WordPressを読む 51-3 /blog/wp-includes/kses.php 3
2015/01/30
目次
- 1 /blog/wp-includes/kses.php 3
- 2 関数 wp_kses_bad_protocol()
- 3 関数 wp_kses_no_null()
- 4 関数 wp_kses_stripslashes()
- 5 関数 wp_kses_array_lc()
- 6 関数 wp_kses_js_entities()
- 7 関数 wp_kses_html_error()
- 8 関数 wp_kses_bad_protocol_once()
- 9 関数 wp_kses_bad_protocol_once2()
- 10 関数 wp_kses_normalize_entities()
- 11 関数 wp_kses_named_entities()
- 12 関数 wp_kses_normalize_entities2()
- 13 関数 wp_kses_normalize_entities3()
- 14 関数 valid_unicode()
- 15 関数 wp_kses_decode_entities()
- 16 関数 _wp_kses_decode_entities_chr()
- 17 関数 _wp_kses_decode_entities_chr_hexdec()
- 18 関数 wp_filter_kses()
- 19 関数 wp_kses_data()
- 20 関数 wp_filter_post_kses()
- 21 関数 wp_kses_post()
- 22 関数 wp_filter_nohtml_kses()
- 23 関数 kses_init_filters()
- 24 関数 kses_remove_filters()
- 25 関数 kses_init()
- 26 関数間の処理
- 27 関数 safecss_filter_attr()
- 28 関数 _wp_add_global_attributes()
/blog/wp-includes/kses.php 3
関数 wp_kses_bad_protocol()
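/**
 * Sanitize string from bad protocols.
 *
 * Removes all non-allowed protocols from the beginning of $string. Whitespace
 * and letter case are ignored and HTML entities are understood. The stripping
 * is repeated until the string stops changing, so a value such as
 * "javascript:javascript:alert(57)" cannot slip a second scheme past a single
 * pass. If the string is still changing after six rounds it is discarded.
 *
 * @since 1.0.0
 *
 * @param string $string            Content to filter bad protocols from.
 * @param array  $allowed_protocols Allowed protocols to keep.
 * @return string Filtered content, or '' if the input never stabilized.
 */
function wp_kses_bad_protocol($string, $allowed_protocols) {
	$string = wp_kses_no_null($string);
	$iterations = 0;

	do {
		$original_string = $string;
		$string = wp_kses_bad_protocol_once($string, $allowed_protocols);
		// Strict comparison: a loose != on two numeric-looking strings compares
		// them as numbers and could stop the loop while the text still differs.
	} while ( $original_string !== $string && ++$iterations < 6 );

	// Still changing after the last round: treat the input as hostile.
	if ( $original_string !== $string )
		return '';

	return $string;
}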
関数 wp_kses_no_null()
/**
 * Removes any invalid control characters in $string.
 *
 * Strips the C0 control bytes other than tab, LF and CR, then every run of
 * the two-character sequence '\0' (a literal backslash followed by a zero).
 *
 * @since 1.0.0
 *
 * @param string $string
 * @return string
 */
function wp_kses_no_null($string) {
	// preg_replace() applies the patterns in order, so the literal "\0"
	// sequences are removed after the raw control bytes.
	$patterns = array(
		'/[\x00-\x08\x0B\x0C\x0E-\x1F]/', // C0 controls except \t \n \r
		'/(\\\\0)+/',                      // the text "\0", one or more times
	);
	return preg_replace( $patterns, '', $string );
}
関数 wp_kses_stripslashes()
/**
 * Strips slashes from in front of quotes.
 *
 * Changes the character sequence \" to just ". Every other backslash is left
 * alone. Historically needed because of the quoting that preg_replace(//e)
 * produced.
 *
 * @since 1.0.0
 *
 * @param string $string String to strip slashes
 * @return string Fixed string with quoted slashes
 */
function wp_kses_stripslashes($string) {
	// Only the exact two-character sequence backslash + double quote is touched.
	return str_replace( '\\"', '"', $string );
}
関数 wp_kses_array_lc()
/**
 * Goes through an array and changes the keys to all lower case.
 *
 * Both the outer keys and the keys of every inner array are lower-cased;
 * values are left untouched. Non-array input is coerced with an (array) cast
 * at both levels.
 *
 * @since 1.0.0
 *
 * @param array $inarray Unfiltered array
 * @return array Fixed array with all lowercase keys
 */
function wp_kses_array_lc($inarray) {
	$outarray = array();

	foreach ( (array) $inarray as $tag => $attributes ) {
		// array_change_key_case() lower-cases every inner key in one pass;
		// later duplicates overwrite earlier ones, as sequential assignment would.
		$outarray[ strtolower( $tag ) ] = array_change_key_case( (array) $attributes, CASE_LOWER );
	}

	return $outarray;
}
関数 wp_kses_js_entities()
/**
 * Removes the HTML JavaScript entities found in early versions of Netscape 4.
 *
 * An "&{ ... };" construct is dropped entirely, including an unterminated one
 * that runs to the end of the string.
 *
 * @since 1.0.0
 *
 * @param string $string
 * @return string
 */
function wp_kses_js_entities($string) {
	$js_entity = '%&\s*\{[^}]*(\}\s*;?|$)%';
	return preg_replace( $js_entity, '', $string );
}
関数 wp_kses_html_error()
/**
 * Handles parsing errors in wp_kses_hair().
 *
 * Removes the leading run of double-quoted strings, single-quoted strings and
 * non-whitespace characters, together with the whitespace that follows it, so
 * that attribute parsing can resume at the next token.
 *
 * @since 1.0.0
 *
 * @param string $string
 * @return string
 */
function wp_kses_html_error($string) {
	$leading_garbage = '/^("[^"]*("|$)|\'[^\']*(\'|$)|\S)*\s*/';
	return preg_replace( $leading_garbage, '', $string );
}
関数 wp_kses_bad_protocol_once()
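/**
 * Sanitizes content from bad protocols and other characters.
 *
 * Searches for a URL scheme at the beginning of $string, splitting on the
 * first ':' whether it is literal or written as a numeric entity (&#58; or
 * &#x3a;, with optional leading zeros), and hands the scheme to
 * wp_kses_bad_protocol_once2() for the allow-list check. A 'feed:' scheme
 * wraps another URL, so the remainder is checked again, at most twice.
 *
 * @since 1.0.0
 *
 * @param string $string            Content to check for bad protocols.
 * @param array  $allowed_protocols Allowed protocols.
 * @param int    $count             Nesting depth; used internally for 'feed:' URLs.
 * @return string Sanitized content.
 */
function wp_kses_bad_protocol_once($string, $allowed_protocols, $count = 1 ) {
	// Split on ':' written literally or as a decimal (58) / hex (3a) entity.
	$string2 = preg_split( '/:|&#0*58;|&#x0*3a;/i', $string, 2 );
	// A ':' that follows "/?" belongs to a query string, not to a scheme.
	if ( isset($string2[1]) && ! preg_match('%/\?%', $string2[0]) ) {
		$string = trim( $string2[1] );
		$protocol = wp_kses_bad_protocol_once2( $string2[0], $allowed_protocols );
		if ( 'feed:' === $protocol ) {
			// Refuse deeply nested feed: wrappers instead of recursing further.
			if ( $count > 2 )
				return '';
			$string = wp_kses_bad_protocol_once( $string, $allowed_protocols, ++$count );
			if ( empty( $string ) )
				return $string;
		}
		$string = $protocol . $string;
	}
	return $string;
}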
関数 wp_kses_bad_protocol_once2()
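/**
 * Callback for wp_kses_bad_protocol_once() regular expression.
 *
 * Normalizes a URL scheme (entities decoded, whitespace and NUL sequences
 * removed, lower-cased) and checks it against the allow list.
 *
 * @access private
 * @since 1.0.0
 *
 * @param string $string            URI scheme to check against the whitelist.
 * @param array  $allowed_protocols Allowed protocols.
 * @return string The normalized scheme followed by ':' if allowed, '' otherwise.
 */
function wp_kses_bad_protocol_once2( $string, $allowed_protocols ) {
	$string2 = wp_kses_decode_entities($string);
	$string2 = preg_replace('/\s/', '', $string2);
	$string2 = wp_kses_no_null($string2);
	$string2 = strtolower($string2);

	// Strict in_array(): a loose == would compare numeric-looking schemes as
	// numbers rather than as text.
	$allowed = in_array( $string2, array_map( 'strtolower', (array) $allowed_protocols ), true );

	if ($allowed)
		return "$string2:";
	else
		return '';
}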
関数 wp_kses_normalize_entities()
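/**
 * Converts and fixes HTML entities.
 *
 * Every '&' is first disarmed into '&amp;'; afterwards only the entities that
 * pass the callbacks are turned back into real entities. For example "AT&T"
 * becomes "AT&amp;T", "&#00058;" becomes "&#058;" and "&#XYZZY;" stays as
 * "&amp;#XYZZY;".
 *
 * @since 1.0.0
 *
 * @param string $string Content to normalize entities
 * @return string Content with normalized entities
 */
function wp_kses_normalize_entities($string) {
	# Disarm all entities by converting & to &amp;
	$string = str_replace('&', '&amp;', $string);

	# Change back the allowed entities in our entity whitelist. After the step
	# above no bare '&' remains, so the patterns match the disarmed '&amp;' form.
	$string = preg_replace_callback('/&amp;([A-Za-z]{2,8}[0-9]{0,2});/', 'wp_kses_named_entities', $string);
	$string = preg_replace_callback('/&amp;#(0*[0-9]{1,7});/', 'wp_kses_normalize_entities2', $string);
	$string = preg_replace_callback('/&amp;#[Xx](0*[0-9A-Fa-f]{1,6});/', 'wp_kses_normalize_entities3', $string);

	return $string;
}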
関数 wp_kses_named_entities()
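/**
 * Callback for wp_kses_normalize_entities() regular expression.
 *
 * Only accepts valid named entity references, which are finite,
 * case-sensitive, and highly scrutinized by HTML and XML validators.
 * Unknown names are left in their disarmed "&amp;name;" form.
 *
 * @since 3.0.0
 *
 * @param array $matches preg_replace_callback() matches array
 * @return string Correctly encoded entity
 */
function wp_kses_named_entities($matches) {
	global $allowedentitynames;

	if ( empty($matches[1]) )
		return '';

	$i = $matches[1];
	// Strict in_array(): names are case-sensitive and must match exactly.
	return ( ! in_array( $i, (array) $allowedentitynames, true ) ) ? "&amp;$i;" : "&$i;";
}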
関数 wp_kses_normalize_entities2()
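/**
 * Callback for wp_kses_normalize_entities() regular expression.
 *
 * Helps wp_kses_normalize_entities() accept only valid Unicode code points
 * (as judged by valid_unicode()) for &#number; entities.
 *
 * @access private
 * @since 1.0.0
 *
 * @param array $matches preg_replace_callback() matches array
 * @return string Correctly encoded entity
 */
function wp_kses_normalize_entities2($matches) {
	if ( empty($matches[1]) )
		return '';

	$i = $matches[1];
	if (valid_unicode($i)) {
		// Canonical form: strip leading zeros, then pad to at least 3 digits.
		$i = str_pad(ltrim($i,'0'), 3, '0', STR_PAD_LEFT);
		$i = "&#$i;";
	} else {
		// Invalid code point: leave the entity disarmed as literal text.
		$i = "&amp;#$i;";
	}

	return $i;
}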
関数 wp_kses_normalize_entities3()
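/**
 * Callback for wp_kses_normalize_entities() for regular expression.
 *
 * Helps wp_kses_normalize_entities() accept only valid Unicode numeric
 * entities in hex form.
 *
 * @access private
 *
 * @param array $matches preg_replace_callback() matches array
 * @return string Correctly encoded entity
 */
function wp_kses_normalize_entities3($matches) {
	if ( empty($matches[1]) )
		return '';

	$hexchars = $matches[1];
	// Invalid code points stay disarmed ("&amp;#x...;"); valid ones are
	// re-armed with their leading zeros stripped.
	return ( ! valid_unicode(hexdec($hexchars)) ) ? "&amp;#x$hexchars;" : '&#x'.ltrim($hexchars,'0').';';
}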
関数 valid_unicode()
/**
 * Helper function to determine if a Unicode value is valid.
 *
 * Accepts tab, LF, CR, the printable BMP ranges outside the surrogate block,
 * and the supplementary planes. Comparisons are deliberately loose so that a
 * numeric string (as passed by the entity callbacks) is handled like an int.
 *
 * @param int $i Unicode value
 * @return bool True if the value was a valid Unicode number
 */
function valid_unicode($i) {
	if ( $i == 0x9 || $i == 0xa || $i == 0xd )
		return true;
	if ( $i >= 0x20 && $i <= 0xd7ff )
		return true;
	if ( $i >= 0xe000 && $i <= 0xfffd )
		return true;
	return ( $i >= 0x10000 && $i <= 0x10ffff );
}
関数 wp_kses_decode_entities()
/**
 * Convert all entities to their character counterparts.
 *
 * Decodes numeric HTML entities (&#65; and &#x41;, both "A"). It doesn't do
 * anything with named entities like &auml;, but we don't need them in the URL
 * protocol whitelisting system anyway.
 *
 * @since 1.0.0
 *
 * @param string $string Content to change entities
 * @return string Content after decoded entities
 */
function wp_kses_decode_entities($string) {
	$decimal_entity = '/&#([0-9]+);/';
	$hex_entity     = '/&#[Xx]([0-9A-Fa-f]+);/';

	$string = preg_replace_callback( $decimal_entity, '_wp_kses_decode_entities_chr', $string );
	return preg_replace_callback( $hex_entity, '_wp_kses_decode_entities_chr_hexdec', $string );
}
関数 _wp_kses_decode_entities_chr()
/**
 * Regex callback for wp_kses_decode_entities()
 *
 * Turns the captured decimal code into a single byte via chr(); values above
 * 255 are reduced modulo 256 by chr(), so this is a byte decoder, not a UTF-8 one.
 *
 * @param array $match preg match
 * @return string
 */
function _wp_kses_decode_entities_chr( $match ) {
	$code = $match[1];
	return chr( $code );
}
関数 _wp_kses_decode_entities_chr_hexdec()
/**
 * Regex callback for wp_kses_decode_entities()
 *
 * Turns the captured hex code into a single byte via hexdec() + chr().
 *
 * @param array $match preg match
 * @return string
 */
function _wp_kses_decode_entities_chr_hexdec( $match ) {
	$code = hexdec( $match[1] );
	return chr( $code );
}
関数 wp_filter_kses()
/**
 * Sanitize content with allowed HTML Kses rules.
 *
 * The rule set is chosen by the name of the filter currently running.
 *
 * @since 1.0.0
 * @uses $allowedtags
 *
 * @param string $data Content to filter, expected to be escaped with slashes
 * @return string Filtered content, re-escaped with slashes
 */
function wp_filter_kses( $data ) {
	$unslashed = stripslashes( $data );
	$filtered  = wp_kses( $unslashed, current_filter() );
	return addslashes( $filtered );
}
関数 wp_kses_data()
/**
 * Sanitize content with allowed HTML Kses rules.
 *
 * Like wp_filter_kses() but for data that is not slash-escaped.
 *
 * @since 2.9.0
 * @uses $allowedtags
 *
 * @param string $data Content to filter, expected to not be escaped
 * @return string Filtered content
 */
function wp_kses_data( $data ) {
	$context = current_filter();
	return wp_kses( $data, $context );
}
関数 wp_filter_post_kses()
/**
 * Sanitize content for allowed HTML tags for post content.
 *
 * Post content refers to the page contents of the 'post' type and not $_POST
 * data from forms.
 *
 * @since 2.0.0
 *
 * @param string $data Post content to filter, expected to be escaped with slashes
 * @return string Filtered post content with allowed HTML tags and attributes intact.
 */
function wp_filter_post_kses($data) {
	$unslashed = stripslashes( $data );
	$filtered  = wp_kses( $unslashed, 'post' );
	return addslashes( $filtered );
}
関数 wp_kses_post()
/**
 * Sanitize content for allowed HTML tags for post content.
 *
 * Post content refers to the page contents of the 'post' type and not $_POST
 * data from forms.
 *
 * @since 2.9.0
 *
 * @param string $data Post content to filter
 * @return string Filtered post content with allowed HTML tags and attributes intact.
 */
function wp_kses_post($data) {
	$context = 'post';
	return wp_kses( $data, $context );
}
関数 wp_filter_nohtml_kses()
/**
 * Strips all of the HTML in the content.
 *
 * @since 2.1.0
 *
 * @param string $data Content to strip all HTML from, expected to be escaped with slashes
 * @return string Filtered content without any HTML, re-escaped with slashes
 */
function wp_filter_nohtml_kses( $data ) {
	$unslashed = stripslashes( $data );
	$stripped  = wp_kses( $unslashed, 'strip' );
	return addslashes( $stripped );
}
関数 kses_init_filters()
/**
 * Adds all Kses input form content filters.
 *
 * All hooks have default priority. wp_filter_kses() is added to
 * 'title_save_pre'. On 'pre_comment_content' the callback depends on the
 * current user: wp_filter_post_kses() for users with the 'unfiltered_html'
 * capability, wp_filter_kses() otherwise.
 *
 * wp_filter_post_kses() is added to the 'content_save_pre',
 * 'excerpt_save_pre', and 'content_filtered_save_pre' hooks.
 *
 * @since 2.0.0
 * @uses add_filter() See description for what functions are added to what hooks.
 */
function kses_init_filters() {
	// Normal filtering
	add_filter( 'title_save_pre', 'wp_filter_kses' );

	// Comment filtering
	$comment_filter = current_user_can( 'unfiltered_html' ) ? 'wp_filter_post_kses' : 'wp_filter_kses';
	add_filter( 'pre_comment_content', $comment_filter );

	// Post filtering
	foreach ( array( 'content_save_pre', 'excerpt_save_pre', 'content_filtered_save_pre' ) as $hook ) {
		add_filter( $hook, 'wp_filter_post_kses' );
	}
}
関数 kses_remove_filters()
/**
 * Removes all Kses input form content filters.
 *
 * A quick procedural method to removing all of the filters that kses uses for
 * content in WordPress Loop. Both possible 'pre_comment_content' callbacks are
 * removed, since kses_init_filters() installs one or the other.
 *
 * Does not remove the kses_init() function from 'init' hook (priority is
 * default). Also does not remove kses_init() function from 'set_current_user'
 * hook (priority is also default).
 *
 * @since 2.0.6
 */
function kses_remove_filters() {
	$installed = array(
		// Normal filtering
		array( 'title_save_pre', 'wp_filter_kses' ),
		// Comment filtering
		array( 'pre_comment_content', 'wp_filter_post_kses' ),
		array( 'pre_comment_content', 'wp_filter_kses' ),
		// Post filtering
		array( 'content_save_pre', 'wp_filter_post_kses' ),
		array( 'excerpt_save_pre', 'wp_filter_post_kses' ),
		array( 'content_filtered_save_pre', 'wp_filter_post_kses' ),
	);

	foreach ( $installed as $pair ) {
		list( $hook, $callback ) = $pair;
		remove_filter( $hook, $callback );
	}
}
関数 kses_init()
/**
 * Sets up most of the Kses filters for input form content.
 *
 * If you remove the kses_init() function from 'init' hook and
 * 'set_current_user' (priority is default), then none of the Kses filter hooks
 * will be added.
 *
 * First removes all of the Kses filters in case the current user does not need
 * to have Kses filter the content. If the user does not have unfiltered_html
 * capability, then Kses filters are added.
 *
 * @uses kses_remove_filters() Removes the Kses filters
 * @uses kses_init_filters() Adds the Kses filters back if the user
 *		does not have unfiltered HTML capability.
 * @since 2.0.0
 */
function kses_init() {
	kses_remove_filters();

	// Only users without the capability get their input filtered.
	if ( ! current_user_can( 'unfiltered_html' ) )
		kses_init_filters();
}
関数間の処理
// Re-evaluate the Kses filters at boot and whenever the current user changes,
// since kses_init() decides based on the user's 'unfiltered_html' capability.
foreach ( array( 'init', 'set_current_user' ) as $hook ) {
	add_action( $hook, 'kses_init' );
}
関数 safecss_filter_attr()
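/**
 * Inline CSS filter.
 *
 * Keeps only the declarations of a style attribute whose property name is on
 * the 'safe_style_css' allow list. Input containing a backslash, '(', '&',
 * '=', '}' or a CSS comment opener is rejected wholesale, because those are
 * what a property-name check alone cannot constrain.
 *
 * @since 2.8.1
 *
 * @param string $css        Contents of a style attribute.
 * @param string $deprecated Unused; passing a value triggers a deprecation notice.
 * @return string Filtered declarations joined with ';', or '' if the input was rejected.
 */
function safecss_filter_attr( $css, $deprecated = '' ) {
	if ( !empty( $deprecated ) )
		_deprecated_argument( __FUNCTION__, '2.8.1' ); // Never implemented

	$css = wp_kses_no_null($css);
	$css = str_replace(array("\n","\r","\t"), '', $css);

	// Remove any inline css containing \ ( & } = or comments. The backslash
	// has to be escaped inside the character class ('\\\\' in single quotes);
	// with a single '\\' the class only holds an escaped '(' and a literal
	// backslash is not rejected, contrary to what this check is meant to do.
	if ( preg_match( '%[\\\\(&=}]|/\*%', $css ) )
		return '';

	$css_array = explode( ';', trim( $css ) );

	/**
	 * Filter list of allowed CSS attributes.
	 *
	 * @since 2.8.1
	 *
	 * @param array $attr List of allowed CSS attributes.
	 */
	$allowed_attr = apply_filters( 'safe_style_css', array( 'text-align', 'margin', 'color', 'float', 'border', 'background', 'background-color', 'border-bottom', 'border-bottom-color', 'border-bottom-style', 'border-bottom-width', 'border-collapse', 'border-color', 'border-left', 'border-left-color', 'border-left-style', 'border-left-width', 'border-right', 'border-right-color', 'border-right-style', 'border-right-width', 'border-spacing', 'border-style', 'border-top', 'border-top-color', 'border-top-style', 'border-top-width', 'border-width', 'caption-side', 'clear', 'cursor', 'direction', 'font', 'font-family', 'font-size', 'font-style', 'font-variant', 'font-weight', 'height', 'letter-spacing', 'line-height', 'margin-bottom', 'margin-left', 'margin-right', 'margin-top', 'overflow', 'padding', 'padding-bottom', 'padding-left', 'padding-right', 'padding-top', 'text-decoration', 'text-indent', 'vertical-align', 'width' ) );

	// An empty allow list disables property filtering (the character check above still applied).
	if ( empty($allowed_attr) )
		return $css;

	$css = '';
	foreach ( $css_array as $css_item ) {
		// Trim before the empty check so a whitespace-only fragment (e.g. after
		// a trailing ';') is skipped instead of producing a dangling ';'.
		$css_item = trim( $css_item );
		if ( $css_item === '' )
			continue;

		$found = false;
		if ( strpos( $css_item, ':' ) === false ) {
			// No "name:value" shape; kept as-is.
			$found = true;
		} else {
			$parts = explode( ':', $css_item );
			// Strict in_array(): property names are compared as text only.
			if ( in_array( trim( $parts[0] ), $allowed_attr, true ) )
				$found = true;
		}

		if ( $found ) {
			if ( $css !== '' )
				$css .= ';';
			$css .= $css_item;
		}
	}

	return $css;
}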
関数 _wp_add_global_attributes()
/**
 * Helper function to add global attributes to a tag in the allowed html list.
 *
 * `true` (tag allowed with no attributes) becomes just the global set; an
 * attribute array gets the global set merged in, with the global entries
 * overriding same-named ones; anything else is returned unchanged.
 *
 * @since 3.5.0
 * @access private
 *
 * @param array $value An array of attributes.
 * @return array The array of attributes with global attributes added.
 */
function _wp_add_global_attributes( $value ) {
	$global_attributes = array(
		'class' => true,
		'id' => true,
		'style' => true,
		'title' => true,
		'role' => true,
	);

	if ( true === $value ) {
		return $global_attributes;
	}

	if ( is_array( $value ) ) {
		return array_merge( $value, $global_attributes );
	}

	return $value;
}
/**
 * Removes any invalid control characters in $string.
 *
 * Strips the C0 control bytes other than tab, LF and CR, then every run of
 * the two-character sequence '\0' (a literal backslash followed by a zero).
 *
 * @since 1.0.0
 *
 * @param string $string
 * @return string
 */
function wp_kses_no_null($string) {
	// preg_replace() applies the patterns in order, so the literal "\0"
	// sequences are removed after the raw control bytes.
	$patterns = array(
		'/[\x00-\x08\x0B\x0C\x0E-\x1F]/', // C0 controls except \t \n \r
		'/(\\\\0)+/',                      // the text "\0", one or more times
	);
	return preg_replace( $patterns, '', $string );
}
/**
 * Strips slashes from in front of quotes.
 *
 * Changes the character sequence \" to just ". Every other backslash is left
 * alone. Historically needed because of the quoting that preg_replace(//e)
 * produced.
 *
 * @since 1.0.0
 *
 * @param string $string String to strip slashes
 * @return string Fixed string with quoted slashes
 */
function wp_kses_stripslashes($string) {
	// Only the exact two-character sequence backslash + double quote is touched.
	return str_replace( '\\"', '"', $string );
}
/**
 * Goes through an array and changes the keys to all lower case.
 *
 * Both the outer keys and the keys of every inner array are lower-cased;
 * values are left untouched. Non-array input is coerced with an (array) cast
 * at both levels.
 *
 * @since 1.0.0
 *
 * @param array $inarray Unfiltered array
 * @return array Fixed array with all lowercase keys
 */
function wp_kses_array_lc($inarray) {
	$outarray = array();

	foreach ( (array) $inarray as $tag => $attributes ) {
		// array_change_key_case() lower-cases every inner key in one pass;
		// later duplicates overwrite earlier ones, as sequential assignment would.
		$outarray[ strtolower( $tag ) ] = array_change_key_case( (array) $attributes, CASE_LOWER );
	}

	return $outarray;
}
/**
 * Removes the HTML JavaScript entities found in early versions of Netscape 4.
 *
 * An "&{ ... };" construct is dropped entirely, including an unterminated one
 * that runs to the end of the string.
 *
 * @since 1.0.0
 *
 * @param string $string
 * @return string
 */
function wp_kses_js_entities($string) {
	$js_entity = '%&\s*\{[^}]*(\}\s*;?|$)%';
	return preg_replace( $js_entity, '', $string );
}
/**
 * Handles parsing errors in wp_kses_hair().
 *
 * Removes the leading run of double-quoted strings, single-quoted strings and
 * non-whitespace characters, together with the whitespace that follows it, so
 * that attribute parsing can resume at the next token.
 *
 * @since 1.0.0
 *
 * @param string $string
 * @return string
 */
function wp_kses_html_error($string) {
	$leading_garbage = '/^("[^"]*("|$)|\'[^\']*(\'|$)|\S)*\s*/';
	return preg_replace( $leading_garbage, '', $string );
}
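/**
 * Sanitizes content from bad protocols and other characters.
 *
 * Searches for a URL scheme at the beginning of $string, splitting on the
 * first ':' whether it is literal or written as a numeric entity (&#58; or
 * &#x3a;, with optional leading zeros), and hands the scheme to
 * wp_kses_bad_protocol_once2() for the allow-list check. A 'feed:' scheme
 * wraps another URL, so the remainder is checked again, at most twice.
 *
 * @since 1.0.0
 *
 * @param string $string            Content to check for bad protocols.
 * @param array  $allowed_protocols Allowed protocols.
 * @param int    $count             Nesting depth; used internally for 'feed:' URLs.
 * @return string Sanitized content.
 */
function wp_kses_bad_protocol_once($string, $allowed_protocols, $count = 1 ) {
	// Split on ':' written literally or as a decimal (58) / hex (3a) entity.
	$string2 = preg_split( '/:|&#0*58;|&#x0*3a;/i', $string, 2 );
	// A ':' that follows "/?" belongs to a query string, not to a scheme.
	if ( isset($string2[1]) && ! preg_match('%/\?%', $string2[0]) ) {
		$string = trim( $string2[1] );
		$protocol = wp_kses_bad_protocol_once2( $string2[0], $allowed_protocols );
		if ( 'feed:' === $protocol ) {
			// Refuse deeply nested feed: wrappers instead of recursing further.
			if ( $count > 2 )
				return '';
			$string = wp_kses_bad_protocol_once( $string, $allowed_protocols, ++$count );
			if ( empty( $string ) )
				return $string;
		}
		$string = $protocol . $string;
	}
	return $string;
}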
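/**
 * Callback for wp_kses_bad_protocol_once() regular expression.
 *
 * Normalizes a URL scheme (entities decoded, whitespace and NUL sequences
 * removed, lower-cased) and checks it against the allow list.
 *
 * @access private
 * @since 1.0.0
 *
 * @param string $string            URI scheme to check against the whitelist.
 * @param array  $allowed_protocols Allowed protocols.
 * @return string The normalized scheme followed by ':' if allowed, '' otherwise.
 */
function wp_kses_bad_protocol_once2( $string, $allowed_protocols ) {
	$string2 = wp_kses_decode_entities($string);
	$string2 = preg_replace('/\s/', '', $string2);
	$string2 = wp_kses_no_null($string2);
	$string2 = strtolower($string2);

	// Strict in_array(): a loose == would compare numeric-looking schemes as
	// numbers rather than as text.
	$allowed = in_array( $string2, array_map( 'strtolower', (array) $allowed_protocols ), true );

	if ($allowed)
		return "$string2:";
	else
		return '';
}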
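/**
 * Converts and fixes HTML entities.
 *
 * Every '&' is first disarmed into '&amp;'; afterwards only the entities that
 * pass the callbacks are turned back into real entities. For example "AT&T"
 * becomes "AT&amp;T", "&#00058;" becomes "&#058;" and "&#XYZZY;" stays as
 * "&amp;#XYZZY;".
 *
 * @since 1.0.0
 *
 * @param string $string Content to normalize entities
 * @return string Content with normalized entities
 */
function wp_kses_normalize_entities($string) {
	# Disarm all entities by converting & to &amp;
	$string = str_replace('&', '&amp;', $string);

	# Change back the allowed entities in our entity whitelist. After the step
	# above no bare '&' remains, so the patterns match the disarmed '&amp;' form.
	$string = preg_replace_callback('/&amp;([A-Za-z]{2,8}[0-9]{0,2});/', 'wp_kses_named_entities', $string);
	$string = preg_replace_callback('/&amp;#(0*[0-9]{1,7});/', 'wp_kses_normalize_entities2', $string);
	$string = preg_replace_callback('/&amp;#[Xx](0*[0-9A-Fa-f]{1,6});/', 'wp_kses_normalize_entities3', $string);

	return $string;
}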
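/**
 * Callback for wp_kses_normalize_entities() regular expression.
 *
 * Only accepts valid named entity references, which are finite,
 * case-sensitive, and highly scrutinized by HTML and XML validators.
 * Unknown names are left in their disarmed "&amp;name;" form.
 *
 * @since 3.0.0
 *
 * @param array $matches preg_replace_callback() matches array
 * @return string Correctly encoded entity
 */
function wp_kses_named_entities($matches) {
	global $allowedentitynames;

	if ( empty($matches[1]) )
		return '';

	$i = $matches[1];
	// Strict in_array(): names are case-sensitive and must match exactly.
	return ( ! in_array( $i, (array) $allowedentitynames, true ) ) ? "&amp;$i;" : "&$i;";
}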
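/**
 * Callback for wp_kses_normalize_entities() regular expression.
 *
 * Helps wp_kses_normalize_entities() accept only valid Unicode code points
 * (as judged by valid_unicode()) for &#number; entities.
 *
 * @access private
 * @since 1.0.0
 *
 * @param array $matches preg_replace_callback() matches array
 * @return string Correctly encoded entity
 */
function wp_kses_normalize_entities2($matches) {
	if ( empty($matches[1]) )
		return '';

	$i = $matches[1];
	if (valid_unicode($i)) {
		// Canonical form: strip leading zeros, then pad to at least 3 digits.
		$i = str_pad(ltrim($i,'0'), 3, '0', STR_PAD_LEFT);
		$i = "&#$i;";
	} else {
		// Invalid code point: leave the entity disarmed as literal text.
		$i = "&amp;#$i;";
	}

	return $i;
}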
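/**
 * Callback for wp_kses_normalize_entities() for regular expression.
 *
 * Helps wp_kses_normalize_entities() accept only valid Unicode numeric
 * entities in hex form.
 *
 * @access private
 *
 * @param array $matches preg_replace_callback() matches array
 * @return string Correctly encoded entity
 */
function wp_kses_normalize_entities3($matches) {
	if ( empty($matches[1]) )
		return '';

	$hexchars = $matches[1];
	// Invalid code points stay disarmed ("&amp;#x...;"); valid ones are
	// re-armed with their leading zeros stripped.
	return ( ! valid_unicode(hexdec($hexchars)) ) ? "&amp;#x$hexchars;" : '&#x'.ltrim($hexchars,'0').';';
}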
/**
 * Helper function to determine if a Unicode value is valid.
 *
 * Accepts tab, LF, CR, the printable BMP ranges outside the surrogate block,
 * and the supplementary planes. Comparisons are deliberately loose so that a
 * numeric string (as passed by the entity callbacks) is handled like an int.
 *
 * @param int $i Unicode value
 * @return bool True if the value was a valid Unicode number
 */
function valid_unicode($i) {
	if ( $i == 0x9 || $i == 0xa || $i == 0xd )
		return true;
	if ( $i >= 0x20 && $i <= 0xd7ff )
		return true;
	if ( $i >= 0xe000 && $i <= 0xfffd )
		return true;
	return ( $i >= 0x10000 && $i <= 0x10ffff );
}
/**
 * Convert all entities to their character counterparts.
 *
 * Decodes numeric HTML entities (&#65; and &#x41;, both "A"). It doesn't do
 * anything with named entities like &auml;, but we don't need them in the URL
 * protocol whitelisting system anyway.
 *
 * @since 1.0.0
 *
 * @param string $string Content to change entities
 * @return string Content after decoded entities
 */
function wp_kses_decode_entities($string) {
	$decimal_entity = '/&#([0-9]+);/';
	$hex_entity     = '/&#[Xx]([0-9A-Fa-f]+);/';

	$string = preg_replace_callback( $decimal_entity, '_wp_kses_decode_entities_chr', $string );
	return preg_replace_callback( $hex_entity, '_wp_kses_decode_entities_chr_hexdec', $string );
}
/**
 * Regex callback for wp_kses_decode_entities()
 *
 * Turns the captured decimal code into a single byte via chr(); values above
 * 255 are reduced modulo 256 by chr(), so this is a byte decoder, not a UTF-8 one.
 *
 * @param array $match preg match
 * @return string
 */
function _wp_kses_decode_entities_chr( $match ) {
	$code = $match[1];
	return chr( $code );
}
/**
 * Regex callback for wp_kses_decode_entities()
 *
 * Turns the captured hex code into a single byte via hexdec() + chr().
 *
 * @param array $match preg match
 * @return string
 */
function _wp_kses_decode_entities_chr_hexdec( $match ) {
	$code = hexdec( $match[1] );
	return chr( $code );
}
/**
 * Sanitize content with allowed HTML Kses rules.
 *
 * The rule set is chosen by the name of the filter currently running.
 *
 * @since 1.0.0
 * @uses $allowedtags
 *
 * @param string $data Content to filter, expected to be escaped with slashes
 * @return string Filtered content, re-escaped with slashes
 */
function wp_filter_kses( $data ) {
	$unslashed = stripslashes( $data );
	$filtered  = wp_kses( $unslashed, current_filter() );
	return addslashes( $filtered );
}
/**
 * Sanitize content with allowed HTML Kses rules.
 *
 * Like wp_filter_kses() but for data that is not slash-escaped.
 *
 * @since 2.9.0
 * @uses $allowedtags
 *
 * @param string $data Content to filter, expected to not be escaped
 * @return string Filtered content
 */
function wp_kses_data( $data ) {
	$context = current_filter();
	return wp_kses( $data, $context );
}
/**
 * Sanitize content for allowed HTML tags for post content.
 *
 * Post content refers to the page contents of the 'post' type and not $_POST
 * data from forms.
 *
 * @since 2.0.0
 *
 * @param string $data Post content to filter, expected to be escaped with slashes
 * @return string Filtered post content with allowed HTML tags and attributes intact.
 */
function wp_filter_post_kses($data) {
	$unslashed = stripslashes( $data );
	$filtered  = wp_kses( $unslashed, 'post' );
	return addslashes( $filtered );
}
/**
 * Sanitize content for allowed HTML tags for post content.
 *
 * Post content refers to the page contents of the 'post' type and not $_POST
 * data from forms.
 *
 * @since 2.9.0
 *
 * @param string $data Post content to filter
 * @return string Filtered post content with allowed HTML tags and attributes intact.
 */
function wp_kses_post($data) {
	$context = 'post';
	return wp_kses( $data, $context );
}
/**
 * Strips all of the HTML in the content.
 *
 * @since 2.1.0
 *
 * @param string $data Content to strip all HTML from, expected to be escaped with slashes
 * @return string Filtered content without any HTML, re-escaped with slashes
 */
function wp_filter_nohtml_kses( $data ) {
	$unslashed = stripslashes( $data );
	$stripped  = wp_kses( $unslashed, 'strip' );
	return addslashes( $stripped );
}
/**
 * Adds all Kses input form content filters.
 *
 * All hooks have default priority. wp_filter_kses() is added to
 * 'title_save_pre'. On 'pre_comment_content' the callback depends on the
 * current user: wp_filter_post_kses() for users with the 'unfiltered_html'
 * capability, wp_filter_kses() otherwise.
 *
 * wp_filter_post_kses() is added to the 'content_save_pre',
 * 'excerpt_save_pre', and 'content_filtered_save_pre' hooks.
 *
 * @since 2.0.0
 * @uses add_filter() See description for what functions are added to what hooks.
 */
function kses_init_filters() {
	// Normal filtering
	add_filter( 'title_save_pre', 'wp_filter_kses' );

	// Comment filtering
	$comment_filter = current_user_can( 'unfiltered_html' ) ? 'wp_filter_post_kses' : 'wp_filter_kses';
	add_filter( 'pre_comment_content', $comment_filter );

	// Post filtering
	foreach ( array( 'content_save_pre', 'excerpt_save_pre', 'content_filtered_save_pre' ) as $hook ) {
		add_filter( $hook, 'wp_filter_post_kses' );
	}
}
/**
 * Removes all Kses input form content filters.
 *
 * A quick procedural method to removing all of the filters that kses uses for
 * content in WordPress Loop. Both possible 'pre_comment_content' callbacks are
 * removed, since kses_init_filters() installs one or the other.
 *
 * Does not remove the kses_init() function from 'init' hook (priority is
 * default). Also does not remove kses_init() function from 'set_current_user'
 * hook (priority is also default).
 *
 * @since 2.0.6
 */
function kses_remove_filters() {
	$installed = array(
		// Normal filtering
		array( 'title_save_pre', 'wp_filter_kses' ),
		// Comment filtering
		array( 'pre_comment_content', 'wp_filter_post_kses' ),
		array( 'pre_comment_content', 'wp_filter_kses' ),
		// Post filtering
		array( 'content_save_pre', 'wp_filter_post_kses' ),
		array( 'excerpt_save_pre', 'wp_filter_post_kses' ),
		array( 'content_filtered_save_pre', 'wp_filter_post_kses' ),
	);

	foreach ( $installed as $pair ) {
		list( $hook, $callback ) = $pair;
		remove_filter( $hook, $callback );
	}
}
/**
 * Sets up most of the Kses filters for input form content.
 *
 * If you remove the kses_init() function from 'init' hook and
 * 'set_current_user' (priority is default), then none of the Kses filter hooks
 * will be added.
 *
 * First removes all of the Kses filters in case the current user does not need
 * to have Kses filter the content. If the user does not have unfiltered_html
 * capability, then Kses filters are added.
 *
 * @uses kses_remove_filters() Removes the Kses filters
 * @uses kses_init_filters() Adds the Kses filters back if the user
 *		does not have unfiltered HTML capability.
 * @since 2.0.0
 */
function kses_init() {
	kses_remove_filters();

	// Only users without the capability get their input filtered.
	if ( ! current_user_can( 'unfiltered_html' ) )
		kses_init_filters();
}
// Re-evaluate the Kses filters at boot and whenever the current user changes,
// since kses_init() decides based on the user's 'unfiltered_html' capability.
foreach ( array( 'init', 'set_current_user' ) as $hook ) {
	add_action( $hook, 'kses_init' );
}
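/**
 * Inline CSS filter.
 *
 * Keeps only the declarations of a style attribute whose property name is on
 * the 'safe_style_css' allow list. Input containing a backslash, '(', '&',
 * '=', '}' or a CSS comment opener is rejected wholesale, because those are
 * what a property-name check alone cannot constrain.
 *
 * @since 2.8.1
 *
 * @param string $css        Contents of a style attribute.
 * @param string $deprecated Unused; passing a value triggers a deprecation notice.
 * @return string Filtered declarations joined with ';', or '' if the input was rejected.
 */
function safecss_filter_attr( $css, $deprecated = '' ) {
	if ( !empty( $deprecated ) )
		_deprecated_argument( __FUNCTION__, '2.8.1' ); // Never implemented

	$css = wp_kses_no_null($css);
	$css = str_replace(array("\n","\r","\t"), '', $css);

	// Remove any inline css containing \ ( & } = or comments. The backslash
	// has to be escaped inside the character class ('\\\\' in single quotes);
	// with a single '\\' the class only holds an escaped '(' and a literal
	// backslash is not rejected, contrary to what this check is meant to do.
	if ( preg_match( '%[\\\\(&=}]|/\*%', $css ) )
		return '';

	$css_array = explode( ';', trim( $css ) );

	/**
	 * Filter list of allowed CSS attributes.
	 *
	 * @since 2.8.1
	 *
	 * @param array $attr List of allowed CSS attributes.
	 */
	$allowed_attr = apply_filters( 'safe_style_css', array( 'text-align', 'margin', 'color', 'float', 'border', 'background', 'background-color', 'border-bottom', 'border-bottom-color', 'border-bottom-style', 'border-bottom-width', 'border-collapse', 'border-color', 'border-left', 'border-left-color', 'border-left-style', 'border-left-width', 'border-right', 'border-right-color', 'border-right-style', 'border-right-width', 'border-spacing', 'border-style', 'border-top', 'border-top-color', 'border-top-style', 'border-top-width', 'border-width', 'caption-side', 'clear', 'cursor', 'direction', 'font', 'font-family', 'font-size', 'font-style', 'font-variant', 'font-weight', 'height', 'letter-spacing', 'line-height', 'margin-bottom', 'margin-left', 'margin-right', 'margin-top', 'overflow', 'padding', 'padding-bottom', 'padding-left', 'padding-right', 'padding-top', 'text-decoration', 'text-indent', 'vertical-align', 'width' ) );

	// An empty allow list disables property filtering (the character check above still applied).
	if ( empty($allowed_attr) )
		return $css;

	$css = '';
	foreach ( $css_array as $css_item ) {
		// Trim before the empty check so a whitespace-only fragment (e.g. after
		// a trailing ';') is skipped instead of producing a dangling ';'.
		$css_item = trim( $css_item );
		if ( $css_item === '' )
			continue;

		$found = false;
		if ( strpos( $css_item, ':' ) === false ) {
			// No "name:value" shape; kept as-is.
			$found = true;
		} else {
			$parts = explode( ':', $css_item );
			// Strict in_array(): property names are compared as text only.
			if ( in_array( trim( $parts[0] ), $allowed_attr, true ) )
				$found = true;
		}

		if ( $found ) {
			if ( $css !== '' )
				$css .= ';';
			$css .= $css_item;
		}
	}

	return $css;
}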
/**
 * Helper function to add global attributes to a tag in the allowed html list.
 *
 * `true` (tag allowed with no attributes) becomes just the global set; an
 * attribute array gets the global set merged in, with the global entries
 * overriding same-named ones; anything else is returned unchanged.
 *
 * @since 3.5.0
 * @access private
 *
 * @param array $value An array of attributes.
 * @return array The array of attributes with global attributes added.
 */
function _wp_add_global_attributes( $value ) {
	$global_attributes = array(
		'class' => true,
		'id' => true,
		'style' => true,
		'title' => true,
		'role' => true,
	);

	if ( true === $value ) {
		return $global_attributes;
	}

	if ( is_array( $value ) ) {
		return array_merge( $value, $global_attributes );
	}

	return $value;
}