PageRenderTime 54ms CodeModel.GetById 23ms RepoModel.GetById 0ms app.codeStats 0ms

/wp-includes/kses.php

https://bitbucket.org/aqge/deptandashboard
PHP | 1416 lines | 876 code | 100 blank | 440 comment | 74 complexity | b99ac7fc4f422b405387c952e88ed5c7 MD5 | raw file
Possible License(s): AGPL-1.0, GPL-2.0, LGPL-2.1
  1. <?php
  2. /**
  3. * kses 0.2.2 - HTML/XHTML filter that only allows some elements and attributes
  4. * Copyright (C) 2002, 2003, 2005 Ulf Harnhammar
  5. *
  6. * This program is free software and open source software; you can redistribute
  7. * it and/or modify it under the terms of the GNU General Public License as
  8. * published by the Free Software Foundation; either version 2 of the License,
  9. * or (at your option) any later version.
  10. *
  11. * This program is distributed in the hope that it will be useful, but WITHOUT
  12. * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13. * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
  14. * more details.
  15. *
  16. * You should have received a copy of the GNU General Public License along
  17. * with this program; if not, write to the Free Software Foundation, Inc.,
  18. * 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
  19. * http://www.gnu.org/licenses/gpl.html
  20. *
  21. * [kses strips evil scripts!]
  22. *
  23. * Added wp_ prefix to avoid conflicts with existing kses users
  24. *
  25. * @version 0.2.2
  26. * @copyright (C) 2002, 2003, 2005
  27. * @author Ulf Harnhammar <http://advogato.org/person/metaur/>
  28. *
  29. * @package External
  30. * @subpackage KSES
  31. *
  32. */
  33. /**
  34. * You can override this in a plugin.
  35. *
  36. * @since 1.2.0
  37. */
  38. if ( ! defined( 'CUSTOM_TAGS' ) )
  39. define( 'CUSTOM_TAGS', false );
  40. if ( ! CUSTOM_TAGS ) {
  41. /**
  42. * Kses global for default allowable HTML tags.
  43. *
  44. * Can be override by using CUSTOM_TAGS constant.
  45. *
  46. * @global array $allowedposttags
  47. * @since 2.0.0
  48. */
  49. $allowedposttags = array(
  50. 'address' => array(),
  51. 'a' => array(
  52. 'class' => array (),
  53. 'href' => array (),
  54. 'id' => array (),
  55. 'title' => array (),
  56. 'rel' => array (),
  57. 'rev' => array (),
  58. 'name' => array (),
  59. 'target' => array()),
  60. 'abbr' => array(
  61. 'class' => array (),
  62. 'title' => array ()),
  63. 'acronym' => array(
  64. 'title' => array ()),
  65. 'article' => array(
  66. 'align' => array (),
  67. 'class' => array (),
  68. 'dir' => array (),
  69. 'lang' => array(),
  70. 'style' => array (),
  71. 'xml:lang' => array(),
  72. ),
  73. 'aside' => array(
  74. 'align' => array (),
  75. 'class' => array (),
  76. 'dir' => array (),
  77. 'lang' => array(),
  78. 'style' => array (),
  79. 'xml:lang' => array(),
  80. ),
  81. 'b' => array(),
  82. 'big' => array(),
  83. 'blockquote' => array(
  84. 'id' => array (),
  85. 'cite' => array (),
  86. 'class' => array(),
  87. 'lang' => array(),
  88. 'xml:lang' => array()),
  89. 'br' => array (
  90. 'class' => array ()),
  91. 'button' => array(
  92. 'disabled' => array (),
  93. 'name' => array (),
  94. 'type' => array (),
  95. 'value' => array ()),
  96. 'caption' => array(
  97. 'align' => array (),
  98. 'class' => array ()),
  99. 'cite' => array (
  100. 'class' => array(),
  101. 'dir' => array(),
  102. 'lang' => array(),
  103. 'title' => array ()),
  104. 'code' => array (
  105. 'style' => array()),
  106. 'col' => array(
  107. 'align' => array (),
  108. 'char' => array (),
  109. 'charoff' => array (),
  110. 'span' => array (),
  111. 'dir' => array(),
  112. 'style' => array (),
  113. 'valign' => array (),
  114. 'width' => array ()),
  115. 'del' => array(
  116. 'datetime' => array ()),
  117. 'dd' => array(),
  118. 'details' => array(
  119. 'align' => array (),
  120. 'class' => array (),
  121. 'dir' => array (),
  122. 'lang' => array(),
  123. 'open' => array (),
  124. 'style' => array (),
  125. 'xml:lang' => array(),
  126. ),
  127. 'div' => array(
  128. 'align' => array (),
  129. 'class' => array (),
  130. 'dir' => array (),
  131. 'lang' => array(),
  132. 'style' => array (),
  133. 'xml:lang' => array()),
  134. 'dl' => array(),
  135. 'dt' => array(),
  136. 'em' => array(),
  137. 'fieldset' => array(),
  138. 'figure' => array(
  139. 'align' => array (),
  140. 'class' => array (),
  141. 'dir' => array (),
  142. 'lang' => array(),
  143. 'style' => array (),
  144. 'xml:lang' => array(),
  145. ),
  146. 'figcaption' => array(
  147. 'align' => array (),
  148. 'class' => array (),
  149. 'dir' => array (),
  150. 'lang' => array(),
  151. 'style' => array (),
  152. 'xml:lang' => array(),
  153. ),
  154. 'font' => array(
  155. 'color' => array (),
  156. 'face' => array (),
  157. 'size' => array ()),
  158. 'footer' => array(
  159. 'align' => array (),
  160. 'class' => array (),
  161. 'dir' => array (),
  162. 'lang' => array(),
  163. 'style' => array (),
  164. 'xml:lang' => array(),
  165. ),
  166. 'form' => array(
  167. 'action' => array (),
  168. 'accept' => array (),
  169. 'accept-charset' => array (),
  170. 'enctype' => array (),
  171. 'method' => array (),
  172. 'name' => array (),
  173. 'target' => array ()),
  174. 'h1' => array(
  175. 'align' => array (),
  176. 'class' => array (),
  177. 'id' => array (),
  178. 'style' => array ()),
  179. 'h2' => array (
  180. 'align' => array (),
  181. 'class' => array (),
  182. 'id' => array (),
  183. 'style' => array ()),
  184. 'h3' => array (
  185. 'align' => array (),
  186. 'class' => array (),
