PageRenderTime 66ms CodeModel.GetById 27ms RepoModel.GetById 0ms app.codeStats 0ms

/wp-includes/kses.php

https://bitbucket.org/abnopanda/wordpress
PHP | 1473 lines | 909 code | 113 blank | 451 comment | 89 complexity | 4ea4529560263d9907c331f8c89ca3c7 MD5 | raw file
  1. <?php
  2. /**
  3. * kses 0.2.2 - HTML/XHTML filter that only allows some elements and attributes
  4. * Copyright (C) 2002, 2003, 2005 Ulf Harnhammar
  5. *
  6. * This program is free software and open source software; you can redistribute
  7. * it and/or modify it under the terms of the GNU General Public License as
  8. * published by the Free Software Foundation; either version 2 of the License,
  9. * or (at your option) any later version.
  10. *
  11. * This program is distributed in the hope that it will be useful, but WITHOUT
  12. * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13. * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
  14. * more details.
  15. *
  16. * You should have received a copy of the GNU General Public License along
  17. * with this program; if not, write to the Free Software Foundation, Inc.,
  18. * 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
  19. * http://www.gnu.org/licenses/gpl.html
  20. *
  21. * [kses strips evil scripts!]
  22. *
  23. * Added wp_ prefix to avoid conflicts with existing kses users
  24. *
  25. * @version 0.2.2
  26. * @copyright (C) 2002, 2003, 2005
  27. * @author Ulf Harnhammar <http://advogato.org/person/metaur/>
  28. *
  29. * @package External
  30. * @subpackage KSES
  31. *
  32. */
  33. /**
  34. * You can override this in a plugin.
  35. *
  36. * The wp_kses_allowed_html filter is more powerful and supplies context.
  37. * CUSTOM_TAGS is not recommended and should be considered deprecated.
  38. *
  39. * @see wp_kses_allowed_html()
  40. *
  41. * @since 1.2.0
  42. */
  43. if ( ! defined( 'CUSTOM_TAGS' ) )
  44. define( 'CUSTOM_TAGS', false );
  45. if ( ! CUSTOM_TAGS ) {
  46. /**
  47. * Kses global for default allowable HTML tags.
  48. *
  49. * Can be override by using CUSTOM_TAGS constant.
  50. *
  51. * @global array $allowedposttags
  52. * @since 2.0.0
  53. */
  54. $allowedposttags = array(
  55. 'address' => array(),
  56. 'a' => array(
  57. 'href' => true,
  58. 'rel' => true,
  59. 'rev' => true,
  60. 'name' => true,
  61. 'target' => true,
  62. ),
  63. 'abbr' => array(),
  64. 'acronym' => array(),
  65. 'area' => array(
  66. 'alt' => true,
  67. 'coords' => true,
  68. 'href' => true,
  69. 'nohref' => true,
  70. 'shape' => true,
  71. 'target' => true,
  72. ),
  73. 'article' => array(
  74. 'align' => true,
  75. 'dir' => true,
  76. 'lang' => true,
  77. 'xml:lang' => true,
  78. ),
  79. 'aside' => array(
  80. 'align' => true,
  81. 'dir' => true,
  82. 'lang' => true,
  83. 'xml:lang' => true,
  84. ),
  85. 'b' => array(),
  86. 'big' => array(),
  87. 'blockquote' => array(
  88. 'cite' => true,
  89. 'lang' => true,
  90. 'xml:lang' => true,
  91. ),
  92. 'br' => array(),
