom_var = false;
|
||||
|
||||
if ( strpos( $css_item, ':' ) === false ) {
|
||||
if ( ! str_contains( $css_item, ':' ) ) {
|
||||
$found = true;
|
||||
} else {
|
||||
$parts = explode( ':', $css_item, 2 );
|
||||
@@ -2561,7 +2571,7 @@ function safecss_filter_attr( $css, $deprecated = '' ) {
|
||||
* Nested functions and parentheses are also removed, so long as the parentheses are balanced.
|
||||
*/
|
||||
$css_test_string = preg_replace(
|
||||
'/\b(?:var|calc|min|max|minmax|clamp)(\((?:[^()]|(?1))*\))/',
|
||||
'/\b(?:var|calc|min|max|minmax|clamp|repeat)(\((?:[^()]|(?1))*\))/',
|
||||
'',
|
||||
$css_test_string
|
||||
);
|
||||
@@ -2606,6 +2616,7 @@ function safecss_filter_attr( $css, $deprecated = '' ) {
|
||||
* @since 3.5.0
|
||||
* @since 5.0.0 Added support for `data-*` wildcard attributes.
|
||||
* @since 6.0.0 Added `dir`, `lang`, and `xml:lang` to global attributes.
|
||||
* @since 6.3.0 Added `aria-controls`, `aria-current`, and `aria-expanded` attributes.
|
||||
*
|
||||
* @access private
|
||||
* @ignore
|
||||
@@ -2615,8 +2626,11 @@ function safecss_filter_attr( $css, $deprecated = '' ) {
|
||||
*/
|
||||
function _wp_add_global_attributes( $value ) {
|
||||
$global_attributes = array(
|
||||
'aria-controls' => true,
|
||||
'aria-current' => true,
|
||||
'aria-describedby' => true,
|
||||
'aria-details' => true,
|
||||
'aria-expanded' => true,
|
||||
'aria-label' => true,
|
||||
'aria-labelledby' => true,
|
||||
'aria-hidden' => true,
|
||||
|
||||
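Review bot: In the `safecss_filter_attr` hunk at -2561, adding `repeat` to `/\b(?:var|calc|min|max|minmax|clamp|repeat)(\((?:[^()]|(?1))*\))/` means every balanced `repeat(...)` group is deleted from `$css_test_string` for any allowed property, not only the grid properties where `repeat()` is valid, and the comment above the call does not say that the deleted text is no longer inspected. The check that consumes `$css_test_string` lies outside the hunk, so this is inferred from the variable name and the existing comment; if that is what happens, add a line to the comment such as `* Note: text inside the removed function calls is not seen by the test below.` It would also help to add unit tests that pin a `repeat()` value on a grid property as accepted, and that pin the current result for a `repeat(` value with unbalanced parentheses and for `repeat()` on a non-grid property. The function starts and ends outside the hunk.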