  187. 'id' => array (),
  188. 'style' => array ()),
  189. 'h4' => array (
  190. 'align' => array (),
  191. 'class' => array (),
  192. 'id' => array (),
  193. 'style' => array ()),
  194. 'h5' => array (
  195. 'align' => array (),
  196. 'class' => array (),
  197. 'id' => array (),
  198. 'style' => array ()),
  199. 'h6' => array (
  200. 'align' => array (),
  201. 'class' => array (),
  202. 'id' => array (),
  203. 'style' => array ()),
  204. 'header' => array(
  205. 'align' => array (),
  206. 'class' => array (),
  207. 'dir' => array (),
  208. 'lang' => array(),
  209. 'style' => array (),
  210. 'xml:lang' => array(),
  211. ),
  212. 'hgroup' => array(
  213. 'align' => array (),
  214. 'class' => array (),
  215. 'dir' => array (),
  216. 'lang' => array(),
  217. 'style' => array (),
  218. 'xml:lang' => array(),
  219. ),
  220. 'hr' => array (
  221. 'align' => array (),
  222. 'class' => array (),
  223. 'noshade' => array (),
  224. 'size' => array (),
  225. 'width' => array ()),
  226. 'i' => array(),
  227. 'img' => array(
  228. 'alt' => array (),
  229. 'align' => array (),
  230. 'border' => array (),
  231. 'class' => array (),
  232. 'height' => array (),
  233. 'hspace' => array (),
  234. 'longdesc' => array (),
  235. 'vspace' => array (),
  236. 'src' => array (),
  237. 'style' => array (),
  238. 'width' => array ()),
  239. 'ins' => array(
  240. 'datetime' => array (),
  241. 'cite' => array ()),
  242. 'kbd' => array(),
  243. 'label' => array(
  244. 'for' => array ()),
  245. 'legend' => array(
  246. 'align' => array ()),
  247. 'li' => array (
  248. 'align' => array (),
  249. 'class' => array ()),
  250. 'menu' => array (
  251. 'class' => array (),
  252. 'style' => array (),
  253. 'type' => array ()),
  254. 'nav' => array(
  255. 'align' => array (),
  256. 'class' => array (),
  257. 'dir' => array (),
  258. 'lang' => array(),
  259. 'style' => array (),
  260. 'xml:lang' => array(),
  261. ),
  262. 'p' => array(
  263. 'class' => array (),
  264. 'align' => array (),
  265. 'dir' => array(),
  266. 'lang' => array(),
  267. 'style' => array (),
  268. 'xml:lang' => array()),
  269. 'pre' => array(
  270. 'style' => array(),
  271. 'width' => array ()),
  272. 'q' => array(
  273. 'cite' => array ()),
  274. 's' => array(),
  275. 'span' => array (
  276. 'class' => array (),
  277. 'dir' => array (),
  278. 'align' => array (),
  279. 'lang' => array (),
  280. 'style' => array (),
  281. 'title' => array (),
  282. 'xml:lang' => array()),
  283. 'section' => array(
  284. 'align' => array (),
  285. 'class' => array (),
  286. 'dir' => array (),
  287. 'lang' => array(),
  288. 'style' => array (),
  289. 'xml:lang' => array(),
  290. ),
  291. 'strike' => array(),
  292. 'strong' => array(),
  293. 'sub' => array(),
  294. 'summary' => array(
  295. 'align' => array (),
  296. 'class' => array (),
  297. 'dir' => array (),
  298. 'lang' => array(),
  299. 'style' => array (),
  300. 'xml:lang' => array(),
  301. ),
  302. 'sup' => array(),
  303. 'table' => array(
  304. 'align' => array (),
  305. 'bgcolor' => array (),
  306. 'border' => array (),
  307. 'cellpadding' => array (),
  308. 'cellspacing' => array (),
  309. 'class' => array (),
  310. 'dir' => array(),
  311. 'id' => array(),
  312. 'rules' => array (),
  313. 'style' => array (),
  314. 'summary' => array (),
  315. 'width' => array ()),
  316. 'tbody' => array(
  317. 'align' => array (),
  318. 'char' => array (),
  319. 'charoff' => array (),
  320. 'valign' => array ()),
  321. 'td' => array(
  322. 'abbr' => array (),
  323. 'align' => array (),
  324. 'axis' => array (),
  325. 'bgcolor' => array (),
  326. 'char' => array (),
  327. 'charoff' => array (),
  328. 'class' => array (),
  329. 'colspan' => array (),
  330. 'dir' => array(),
  331. 'headers' => array (),
  332. 'height' => array (),
  333. 'nowrap' => array (),
  334. 'rowspan' => array (),
  335. 'scope' => array (),
  336. 'style' => array (),
  337. 'valign' => array (),
  338. 'width' => array ()),
  339. 'textarea' => array(
  340. 'cols' => array (),
  341. 'rows' => array (),
  342. 'disabled' => array (),
  343. 'name' => array (),
  344. 'readonly' => array ()),
  345. 'tfoot' => array(
  346. 'align' => array (),
  347. 'char' => array (),
  348. 'class' => array (),
  349. 'charoff' => array (),
  350. 'valign' => array ()),
  351. 'th' => array(
  352. 'abbr' => array (),
  353. 'align' => array (),
  354. 'axis' => array (),
  355. 'bgcolor' => array (),
  356. 'char' => array (),
  357. 'charoff' => array (),
  358. 'class' => array (),
  359. 'colspan' => array (),
  360. 'headers' => array (),
  361. 'height' => array (),
  362. 'nowrap' => array (),
  363. 'rowspan' => array (),
  364. 'scope' => array (),
  365. 'valign' => array (),
  366. 'width' => array ()),
  367. 'thead' => array(
  368. 'align' => array (),
  369. 'char' => array (),
  370. 'charoff' => array (),
  371. 'class' => array (),
  372. 'valign' => array ()),
  373. 'title' => array(),
  374. 'tr' => array(
  375. 'align' => array (),
  376. 'bgcolor' => array (),
  377. 'char' => array (),
  378. 'charoff' => array (),
  379. 'class' => array (),
  380. 'style' => array (),
  381. 'valign' => array ()),
  382. 'tt' => array(),
  383. 'u' => array(),
  384. 'ul' => array (
  385. 'class' => array (),
  386. 'style' => array (),
  387. 'type' => array ()),
  388. 'ol' => array (
  389. 'class' => array (),
  390. 'start' => array (),
  391. 'style' => array (),
  392. 'type' => array ()),
  393. 'var' => array ());
  394. /**
  395. * Kses allowed HTML elements.