  93. 'button' => array(
  94. 'disabled' => true,
  95. 'name' => true,
  96. 'type' => true,
  97. 'value' => true,
  98. ),
  99. 'caption' => array(
  100. 'align' => true,
  101. ),
  102. 'cite' => array(
  103. 'dir' => true,
  104. 'lang' => true,
  105. ),
  106. 'code' => array(),
  107. 'col' => array(
  108. 'align' => true,
  109. 'char' => true,
  110. 'charoff' => true,
  111. 'span' => true,
  112. 'dir' => true,
  113. 'valign' => true,
  114. 'width' => true,
  115. ),
  116. 'del' => array(
  117. 'datetime' => true,
  118. ),
  119. 'dd' => array(),
  120. 'details' => array(
  121. 'align' => true,
  122. 'dir' => true,
  123. 'lang' => true,
  124. 'open' => true,
  125. 'xml:lang' => true,
  126. ),
  127. 'div' => array(
  128. 'align' => true,
  129. 'dir' => true,
  130. 'lang' => true,
  131. 'xml:lang' => true,
  132. ),
  133. 'dl' => array(),
  134. 'dt' => array(),
  135. 'em' => array(),
  136. 'fieldset' => array(),
  137. 'figure' => array(
  138. 'align' => true,
  139. 'dir' => true,
  140. 'lang' => true,
  141. 'xml:lang' => true,
  142. ),
  143. 'figcaption' => array(
  144. 'align' => true,
  145. 'dir' => true,
  146. 'lang' => true,
  147. 'xml:lang' => true,
  148. ),
  149. 'font' => array(
  150. 'color' => true,
  151. 'face' => true,
  152. 'size' => true,
  153. ),
  154. 'footer' => array(
  155. 'align' => true,
  156. 'dir' => true,
  157. 'lang' => true,
  158. 'xml:lang' => true,
  159. ),
  160. 'form' => array(
  161. 'action' => true,
  162. 'accept' => true,
  163. 'accept-charset' => true,
  164. 'enctype' => true,
  165. 'method' => true,
  166. 'name' => true,
  167. 'target' => true,
  168. ),
  169. 'h1' => array(
  170. 'align' => true,
  171. ),
  172. 'h2' => array(
  173. 'align' => true,
  174. ),
  175. 'h3' => array(
  176. 'align' => true,
  177. ),
  178. 'h4' => array(
  179. 'align' => true,
  180. ),
  181. 'h5' => array(
  182. 'align' => true,
  183. ),
  184. 'h6' => array(
  185. 'align' => true,
  186. ),
  187. 'header' => array(
  188. 'align' => true,
  189. 'dir' => true,
  190. 'lang' => true,
  191. 'xml:lang' => true,
  192. ),
  193. 'hgroup' => array(
  194. 'align' => true,
  195. 'dir' => true,
  196. 'lang' => true,
  197. 'xml:lang' => true,
  198. ),
  199. 'hr' => array(
  200. 'align' => true,
  201. 'noshade' => true,
  202. 'size' => true,
  203. 'width' => true,
  204. ),
  205. 'i' => array(),
  206. 'img' => array(
  207. 'alt' => true,
  208. 'align' => true,
  209. 'border' => true,
  210. 'height' => true,
  211. 'hspace' => true,
  212. 'longdesc' => true,
  213. 'vspace' => true,
  214. 'src' => true,
  215. 'usemap' => true,
  216. 'width' => true,
  217. ),
  218. 'ins' => array(
  219. 'datetime' => true,
  220. 'cite' => true,
  221. ),
  222. 'kbd' => array(),
  223. 'label' => array(
  224. 'for' => true,
  225. ),
  226. 'legend' => array(
  227. 'align' => true,
  228. ),
  229. 'li' => array(
  230. 'align' => true,
  231. ),
  232. 'map' => array(
  233. 'name' => true,