  396. *
  397. * @global array $allowedtags
  398. * @since 1.0.0
  399. */
  400. $allowedtags = array(
  401. 'a' => array(
  402. 'href' => array (),
  403. 'title' => array ()),
  404. 'abbr' => array(
  405. 'title' => array ()),
  406. 'acronym' => array(
  407. 'title' => array ()),
  408. 'b' => array(),
  409. 'blockquote' => array(
  410. 'cite' => array ()),
  411. // 'br' => array(),
  412. 'cite' => array (),
  413. 'code' => array(),
  414. 'del' => array(
  415. 'datetime' => array ()),
  416. // 'dd' => array(),
  417. // 'dl' => array(),
  418. // 'dt' => array(),
  419. 'em' => array (), 'i' => array (),
  420. // 'ins' => array('datetime' => array(), 'cite' => array()),
  421. // 'li' => array(),
  422. // 'ol' => array(),
  423. // 'p' => array(),
  424. 'q' => array(
  425. 'cite' => array ()),
  426. 'strike' => array(),
  427. 'strong' => array(),
  428. // 'sub' => array(),
  429. // 'sup' => array(),
  430. // 'u' => array(),
  431. // 'ul' => array(),
  432. );
  433. $allowedentitynames = array(
  434. 'nbsp', 'iexcl', 'cent', 'pound', 'curren', 'yen',
  435. 'brvbar', 'sect', 'uml', 'copy', 'ordf', 'laquo',
  436. 'not', 'shy', 'reg', 'macr', 'deg', 'plusmn',
  437. 'acute', 'micro', 'para', 'middot', 'cedil', 'ordm',
  438. 'raquo', 'iquest', 'Agrave', 'Aacute', 'Acirc', 'Atilde',
  439. 'Auml', 'Aring', 'AElig', 'Ccedil', 'Egrave', 'Eacute',
  440. 'Ecirc', 'Euml', 'Igrave', 'Iacute', 'Icirc', 'Iuml',
  441. 'ETH', 'Ntilde', 'Ograve', 'Oacute', 'Ocirc', 'Otilde',
  442. 'Ouml', 'times', 'Oslash', 'Ugrave', 'Uacute', 'Ucirc',
  443. 'Uuml', 'Yacute', 'THORN', 'szlig', 'agrave', 'aacute',
  444. 'acirc', 'atilde', 'auml', 'aring', 'aelig', 'ccedil',
  445. 'egrave', 'eacute', 'ecirc', 'euml', 'igrave', 'iacute',
  446. 'icirc', 'iuml', 'eth', 'ntilde', 'ograve', 'oacute',
  447. 'ocirc', 'otilde', 'ouml', 'divide', 'oslash', 'ugrave',
  448. 'uacute', 'ucirc', 'uuml', 'yacute', 'thorn', 'yuml',
  449. 'quot', 'amp', 'lt', 'gt', 'apos', 'OElig',
  450. 'oelig', 'Scaron', 'scaron', 'Yuml', 'circ', 'tilde',
  451. 'ensp', 'emsp', 'thinsp', 'zwnj', 'zwj', 'lrm',
  452. 'rlm', 'ndash', 'mdash', 'lsquo', 'rsquo', 'sbquo',
  453. 'ldquo', 'rdquo', 'bdquo', 'dagger', 'Dagger', 'permil',
  454. 'lsaquo', 'rsaquo', 'euro', 'fnof', 'Alpha', 'Beta',
  455. 'Gamma', 'Delta', 'Epsilon', 'Zeta', 'Eta', 'Theta',
  456. 'Iota', 'Kappa', 'Lambda', 'Mu', 'Nu', 'Xi',
  457. 'Omicron', 'Pi', 'Rho', 'Sigma', 'Tau', 'Upsilon',
  458. 'Phi', 'Chi', 'Psi', 'Omega', 'alpha', 'beta',
  459. 'gamma', 'delta', 'epsilon', 'zeta', 'eta', 'theta',
  460. 'iota', 'kappa', 'lambda', 'mu', 'nu', 'xi',
  461. 'omicron', 'pi', 'rho', 'sigmaf', 'sigma', 'tau',
  462. 'upsilon', 'phi', 'chi', 'psi', 'omega', 'thetasym',
  463. 'upsih', 'piv', 'bull', 'hellip', 'prime', 'Prime',
  464. 'oline', 'frasl', 'weierp', 'image', 'real', 'trade',
  465. 'alefsym', 'larr', 'uarr', 'rarr', 'darr', 'harr',
  466. 'crarr', 'lArr', 'uArr', 'rArr', 'dArr', 'hArr',
  467. 'forall', 'part', 'exist', 'empty', 'nabla', 'isin',
  468. 'notin', 'ni', 'prod', 'sum', 'minus', 'lowast',
  469. 'radic', 'prop', 'infin', 'ang', 'and', 'or',
  470. 'cap', 'cup', 'int', 'sim', 'cong', 'asymp',
  471. 'ne', 'equiv', 'le', 'ge', 'sub', 'sup',
  472. 'nsub', 'sube', 'supe', 'oplus', 'otimes', 'perp',
  473. 'sdot', 'lceil', 'rceil', 'lfloor', 'rfloor', 'lang',
  474. 'rang', 'loz', 'spades', 'clubs', 'hearts', 'diams',
  475. );
  476. }
  477. /**
  478. * Filters content and keeps only allowable HTML elements.
  479. *
  480. * This function makes sure that only the allowed HTML element names, attribute
  481. * names and attribute values plus only sane HTML entities will occur in
  482. * $string. You have to remove any slashes from PHP's magic quotes before you
  483. * call this function.
  484. *
  485. * The default allowed protocols are 'http', 'https', 'ftp', 'mailto', 'news',
  486. * 'irc', 'gopher', 'nntp', 'feed', 'telnet, 'mms', 'rtsp' and 'svn'. This
  487. * covers all common link protocols, except for 'javascript' which should not
  488. * be allowed for untrusted users.
  489. *
  490. * @since 1.0.0
  491. *
  492. * @param string $string Content to filter through kses
  493. * @param array $allowed_html List of allowed HTML elements
  494. * @param array $allowed_protocols Optional. Allowed protocol in links.
  495. * @return string Filtered content with only allowed HTML elements
  496. */
  497. function wp_kses($string, $allowed_html, $allowed_protocols = array ()) {
  498. if ( empty( $allowed_protocols ) )
  499. $allowed_protocols = wp_allowed_protocols();
  500. $string = wp_kses_no_null($string);
  501. $string = wp_kses_js_entities($string);
  502. $string = wp_kses_normalize_entities($string);
  503. $allowed_html_fixed = wp_kses_array_lc($allowed_html);
  504. $string = wp_kses_hook($string, $allowed_html_fixed, $allowed_protocols); // WP changed the order of these funcs and added args to wp_kses_hook
  505. return wp_kses_split($string, $allowed_html_fixed, $allowed_protocols);
  506. }
  507. /**
  508. * You add any kses hooks here.
  509. *
  510. * There is currently only one kses WordPress hook and it is called here. All
  511. * parameters are passed to the hooks and expected to receive a string.
  512. *
  513. * @since 1.0.0
  514. *
  515. * @param string $string Content to filter through kses
  516. * @param array $allowed_html List of allowed HTML elements
  517. * @param array $allowed_protocols Allowed protocol in links
  518. * @return string Filtered content through 'pre_kses' hook
  519. */
  520. function wp_kses_hook($string, $allowed_html, $allowed_protocols) {
  521. $string = apply_filters('pre_kses', $string, $allowed_html, $allowed_protocols);
  522. return $string;
  523. }
  524. /**
  525. * This function returns kses' version number.
  526. *
  527. * @since 1.0.0
  528. *
  529. * @return string KSES Version Number
  530. */
  531. function wp_kses_version() {
  532. return '0.2.2';
  533. }
  534. /**
  535. * Searches for HTML tags, no matter how malformed.
  536. *
  537. * It also matches stray ">" characters.
  538. *
  539. * @since 1.0.0
  540. *
  541. * @param string $string Content to filter
  542. * @param array $allowed_html Allowed HTML elements
  543. * @param array $allowed_protocols Allowed protocols to keep
  544. * @return string Content with fixed HTML tags
  545. */
  546. function wp_kses_split($string, $allowed_html, $allowed_protocols) {
  547. global $pass_allowed_html, $pass_allowed_protocols;
  548. $pass_allowed_html = $allowed_html;
  549. $pass_allowed_protocols = $allowed_protocols;
  550. return preg_replace_callback( '%(<!--.*?(-->|$))|(<[^>]*(>|$)|>)%', '_wp_kses_split_callback', $string );
  551. }
  552. /**
  553. * Callback for wp_kses_split.
  554. *
  555. * @since 3.1.0
  556. * @access private
  557. */
  558. function _wp_kses_split_callback( $match ) {
  559. global $pass_allowed_html, $pass_allowed_protocols;
  560. return wp_kses_split2( $match[0], $pass_allowed_html, $pass_allowed_protocols );
  561. }
  562. /**
  563. * Callback for wp_kses_split for fixing malformed HTML tags.
  564. *
  565. * This function does a lot of work. It rejects some very malformed things like
  566. * <:::>. It returns an empty string, if the element isn't allowed (look ma, no
  567. * strip_tags()!). Otherwise it splits the tag into an element and an attribute
  568. * list.
  569. *
  570. * After the tag is split into an element and an attribute list, it is run
  571. * through another filter which will remove illegal attributes and once that is
  572. * completed, will be returned.
  573. *
  574. * @access private
  575. * @since 1.0.0
  576. * @uses wp_kses_attr()
  577. *
  578. * @param string $string Content to filter
  579. * @param array $allowed_html Allowed HTML elements
  580. * @param array $allowed_protocols Allowed protocols to keep
  581. * @return string Fixed HTML element
  582. */
  583. function wp_kses_split2($string, $allowed_html, $allowed_protocols) {
  584. $string = wp_kses_stripslashes($string);
  585. if (substr($string, 0, 1) != '<')
  586. return '&gt;';
  587. # It matched a ">" character
  588. if ( '<!--' == substr( $string, 0, 4 ) ) {
  589. $string = str_replace( array('<!--', '-->'), '', $string );
  590. while ( $string != ($newstring = wp_kses($string, $allowed_html, $allowed_protocols)) )
  591. $string = $newstring;
  592. if ( $string == '' )
  593. return '';
  594. // prevent multiple dashes in comments
  595. $string = preg_replace('/--+/', '-', $string);
  596. // prevent three dashes closing a comment
  597. $string = preg_replace('/-$/', '', $string);
  598. return "<!--{$string}-->";
  599. }
  600. # Allow HTML comments
  601. if (!preg_match('%^<\s*(/\s*)?([a-zA-Z0-9]+)([^>]*)>?$%', $string, $matches))
  602. return '';
  603. # It's seriously malformed
  604. $slash = trim($matches[1]);
  605. $elem = $matches[2];
  606. $attrlist = $matches[3];
  607. if ( ! isset($allowed_html[strtolower($elem)]) )
  608. return '';
  609. # They are using a not allowed HTML element
  610. if ($slash != '')
  611. return "</$elem>";
  612. # No attributes are allowed for closing elements
  613. return wp_kses_attr( $elem, $attrlist, $allowed_html, $allowed_protocols );
  614. }
  615. /**
  616. * Removes all attributes, if none are allowed for this element.
  617. *
  618. * If some are allowed it calls wp_kses_hair() to split them further, and then
  619. * it builds up new HTML code from the data that kses_hair() returns. It also
  620. * removes "<" and ">" characters, if there are any left. One more thing it does
  621. * is to check if the tag has a closing XHTML slash, and if it does, it puts one
  622. * in the returned code as well.
  623. *
  624. * @since 1.0.0
  625. *
  626. * @param string $element HTML element/tag
  627. * @param string $attr HTML attributes from HTML element to closing HTML element tag
  628. * @param array $allowed_html Allowed HTML elements
  629. * @param array $allowed_protocols Allowed protocols to keep
  630. * @return string Sanitized HTML element
  631. */
  632. function wp_kses_attr($element, $attr, $allowed_html, $allowed_protocols) {
  633. # Is there a closing XHTML slash at the end of the attributes?
  634. $xhtml_slash = '';
  635. if (preg_match('%\s*/\s*$%', $attr))
  636. $xhtml_slash = ' /';
  637. # Are any attributes allowed at all for this element?
  638. if ( ! isset($allowed_html[strtolower($element)]) || count($allowed_html[strtolower($element)]) == 0 )
  639. return "<$element$xhtml_slash>";
  640. # Split it
  641. $attrarr = wp_kses_hair($attr, $allowed_protocols);
  642. # Go through $attrarr, and save the allowed attributes for this element
  643. # in $attr2
  644. $attr2 = '';
  645. $allowed_attr = $allowed_html[strtolower($element)];
  646. foreach ($attrarr as $arreach) {
  647. if ( ! isset( $allowed_attr[strtolower($arreach['name'])] ) )
  648. continue; # the attribute is not allowed
  649. $current = $allowed_attr[strtolower($arreach['name'])];
  650. if ( $current == '' )
  651. continue; # the attribute is not allowed
  652. if ( ! is_array($current) ) {
  653. $attr2 .= ' '.$arreach['whole'];
  654. # there are no checks
  655. } else {
  656. # there are some checks
  657. $ok = true;
  658. foreach ($current as $currkey => $currval) {
  659. if ( ! wp_kses_check_attr_val($arreach['value'], $arreach['vless'], $currkey, $currval) ) {
  660. $ok = false;
  661. break;
  662. }
  663. }
  664. if ( strtolower($arreach['name']) == 'style' ) {
  665. $orig_value = $arreach['value'];
  666. $value = safecss_filter_attr($orig_value);
  667. if ( empty($value) )
  668. continue;
  669. $arreach['value'] = $value;
  670. $arreach['whole'] = str_replace($orig_value, $value, $arreach['whole']);
  671. }
  672. if ($ok)
  673. $attr2 .= ' '.$arreach['whole']; # it passed them
  674. } # if !is_array($current)
  675. } # foreach
  676. # Remove any "<" or ">" characters
  677. $attr2 = preg_replace('/[<>]/', '', $attr2);
  678. return "<$element$attr2$xhtml_slash>";
  679. }
  680. /**
  681. * Builds an attribute list from string containing attributes.