  234. ),
  235. 'menu' => array(
  236. 'type' => true,
  237. ),
  238. 'nav' => array(
  239. 'align' => true,
  240. 'dir' => true,
  241. 'lang' => true,
  242. 'xml:lang' => true,
  243. ),
  244. 'p' => array(
  245. 'align' => true,
  246. 'dir' => true,
  247. 'lang' => true,
  248. 'xml:lang' => true,
  249. ),
  250. 'pre' => array(
  251. 'width' => true,
  252. ),
  253. 'q' => array(
  254. 'cite' => true,
  255. ),
  256. 's' => array(),
  257. 'span' => array(
  258. 'dir' => true,
  259. 'align' => true,
  260. 'lang' => true,
  261. 'xml:lang' => true,
  262. ),
  263. 'section' => array(
  264. 'align' => true,
  265. 'dir' => true,
  266. 'lang' => true,
  267. 'xml:lang' => true,
  268. ),
  269. 'small' => array(),
  270. 'strike' => array(),
  271. 'strong' => array(),
  272. 'sub' => array(),
  273. 'summary' => array(
  274. 'align' => true,
  275. 'dir' => true,
  276. 'lang' => true,
  277. 'xml:lang' => true,
  278. ),
  279. 'sup' => array(),
  280. 'table' => array(
  281. 'align' => true,
  282. 'bgcolor' => true,
  283. 'border' => true,
  284. 'cellpadding' => true,
  285. 'cellspacing' => true,
  286. 'dir' => true,
  287. 'rules' => true,
  288. 'summary' => true,
  289. 'width' => true,
  290. ),
  291. 'tbody' => array(
  292. 'align' => true,
  293. 'char' => true,
  294. 'charoff' => true,
  295. 'valign' => true,
  296. ),
  297. 'td' => array(
  298. 'abbr' => true,
  299. 'align' => true,
  300. 'axis' => true,
  301. 'bgcolor' => true,
  302. 'char' => true,
  303. 'charoff' => true,
  304. 'colspan' => true,
  305. 'dir' => true,
  306. 'headers' => true,
  307. 'height' => true,
  308. 'nowrap' => true,
  309. 'rowspan' => true,
  310. 'scope' => true,
  311. 'valign' => true,
  312. 'width' => true,
  313. ),
  314. 'textarea' => array(
  315. 'cols' => true,
  316. 'rows' => true,
  317. 'disabled' => true,
  318. 'name' => true,
  319. 'readonly' => true,
  320. ),
  321. 'tfoot' => array(
  322. 'align' => true,
  323. 'char' => true,
  324. 'charoff' => true,
  325. 'valign' => true,
  326. ),
  327. 'th' => array(
  328. 'abbr' => true,
  329. 'align' => true,
  330. 'axis' => true,
  331. 'bgcolor' => true,
  332. 'char' => true,
  333. 'charoff' => true,
  334. 'colspan' => true,
  335. 'headers' => true,
  336. 'height' => true,
  337. 'nowrap' => true,
  338. 'rowspan' => true,
  339. 'scope' => true,
  340. 'valign' => true,
  341. 'width' => true,
  342. ),
  343. 'thead' => array(
  344. 'align' => true,
  345. 'char' => true,
  346. 'charoff' => true,
  347. 'valign' => true,
  348. ),
  349. 'title' => array(),
  350. 'tr' => array(
  351. 'align' => true,
  352. 'bgcolor' => true,
  353. 'char' => true,
  354. 'charoff' => true,
  355. 'valign' => true,
  356. ),
  357. 'tt' => array(),
  358. 'u' => array(),
  359. 'ul' => array(
  360. 'type' => true,
  361. ),
  362. 'ol' => array(
  363. 'start' => true,
  364. 'type' => true,
  365. ),
  366. 'var' => array(),
  367. );
  368. /**
  369. * Kses allowed HTML elements.