  682. *
  683. * This function does a lot of work. It parses an attribute list into an array
  684. * with attribute data, and tries to do the right thing even if it gets weird
  685. * input. It will add quotes around attribute values that don't have any quotes
  686. * or apostrophes around them, to make it easier to produce HTML code that will
  687. * conform to W3C's HTML specification. It will also remove bad URL protocols
  688. * from attribute values. It also reduces duplicate attributes by using the
  689. * attribute defined first (foo='bar' foo='baz' will result in foo='bar').
  690. *
  691. * @since 1.0.0
  692. *
  693. * @param string $attr Attribute list from HTML element to closing HTML element tag
  694. * @param array $allowed_protocols Allowed protocols to keep
  695. * @return array List of attributes after parsing
  696. */
  697. function wp_kses_hair($attr, $allowed_protocols) {
  698. $attrarr = array ();
  699. $mode = 0;
  700. $attrname = '';
  701. $uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');
  702. # Loop through the whole attribute list
  703. while (strlen($attr) != 0) {
  704. $working = 0; # Was the last operation successful?
  705. switch ($mode) {
  706. case 0 : # attribute name, href for instance
  707. if (preg_match('/^([-a-zA-Z]+)/', $attr, $match)) {
  708. $attrname = $match[1];
  709. $working = $mode = 1;
  710. $attr = preg_replace('/^[-a-zA-Z]+/', '', $attr);
  711. }
  712. break;
  713. case 1 : # equals sign or valueless ("selected")
  714. if (preg_match('/^\s*=\s*/', $attr)) # equals sign
  715. {
  716. $working = 1;
  717. $mode = 2;
  718. $attr = preg_replace('/^\s*=\s*/', '', $attr);
  719. break;
  720. }
  721. if (preg_match('/^\s+/', $attr)) # valueless
  722. {
  723. $working = 1;
  724. $mode = 0;
  725. if(FALSE === array_key_exists($attrname, $attrarr)) {
  726. $attrarr[$attrname] = array ('name' => $attrname, 'value' => '', 'whole' => $attrname, 'vless' => 'y');
  727. }
  728. $attr = preg_replace('/^\s+/', '', $attr);
  729. }
  730. break;
  731. case 2 : # attribute value, a URL after href= for instance
  732. if (preg_match('%^"([^"]*)"(\s+|/?$)%', $attr, $match))
  733. # "value"
  734. {
  735. $thisval = $match[1];
  736. if ( in_array(strtolower($attrname), $uris) )
  737. $thisval = wp_kses_bad_protocol($thisval, $allowed_protocols);
  738. if(FALSE === array_key_exists($attrname, $attrarr)) {
  739. $attrarr[$attrname] = array ('name' => $attrname, 'value' => $thisval, 'whole' => "$attrname=\"$thisval\"", 'vless' => 'n');
  740. }
  741. $working = 1;
  742. $mode = 0;
  743. $attr = preg_replace('/^"[^"]*"(\s+|$)/', '', $attr);
  744. break;
  745. }
  746. if (preg_match("%^'([^']*)'(\s+|/?$)%", $attr, $match))
  747. # 'value'
  748. {
  749. $thisval = $match[1];
  750. if ( in_array(strtolower($attrname), $uris) )
  751. $thisval = wp_kses_bad_protocol($thisval, $allowed_protocols);
  752. if(FALSE === array_key_exists($attrname, $attrarr)) {
  753. $attrarr[$attrname] = array ('name' => $attrname, 'value' => $thisval, 'whole' => "$attrname='$thisval'", 'vless' => 'n');
  754. }
  755. $working = 1;
  756. $mode = 0;
  757. $attr = preg_replace("/^'[^']*'(\s+|$)/", '', $attr);
  758. break;
  759. }
  760. if (preg_match("%^([^\s\"']+)(\s+|/?$)%", $attr, $match))
  761. # value
  762. {
  763. $thisval = $match[1];
  764. if ( in_array(strtolower($attrname), $uris) )
  765. $thisval = wp_kses_bad_protocol($thisval, $allowed_protocols);
  766. if(FALSE === array_key_exists($attrname, $attrarr)) {
  767. $attrarr[$attrname] = array ('name' => $attrname, 'value' => $thisval, 'whole' => "$attrname=\"$thisval\"", 'vless' => 'n');
  768. }
  769. # We add quotes to conform to W3C's HTML spec.
  770. $working = 1;
  771. $mode = 0;
  772. $attr = preg_replace("%^[^\s\"']+(\s+|$)%", '', $attr);
  773. }
  774. break;
  775. } # switch
  776. if ($working == 0) # not well formed, remove and try again
  777. {
  778. $attr = wp_kses_html_error($attr);
  779. $mode = 0;
  780. }
  781. } # while
  782. if ($mode == 1 && FALSE === array_key_exists($attrname, $attrarr))
  783. # special case, for when the attribute list ends with a valueless
  784. # attribute like "selected"
  785. $attrarr[$attrname] = array ('name' => $attrname, 'value' => '', 'whole' => $attrname, 'vless' => 'y');
  786. return $attrarr;
  787. }
  788. /**
  789. * Performs different checks for attribute values.
  790. *
  791. * The currently implemented checks are "maxlen", "minlen", "maxval", "minval"
  792. * and "valueless".
  793. *
  794. * @since 1.0.0
  795. *
  796. * @param string $value Attribute value
  797. * @param string $vless Whether the value is valueless. Use 'y' or 'n'
  798. * @param string $checkname What $checkvalue is checking for.
  799. * @param mixed $checkvalue What constraint the value should pass
  800. * @return bool Whether check passes
  801. */
  802. function wp_kses_check_attr_val($value, $vless, $checkname, $checkvalue) {
  803. $ok = true;
  804. switch (strtolower($checkname)) {
  805. case 'maxlen' :
  806. # The maxlen check makes sure that the attribute value has a length not
  807. # greater than the given value. This can be used to avoid Buffer Overflows
  808. # in WWW clients and various Internet servers.
  809. if (strlen($value) > $checkvalue)
  810. $ok = false;
  811. break;
  812. case 'minlen' :
  813. # The minlen check makes sure that the attribute value has a length not
  814. # smaller than the given value.
  815. if (strlen($value) < $checkvalue)
  816. $ok = false;
  817. break;
  818. case 'maxval' :
  819. # The maxval check does two things: it checks that the attribute value is
  820. # an integer from 0 and up, without an excessive amount of zeroes or
  821. # whitespace (to avoid Buffer Overflows). It also checks that the attribute
  822. # value is not greater than the given value.
  823. # This check can be used to avoid Denial of Service attacks.
  824. if (!preg_match('/^\s{0,6}[0-9]{1,6}\s{0,6}$/', $value))
  825. $ok = false;
  826. if ($value > $checkvalue)
  827. $ok = false;
  828. break;
  829. case 'minval' :
  830. # The minval check makes sure that the attribute value is a positive integer,
  831. # and that it is not smaller than the given value.
  832. if (!preg_match('/^\s{0,6}[0-9]{1,6}\s{0,6}$/', $value))
  833. $ok = false;
  834. if ($value < $checkvalue)
  835. $ok = false;
  836. break;
  837. case 'valueless' :
  838. # The valueless check makes sure if the attribute has a value
  839. # (like <a href="blah">) or not (<option selected>). If the given value
  840. # is a "y" or a "Y", the attribute must not have a value.
  841. # If the given value is an "n" or an "N", the attribute must have one.
  842. if (strtolower($checkvalue) != $vless)
  843. $ok = false;
  844. break;
  845. } # switch
  846. return $ok;
  847. }
  848. /**
  849. * Sanitize string from bad protocols.
  850. *
  851. * This function removes all non-allowed protocols from the beginning of
  852. * $string. It ignores whitespace and the case of the letters, and it does
  853. * understand HTML entities. It does its work in a while loop, so it won't be
  854. * fooled by a string like "javascript:javascript:alert(57)".
  855. *
  856. * @since 1.0.0
  857. *
  858. * @param string $string Content to filter bad protocols from
  859. * @param array $allowed_protocols Allowed protocols to keep
  860. * @return string Filtered content
  861. */
  862. function wp_kses_bad_protocol($string, $allowed_protocols) {
  863. $string = wp_kses_no_null($string);
  864. $string2 = $string.'a';
  865. while ($string != $string2) {
  866. $string2 = $string;
  867. $string = wp_kses_bad_protocol_once($string, $allowed_protocols);
  868. } # while
  869. return $string;
  870. }
  871. /**
  872. * Removes any NULL characters in $string.
  873. *
  874. * @since 1.0.0
  875. *
  876. * @param string $string
  877. * @return string
  878. */
  879. function wp_kses_no_null($string) {
  880. $string = preg_replace('/\0+/', '', $string);
  881. $string = preg_replace('/(\\\\0)+/', '', $string);
  882. return $string;
  883. }
  884. /**
  885. * Strips slashes from in front of quotes.
  886. *
  887. * This function changes the character sequence \" to just ". It leaves all
  888. * other slashes alone. It's really weird, but the quoting from
  889. * preg_replace(//e) seems to require this.
  890. *
  891. * @since 1.0.0
  892. *
  893. * @param string $string String to strip slashes
  894. * @return string Fixed string with quoted slashes
  895. */
  896. function wp_kses_stripslashes($string) {
  897. return preg_replace('%\\\\"%', '"', $string);
  898. }
  899. /**
  900. * Goes through an array and changes the keys to all lower case.
  901. *
  902. * @since 1.0.0
  903. *
  904. * @param array $inarray Unfiltered array
  905. * @return array Fixed array with all lowercase keys
  906. */
  907. function wp_kses_array_lc($inarray) {
  908. $outarray = array ();
  909. foreach ( (array) $inarray as $inkey => $inval) {
  910. $outkey = strtolower($inkey);
  911. $outarray[$outkey] = array ();
  912. foreach ( (array) $inval as $inkey2 => $inval2) {
  913. $outkey2 = strtolower($inkey2);
  914. $outarray[$outkey][$outkey2] = $inval2;
  915. } # foreach $inval
  916. } # foreach $inarray
  917. return $outarray;
  918. }
  919. /**
  920. * Removes the HTML JavaScript entities found in early versions of Netscape 4.
  921. *
  922. * @since 1.0.0
  923. *
  924. * @param string $string
  925. * @return string
  926. */
  927. function wp_kses_js_entities($string) {
  928. return preg_replace('%&\s*\{[^}]*(\}\s*;?|$)%', '', $string);
  929. }
  930. /**
  931. * Handles parsing errors in wp_kses_hair().
  932. *
  933. * The general plan is to remove everything to and including some whitespace,
  934. * but it deals with quotes and apostrophes as well.
  935. *
  936. * @since 1.0.0
  937. *
  938. * @param string $string
  939. * @return string
  940. */
  941. function wp_kses_html_error($string) {
  942. return preg_replace('/^("[^"]*("|$)|\'[^\']*(\'|$)|\S)*\s*/', '', $string);
  943. }
  944. /**
  945. * Sanitizes content from bad protocols and other characters.
  946. *
  947. * This function searches for URL protocols at the beginning of $string, while
  948. * handling whitespace and HTML entities.
  949. *
  950. * @since 1.0.0
  951. *
  952. * @param string $string Content to check for bad protocols
  953. * @param string $allowed_protocols Allowed protocols
  954. * @return string Sanitized content
  955. */
  956. function wp_kses_bad_protocol_once($string, $allowed_protocols) {
  957. $string2 = preg_split( '/:|&#0*58;|&#x0*3a;/i', $string, 2 );
  958. if ( isset($string2[1]) && ! preg_match('%/\?%', $string2[0]) )
  959. $string = wp_kses_bad_protocol_once2( $string2[0], $allowed_protocols ) . trim( $string2[1] );
  960. return $string;
  961. }
  962. /**
  963. * Callback for wp_kses_bad_protocol_once() regular expression.
  964. *
  965. * This function processes URL protocols, checks to see if they're in the
  966. * whitelist or not, and returns different data depending on the answer.
  967. *
  968. * @access private
  969. * @since 1.0.0
  970. *
  971. * @param string $string URI scheme to check against the whitelist
  972. * @param string $allowed_protocols Allowed protocols
  973. * @return string Sanitized content
  974. */
  975. function wp_kses_bad_protocol_once2( $string, $allowed_protocols ) {
  976. $string2 = wp_kses_decode_entities($string);
  977. $string2 = preg_replace('/\s/', '', $string2);
  978. $string2 = wp_kses_no_null($string2);
  979. $string2 = strtolower($string2);
  980. $allowed = false;
  981. foreach ( (array) $allowed_protocols as $one_protocol )
  982. if ( strtolower($one_protocol) == $string2 ) {
  983. $allowed = true;
  984. break;
  985. }
  986. if ($allowed)
  987. return "$string2:";
  988. else
  989. return '';
  990. }
  991. /**
  992. * Converts and fixes HTML entities.