  370. *
  371. * @global array $allowedtags
  372. * @since 1.0.0
  373. */
  374. $allowedtags = array(
  375. 'a' => array(
  376. 'href' => true,
  377. 'title' => true,
  378. ),
  379. 'abbr' => array(
  380. 'title' => true,
  381. ),
  382. 'acronym' => array(
  383. 'title' => true,
  384. ),
  385. 'b' => array(),
  386. 'blockquote' => array(
  387. 'cite' => true,
  388. ),
  389. 'cite' => array(),
  390. 'code' => array(),
  391. 'del' => array(
  392. 'datetime' => true,
  393. ),
  394. 'em' => array(),
  395. 'i' => array(),
  396. 'q' => array(
  397. 'cite' => true,
  398. ),
  399. 'strike' => array(),
  400. 'strong' => array(),
  401. );
  402. $allowedentitynames = array(
  403. 'nbsp', 'iexcl', 'cent', 'pound', 'curren', 'yen',
  404. 'brvbar', 'sect', 'uml', 'copy', 'ordf', 'laquo',
  405. 'not', 'shy', 'reg', 'macr', 'deg', 'plusmn',
  406. 'acute', 'micro', 'para', 'middot', 'cedil', 'ordm',
  407. 'raquo', 'iquest', 'Agrave', 'Aacute', 'Acirc', 'Atilde',
  408. 'Auml', 'Aring', 'AElig', 'Ccedil', 'Egrave', 'Eacute',
  409. 'Ecirc', 'Euml', 'Igrave', 'Iacute', 'Icirc', 'Iuml',
  410. 'ETH', 'Ntilde', 'Ograve', 'Oacute', 'Ocirc', 'Otilde',
  411. 'Ouml', 'times', 'Oslash', 'Ugrave', 'Uacute', 'Ucirc',
  412. 'Uuml', 'Yacute', 'THORN', 'szlig', 'agrave', 'aacute',
  413. 'acirc', 'atilde', 'auml', 'aring', 'aelig', 'ccedil',
  414. 'egrave', 'eacute', 'ecirc', 'euml', 'igrave', 'iacute',
  415. 'icirc', 'iuml', 'eth', 'ntilde', 'ograve', 'oacute',
  416. 'ocirc', 'otilde', 'ouml', 'divide', 'oslash', 'ugrave',
  417. 'uacute', 'ucirc', 'uuml', 'yacute', 'thorn', 'yuml',
  418. 'quot', 'amp', 'lt', 'gt', 'apos', 'OElig',
  419. 'oelig', 'Scaron', 'scaron', 'Yuml', 'circ', 'tilde',
  420. 'ensp', 'emsp', 'thinsp', 'zwnj', 'zwj', 'lrm',
  421. 'rlm', 'ndash', 'mdash', 'lsquo', 'rsquo', 'sbquo',
  422. 'ldquo', 'rdquo', 'bdquo', 'dagger', 'Dagger', 'permil',
  423. 'lsaquo', 'rsaquo', 'euro', 'fnof', 'Alpha', 'Beta',
  424. 'Gamma', 'Delta', 'Epsilon', 'Zeta', 'Eta', 'Theta',
  425. 'Iota', 'Kappa', 'Lambda', 'Mu', 'Nu', 'Xi',
  426. 'Omicron', 'Pi', 'Rho', 'Sigma', 'Tau', 'Upsilon',
  427. 'Phi', 'Chi', 'Psi', 'Omega', 'alpha', 'beta',
  428. 'gamma', 'delta', 'epsilon', 'zeta', 'eta', 'theta',
  429. 'iota', 'kappa', 'lambda', 'mu', 'nu', 'xi',
  430. 'omicron', 'pi', 'rho', 'sigmaf', 'sigma', 'tau',
  431. 'upsilon', 'phi', 'chi', 'psi', 'omega', 'thetasym',
  432. 'upsih', 'piv', 'bull', 'hellip', 'prime', 'Prime',
  433. 'oline', 'frasl', 'weierp', 'image', 'real', 'trade',
  434. 'alefsym', 'larr', 'uarr', 'rarr', 'darr', 'harr',
  435. 'crarr', 'lArr', 'uArr', 'rArr', 'dArr', 'hArr',
  436. 'forall', 'part', 'exist', 'empty', 'nabla', 'isin',
  437. 'notin', 'ni', 'prod', 'sum', 'minus', 'lowast',
  438. 'radic', 'prop', 'infin', 'ang', 'and', 'or',
  439. 'cap', 'cup', 'int', 'sim', 'cong', 'asymp',
  440. 'ne', 'equiv', 'le', 'ge', 'sub', 'sup',
  441. 'nsub', 'sube', 'supe', 'oplus', 'otimes', 'perp',
  442. 'sdot', 'lceil', 'rceil', 'lfloor', 'rfloor', 'lang',
  443. 'rang', 'loz', 'spades', 'clubs', 'hearts', 'diams',
  444. );
  445. $allowedposttags = array_map( '_wp_add_global_attributes', $allowedposttags );
  446. } else {
  447. $allowedtags = wp_kses_array_lc( $allowedtags );
  448. $allowedposttags = wp_kses_array_lc( $allowedposttags );
  449. }
  450. /**
  451. * Filters content and keeps only allowable HTML elements.