  993. *
  994. * This function normalizes HTML entities. It will convert "AT&T" to the correct
  995. * "AT&amp;T", "&#00058;" to "&#58;", "&#XYZZY;" to "&amp;#XYZZY;" and so on.
  996. *
  997. * @since 1.0.0
  998. *
  999. * @param string $string Content to normalize entities
  1000. * @return string Content with normalized entities
  1001. */
  1002. function wp_kses_normalize_entities($string) {
  1003. # Disarm all entities by converting & to &amp;
  1004. $string = str_replace('&', '&amp;', $string);
  1005. # Change back the allowed entities in our entity whitelist
  1006. $string = preg_replace_callback('/&amp;([A-Za-z]{2,8});/', 'wp_kses_named_entities', $string);
  1007. $string = preg_replace_callback('/&amp;#(0*[0-9]{1,7});/', 'wp_kses_normalize_entities2', $string);
  1008. $string = preg_replace_callback('/&amp;#[Xx](0*[0-9A-Fa-f]{1,6});/', 'wp_kses_normalize_entities3', $string);
  1009. return $string;
  1010. }
  1011. /**
  1012. * Callback for wp_kses_normalize_entities() regular expression.
  1013. *
  1014. * This function only accepts valid named entity references, which are finite,
  1015. * case-sensitive, and highly scrutinized by HTML and XML validators.
  1016. *
  1017. * @since 3.0.0
  1018. *
  1019. * @param array $matches preg_replace_callback() matches array
  1020. * @return string Correctly encoded entity
  1021. */
  1022. function wp_kses_named_entities($matches) {
  1023. global $allowedentitynames;
  1024. if ( empty($matches[1]) )
  1025. return '';
  1026. $i = $matches[1];
  1027. return ( ( ! in_array($i, $allowedentitynames) ) ? "&amp;$i;" : "&$i;" );
  1028. }
  1029. /**
  1030. * Callback for wp_kses_normalize_entities() regular expression.
  1031. *
  1032. * This function helps wp_kses_normalize_entities() to only accept 16-bit values
  1033. * and nothing more for &#number; entities.
  1034. *
  1035. * @access private
  1036. * @since 1.0.0
  1037. *
  1038. * @param array $matches preg_replace_callback() matches array
  1039. * @return string Correctly encoded entity
  1040. */
  1041. function wp_kses_normalize_entities2($matches) {
  1042. if ( empty($matches[1]) )
  1043. return '';
  1044. $i = $matches[1];
  1045. if (valid_unicode($i)) {
  1046. $i = str_pad(ltrim($i,'0'), 3, '0', STR_PAD_LEFT);
  1047. $i = "&#$i;";
  1048. } else {
  1049. $i = "&amp;#$i;";
  1050. }
  1051. return $i;
  1052. }
  1053. /**
  1054. * Callback for wp_kses_normalize_entities() for regular expression.
  1055. *
  1056. * This function helps wp_kses_normalize_entities() to only accept valid Unicode
  1057. * numeric entities in hex form.
  1058. *
  1059. * @access private
  1060. *
  1061. * @param array $matches preg_replace_callback() matches array
  1062. * @return string Correctly encoded entity
  1063. */
  1064. function wp_kses_normalize_entities3($matches) {
  1065. if ( empty($matches[1]) )
  1066. return '';
  1067. $hexchars = $matches[1];
  1068. return ( ( ! valid_unicode(hexdec($hexchars)) ) ? "&amp;#x$hexchars;" : '&#x'.ltrim($hexchars,'0').';' );
  1069. }
  1070. /**
  1071. * Helper function to determine if a Unicode value is valid.
  1072. *
  1073. * @param int $i Unicode value
  1074. * @return bool True if the value was a valid Unicode number
  1075. */
  1076. function valid_unicode($i) {
  1077. return ( $i == 0x9 || $i == 0xa || $i == 0xd ||
  1078. ($i >= 0x20 && $i <= 0xd7ff) ||
  1079. ($i >= 0xe000 && $i <= 0xfffd) ||
  1080. ($i >= 0x10000 && $i <= 0x10ffff) );
  1081. }
  1082. /**
  1083. * Convert all entities to their character counterparts.
  1084. *
  1085. * This function decodes numeric HTML entities (&#65; and &#x41;). It doesn't do
  1086. * anything with other entities like &auml;, but we don't need them in the URL
  1087. * protocol whitelisting system anyway.
  1088. *
  1089. * @since 1.0.0
  1090. *
  1091. * @param string $string Content to change entities
  1092. * @return string Content after decoded entities
  1093. */
  1094. function wp_kses_decode_entities($string) {
  1095. $string = preg_replace_callback('/&#([0-9]+);/', '_wp_kses_decode_entities_chr', $string);
  1096. $string = preg_replace_callback('/&#[Xx]([0-9A-Fa-f]+);/', '_wp_kses_decode_entities_chr_hexdec', $string);
  1097. return $string;
  1098. }
  1099. /**
  1100. * Regex callback for wp_kses_decode_entities()
  1101. *
  1102. * @param array $match preg match
  1103. * @return string
  1104. */
  1105. function _wp_kses_decode_entities_chr( $match ) {
  1106. return chr( $match[1] );
  1107. }
  1108. /**
  1109. * Regex callback for wp_kses_decode_entities()
  1110. *
  1111. * @param array $match preg match
  1112. * @return string
  1113. */
  1114. function _wp_kses_decode_entities_chr_hexdec( $match ) {
  1115. return chr( hexdec( $match[1] ) );
  1116. }
  1117. /**
  1118. * Sanitize content with allowed HTML Kses rules.
  1119. *
  1120. * @since 1.0.0
  1121. * @uses $allowedtags
  1122. *
  1123. * @param string $data Content to filter, expected to be escaped with slashes
  1124. * @return string Filtered content
  1125. */
  1126. function wp_filter_kses($data) {
  1127. global $allowedtags;
  1128. return addslashes( wp_kses(stripslashes( $data ), $allowedtags) );
  1129. }
  1130. /**
  1131. * Sanitize content with allowed HTML Kses rules.
  1132. *
  1133. * @since 2.9.0
  1134. * @uses $allowedtags
  1135. *
  1136. * @param string $data Content to filter, expected to not be escaped
  1137. * @return string Filtered content
  1138. */
  1139. function wp_kses_data($data) {
  1140. global $allowedtags;
  1141. return wp_kses( $data , $allowedtags );
  1142. }
  1143. /**
  1144. * Sanitize content for allowed HTML tags for post content.
  1145. *
  1146. * Post content refers to the page contents of the 'post' type and not $_POST
  1147. * data from forms.
  1148. *
  1149. * @since 2.0.0
  1150. * @uses $allowedposttags
  1151. *
  1152. * @param string $data Post content to filter, expected to be escaped with slashes
  1153. * @return string Filtered post content with allowed HTML tags and attributes intact.
  1154. */
  1155. function wp_filter_post_kses($data) {
  1156. global $allowedposttags;
  1157. return addslashes ( wp_kses(stripslashes( $data ), $allowedposttags) );
  1158. }
  1159. /**
  1160. * Sanitize content for allowed HTML tags for post content.
  1161. *
  1162. * Post content refers to the page contents of the 'post' type and not $_POST
  1163. * data from forms.
  1164. *
  1165. * @since 2.9.0
  1166. * @uses $allowedposttags
  1167. *
  1168. * @param string $data Post content to filter
  1169. * @return string Filtered post content with allowed HTML tags and attributes intact.
  1170. */
  1171. function wp_kses_post($data) {
  1172. global $allowedposttags;
  1173. return wp_kses( $data , $allowedposttags );
  1174. }
  1175. /**
  1176. * Strips all of the HTML in the content.
  1177. *
  1178. * @since 2.1.0
  1179. *
  1180. * @param string $data Content to strip all HTML from
  1181. * @return string Filtered content without any HTML
  1182. */
  1183. function wp_filter_nohtml_kses($data) {
  1184. return addslashes ( wp_kses(stripslashes( $data ), array()) );
  1185. }
  1186. /**
  1187. * Adds all Kses input form content filters.
  1188. *
  1189. * All hooks have default priority. The wp_filter_kses() function is added to
  1190. * the 'pre_comment_content' and 'title_save_pre' hooks.
  1191. *
  1192. * The wp_filter_post_kses() function is added to the 'content_save_pre',
  1193. * 'excerpt_save_pre', and 'content_filtered_save_pre' hooks.
  1194. *
  1195. * @since 2.0.0
  1196. * @uses add_filter() See description for what functions are added to what hooks.
  1197. */
  1198. function kses_init_filters() {
  1199. // Normal filtering.
  1200. add_filter('pre_comment_content', 'wp_filter_kses');
  1201. add_filter('title_save_pre', 'wp_filter_kses');
  1202. // Post filtering
  1203. add_filter('content_save_pre', 'wp_filter_post_kses');
  1204. add_filter('excerpt_save_pre', 'wp_filter_post_kses');
  1205. add_filter('content_filtered_save_pre', 'wp_filter_post_kses');
  1206. }
  1207. /**
  1208. * Removes all Kses input form content filters.
  1209. *
  1210. * A quick procedural method to removing all of the filters that kses uses for
  1211. * content in WordPress Loop.
  1212. *
  1213. * Does not remove the kses_init() function from 'init' hook (priority is
  1214. * default). Also does not remove kses_init() function from 'set_current_user'
  1215. * hook (priority is also default).
  1216. *
  1217. * @since 2.0.6
  1218. */
  1219. function kses_remove_filters() {
  1220. // Normal filtering.
  1221. remove_filter('pre_comment_content', 'wp_filter_kses');
  1222. remove_filter('title_save_pre', 'wp_filter_kses');
  1223. // Post filtering
  1224. remove_filter('content_save_pre', 'wp_filter_post_kses');
  1225. remove_filter('excerpt_save_pre', 'wp_filter_post_kses');
  1226. remove_filter('content_filtered_save_pre', 'wp_filter_post_kses');
  1227. }
  1228. /**
  1229. * Sets up most of the Kses filters for input form content.
  1230. *
  1231. * If you remove the kses_init() function from 'init' hook and
  1232. * 'set_current_user' (priority is default), then none of the Kses filter hooks
  1233. * will be added.
  1234. *
  1235. * First removes all of the Kses filters in case the current user does not need
  1236. * to have Kses filter the content. If the user does not have unfiltered_html
  1237. * capability, then Kses filters are added.
  1238. *
  1239. * @uses kses_remove_filters() Removes the Kses filters
  1240. * @uses kses_init_filters() Adds the Kses filters back if the user
  1241. * does not have unfiltered HTML capability.
  1242. * @since 2.0.0
  1243. */
  1244. function kses_init() {
  1245. kses_remove_filters();
  1246. if (current_user_can('unfiltered_html') == false)
  1247. kses_init_filters();
  1248. }
  1249. add_action('init', 'kses_init');
  1250. add_action('set_current_user', 'kses_init');
  1251. /**
  1252. * Inline CSS filter
  1253. *
  1254. * @since 2.8.1
  1255. */
  1256. function safecss_filter_attr( $css, $deprecated = '' ) {
  1257. if ( !empty( $deprecated ) )
  1258. _deprecated_argument( __FUNCTION__, '2.8.1' ); // Never implemented
  1259. $css = wp_kses_no_null($css);
  1260. $css = str_replace(array("\n","\r","\t"), '', $css);
  1261. if ( preg_match( '%[\\(&=}]|/\*%', $css ) ) // remove any inline css containing \ ( & } = or comments
  1262. return '';
  1263. $css_array = explode( ';', trim( $css ) );
  1264. $allowed_attr = apply_filters( 'safe_style_css', array( 'text-align', 'margin', 'color', 'float',
  1265. 'border', 'background', 'background-color', 'border-bottom', 'border-bottom-color',
  1266. 'border-bottom-style', 'border-bottom-width', 'border-collapse', 'border-color', 'border-left',
  1267. 'border-left-color', 'border-left-style', 'border-left-width', 'border-right', 'border-right-color',
  1268. 'border-right-style', 'border-right-width', 'border-spacing', 'border-style', 'border-top',
  1269. 'border-top-color', 'border-top-style', 'border-top-width', 'border-width', 'caption-side',
  1270. 'clear', 'cursor', 'direction', 'font', 'font-family', 'font-size', 'font-style',
  1271. 'font-variant', 'font-weight', 'height', 'letter-spacing', 'line-height', 'margin-bottom',
  1272. 'margin-left', 'margin-right', 'margin-top', 'overflow', 'padding', 'padding-bottom',
  1273. 'padding-left', 'padding-right', 'padding-top', 'text-decoration', 'text-indent', 'vertical-align',
  1274. 'width' ) );
  1275. if ( empty($allowed_attr) )
  1276. return $css;
  1277. $css = '';
  1278. foreach ( $css_array as $css_item ) {
  1279. if ( $css_item == '' )
  1280. continue;
  1281. $css_item = trim( $css_item );
  1282. $found = false;
  1283. if ( strpos( $css_item, ':' ) === false ) {
  1284. $found = true;
  1285. } else {
  1286. $parts = split( ':', $css_item );
  1287. if ( in_array( trim( $parts[0] ), $allowed_attr ) )
  1288. $found = true;
  1289. }
  1290. if ( $found ) {
  1291. if( $css != '' )
  1292. $css .= ';';
  1293. $css .= $css_item;
  1294. }
  1295. }
  1296. return $css;
  1297. }