  452. *
  453. * This function makes sure that only the allowed HTML element names, attribute
  454. * names and attribute values plus only sane HTML entities will occur in
  455. * $string. You have to remove any slashes from PHP's magic quotes before you
  456. * call this function.
  457. *
  458. * The default allowed protocols are 'http', 'https', 'ftp', 'mailto', 'news',
  459. * 'irc', 'gopher', 'nntp', 'feed', 'telnet, 'mms', 'rtsp' and 'svn'. This
  460. * covers all common link protocols, except for 'javascript' which should not
  461. * be allowed for untrusted users.
  462. *
  463. * @since 1.0.0
  464. *
  465. * @param string $string Content to filter through kses
  466. * @param array $allowed_html List of allowed HTML elements
  467. * @param array $allowed_protocols Optional. Allowed protocol in links.
  468. * @return string Filtered content with only allowed HTML elements
  469. */
  470. function wp_kses( $string, $allowed_html, $allowed_protocols = array() ) {
  471. if ( empty( $allowed_protocols ) )
  472. $allowed_protocols = wp_allowed_protocols();
  473. $string = wp_kses_no_null($string);
  474. $string = wp_kses_js_entities($string);
  475. $string = wp_kses_normalize_entities($string);
  476. $string = wp_kses_hook($string, $allowed_html, $allowed_protocols); // WP changed the order of these funcs and added args to wp_kses_hook
  477. return wp_kses_split($string, $allowed_html, $allowed_protocols);
  478. }
  479. /**
  480. * Return a list of allowed tags and attributes for a given context.
  481. *
  482. * @since 3.5.0
  483. *
  484. * @param string $context The context for which to retrieve tags. Allowed values are
  485. * post | strip | data | entities or the name of a field filter such as pre_user_description.
  486. * @return array List of allowed tags and their allowed attributes.
  487. */
  488. function wp_kses_allowed_html( $context = '' ) {
  489. global $allowedposttags, $allowedtags, $allowedentitynames;
  490. if ( is_array( $context ) )
  491. return apply_filters( 'wp_kses_allowed_html', $context, 'explicit' );
  492. switch ( $context ) {
  493. case 'post':
  494. return apply_filters( 'wp_kses_allowed_html', $allowedposttags, $context );
  495. break;
  496. case 'user_description':
  497. case 'pre_user_description':
  498. $tags = $allowedtags;
  499. $tags['a']['rel'] = true;
  500. return apply_filters( 'wp_kses_allowed_html', $tags, $context );
  501. break;
  502. case 'strip':
  503. return apply_filters( 'wp_kses_allowed_html', array(), $context );
  504. break;
  505. case 'entities':
  506. return apply_filters( 'wp_kses_allowed_html', $allowedentitynames, $context);
  507. break;
  508. case 'data':
  509. default:
  510. return apply_filters( 'wp_kses_allowed_html', $allowedtags, $context );
  511. }
  512. }
  513. /**
  514. * You add any kses hooks here.
  515. *
  516. * There is currently only one kses WordPress hook and it is called here. All
  517. * parameters are passed to the hooks and expected to receive a string.
  518. *
  519. * @since 1.0.0
  520. *
  521. * @param string $string Content to filter through kses
  522. * @param array $allowed_html List of allowed HTML elements
  523. * @param array $allowed_protocols Allowed protocol in links
  524. * @return string Filtered content through 'pre_kses' hook
  525. */
  526. function wp_kses_hook( $string, $allowed_html, $allowed_protocols ) {
  527. $string = apply_filters('pre_kses', $string, $allowed_html, $allowed_protocols);
  528. return $string;
  529. }
  530. /**
  531. * This function returns kses' version number.
  532. *
  533. * @since 1.0.0
  534. *
  535. * @return string KSES Version Number
  536. */
  537. function wp_kses_version() {
  538. return '0.2.2';
  539. }
  540. /**
  541. * Searches for HTML tags, no matter how malformed.
  542. *
  543. * It also matches stray ">" characters.
  544. *
  545. * @since 1.0.0
  546. *
  547. * @param string $string Content to filter
  548. * @param array $allowed_html Allowed HTML elements
  549. * @param array $allowed_protocols Allowed protocols to keep
  550. * @return string Content with fixed HTML tags
  551. */
  552. function wp_kses_split( $string, $allowed_html, $allowed_protocols ) {
  553. global $pass_allowed_html, $pass_allowed_protocols;
  554. $pass_allowed_html = $allowed_html;
  555. $pass_allowed_protocols = $allowed_protocols;
  556. return preg_replace_callback( '%(<!--.*?(-->|$))|(<[^>]*(>|$)|>)%', '_wp_kses_split_callback', $string );
  557. }
  558. /**
  559. * Callback for wp_kses_split.
  560. *
  561. * @since 3.1.0
  562. * @access private
  563. */
  564. function _wp_kses_split_callback( $match ) {
  565. global $pass_allowed_html, $pass_allowed_protocols;
  566. return wp_kses_split2( $match[0], $pass_allowed_html, $pass_allowed_protocols );
  567. }
  568. /**
  569. * Callback for wp_kses_split for fixing malformed HTML tags.
  570. *
  571. * This function does a lot of work. It rejects some very malformed things like
  572. * <:::>. It returns an empty string, if the element isn't allowed (look ma, no
  573. * strip_tags()!). Otherwise it splits the tag into an element and an attribute
  574. * list.
  575. *
  576. * After the tag is split into an element and an attribute list, it is run
  577. * through another filter which will remove illegal attributes and once that is
  578. * completed, will be returned.
  579. *
  580. * @access private
  581. * @since 1.0.0
  582. * @uses wp_kses_attr()
  583. *
  584. * @param string $string Content to filter
  585. * @param array $allowed_html Allowed HTML elements
  586. * @param array $allowed_protocols Allowed protocols to keep
  587. * @return string Fixed HTML element
  588. */
  589. function wp_kses_split2($string, $allowed_html, $allowed_protocols) {
  590. $string = wp_kses_stripslashes($string);
  591. if (substr($string, 0, 1) != '<')
  592. return '&gt;';
  593. # It matched a ">" character
  594. if ( '<!--' == substr( $string, 0, 4 ) ) {
  595. $string = str_replace( array('<!--', '-->'), '', $string );
  596. while ( $string != ($newstring = wp_kses($string, $allowed_html, $allowed_protocols)) )
  597. $string = $newstring;
  598. if ( $string == '' )
  599. return '';
  600. // prevent multiple dashes in comments
  601. $string = preg_replace('/--+/', '-', $string);
  602. // prevent three dashes closing a comment
  603. $string = preg_replace('/-$/', '', $string);
  604. return "<!--{$string}-->";
  605. }
  606. # Allow HTML comments
  607. if (!preg_match('%^<\s*(/\s*)?([a-zA-Z0-9]+)([^>]*)>?$%', $string, $matches))
  608. return '';
  609. # It's seriously malformed
  610. $slash = trim($matches[1]);
  611. $elem = $matches[2];
  612. $attrlist = $matches[3];
  613. if ( ! is_array( $allowed_html ) )
  614. $allowed_html = wp_kses_allowed_html( $allowed_html );
  615. if ( ! isset($allowed_html[strtolower($elem)]) )
  616. return '';
  617. # They are using a not allowed HTML element
  618. if ($slash != '')
  619. return "</$elem>";
  620. # No attributes are allowed for closing elements
  621. return wp_kses_attr( $elem, $attrlist, $allowed_html, $allowed_protocols );
  622. }
  623. /**
  624. * Removes all attributes, if none are allowed for this element.
  625. *
  626. * If some are allowed it calls wp_kses_hair() to split them further, and then
  627. * it builds up new HTML code from the data that kses_hair() returns. It also
  628. * removes "<" and ">" characters, if there are any left. One more thing it does
  629. * is to check if the tag has a closing XHTML slash, and if it does, it puts one
  630. * in the returned code as well.
  631. *
  632. * @since 1.0.0
  633. *
  634. * @param string $element HTML element/tag
  635. * @param string $attr HTML attributes from HTML element to closing HTML element tag
  636. * @param array $allowed_html Allowed HTML elements
  637. * @param array $allowed_protocols Allowed protocols to keep
  638. * @return string Sanitized HTML element
  639. */
  640. function wp_kses_attr($element, $attr, $allowed_html, $allowed_protocols) {
  641. # Is there a closing XHTML slash at the end of the attributes?
  642. if ( ! is_array( $allowed_html ) )
  643. $allowed_html = wp_kses_allowed_html( $allowed_html );
  644. $xhtml_slash = '';
  645. if (preg_match('%\s*/\s*$%', $attr))
  646. $xhtml_slash = ' /';
  647. # Are any attributes allowed at all for this element?
  648. if ( ! isset($allowed_html[strtolower($element)]) || count($allowed_html[strtolower($element)]) == 0 )
  649. return "<$element$xhtml_slash>";
  650. # Split it
  651. $attrarr = wp_kses_hair($attr, $allowed_protocols);
  652. # Go through $attrarr, and save the allowed attributes for this element
  653. # in $attr2
  654. $attr2 = '';
  655. $allowed_attr = $allowed_html[strtolower($element)];
  656. foreach ($attrarr as $arreach) {
  657. if ( ! isset( $allowed_attr[strtolower($arreach['name'])] ) )
  658. continue; # the attribute is not allowed
  659. $current = $allowed_attr[strtolower($arreach['name'])];
  660. if ( $current == '' )
  661. continue; # the attribute is not allowed
  662. if ( strtolower( $arreach['name'] ) == 'style' ) {
  663. $orig_value = $arreach['value'];
  664. $value = safecss_filter_attr( $orig_value );
  665. if ( empty( $value ) )
  666. continue;
  667. $arreach['value'] = $value;
  668. $arreach['whole'] = str_replace( $orig_value, $value, $arreach['whole'] );
  669. }
  670. if ( ! is_array($current) ) {
  671. $attr2 .= ' '.$arreach['whole'];
  672. # there are no checks
  673. } else {
  674. # there are some checks
  675. $ok = true;
  676. foreach ($current as $currkey => $currval) {
  677. if ( ! wp_kses_check_attr_val($arreach['value'], $arreach['vless'], $currkey, $currval) ) {
  678. $ok = false;
  679. break;
  680. }
  681. }
  682. if ( $ok )
  683. $attr2 .= ' '.$arreach['whole']; # it passed them
  684. } # if !is_array($current)
  685. } # foreach
  686. # Remove any "<" or ">" characters
  687. $attr2 = preg_replace('/[<>]/', '', $attr2);
  688. return "<$element$attr2$xhtml_slash>";
  689. }
  690. /**
  691. * Builds an attribute list from string containing attributes.
  692. *
  693. * This function does a lot of work. It parses an attribute list into an array
  694. * with attribute data, and tries to do the right thing even if it gets weird
  695. * input. It will add quotes around attribute values that don't have any quotes
  696. * or apostrophes around them, to make it easier to produce HTML code that will
  697. * conform to W3C's HTML specification. It will also remove bad URL protocols
  698. * from attribute values. It also reduces duplicate attributes by using the
  699. * attribute defined first (foo='bar' foo='baz' will result in foo='bar').
  700. *
  701. * @since 1.0.0
  702. *
  703. * @param string $attr Attribute list from HTML element to closing HTML element tag
  704. * @param array $allowed_protocols Allowed protocols to keep
  705. * @return array List of attributes after parsing
  706. */
  707. function wp_kses_hair($attr, $allowed_protocols) {
  708. $attrarr = array();
  709. $mode = 0;
  710. $attrname = '';
  711. $uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');
  712. # Loop through the whole attribute list
  713. while (strlen($attr) != 0) {
  714. $working = 0; # Was the last operation successful?
  715. switch ($mode) {
  716. case 0 : # attribute name, href for instance
  717. if (preg_match('/^([-a-zA-Z]+)/', $attr, $match)) {
  718. $attrname = $match[1];
  719. $working = $mode = 1;
  720. $attr = preg_replace('/^[-a-zA-Z]+/', '', $attr);
  721. }
  722. break;
  723. case 1 : # equals sign or valueless ("selected")
  724. if (preg_match('/^\s*=\s*/', $attr)) # equals sign
  725. {
  726. $working = 1;
  727. $mode = 2;
  728. $attr = preg_replace('/^\s*=\s*/', '', $attr);
  729. break;
  730. }
  731. if (preg_match('/^\s+/', $attr)) # valueless
  732. {
  733. $working = 1;
  734. $mode = 0;
  735. if(false === array_key_exists($attrname, $attrarr)) {
  736. $attrarr[$attrname] = array ('name' => $attrname, 'value' => '', 'whole' => $attrname, 'vless' => 'y');
  737. }
  738. $attr = preg_replace('/^\s+/', '', $attr);
  739. }
  740. break;
  741. case 2 : # attribute value, a URL after href= for instance
  742. if (preg_match('%^"([^"]*)"(\s+|/?$)%', $attr, $match))
  743. # "value"
  744. {
  745. $thisval = $match[1];
  746. if ( in_array(strtolower($attrname), $uris) )
  747. $thisval = wp_kses_bad_protocol($thisval, $allowed_protocols);
  748. if(false === array_key_exists($attrname, $attrarr)) {
  749. $attrarr[$attrname] = array ('name' => $attrname, 'value' => $thisval, 'whole' => "$attrname=\"$thisval\"", 'vless' => 'n');
  750. }
  751. $working = 1;
  752. $mode = 0;
  753. $attr = preg_replace('/^"[^"]*"(\s+|$)/', '', $attr);
  754. break;
  755. }
  756. if (preg_match("%^'([^']*)'(\s+|/?$)%", $attr, $match))
  757. # 'value'
  758. {
  759. $thisval = $match[1];
  760. if ( in_array(strtolower($attrname), $uris) )
  761. $thisval = wp_kses_bad_protocol($thisval, $allowed_protocols);
  762. if(false === array_key_exists($attrname, $attrarr)) {
  763. $attrarr[$attrname] = array ('name' => $attrname, 'value' => $thisval, 'whole' => "$attrname='$thisval'", 'vless' => 'n');
  764. }
  765. $working = 1;
  766. $mode = 0;
  767. $attr = preg_replace("/^'[^']*'(\s+|$)/", '', $attr);
  768. break;
  769. }
  770. if (preg_match("%^([^\s\"']+)(\s+|/?$)%", $attr, $match))
  771. # value
  772. {
  773. $thisval = $match[1];
  774. if ( in_array(strtolower($attrname), $uris) )
  775. $thisval = wp_kses_bad_protocol($thisval, $allowed_protocols);
  776. if(false === array_key_exists($attrname, $attrarr)) {
  777. $attrarr[$attrname] = array ('name' => $attrname, 'value' => $thisval, 'whole' => "$attrname=\"$thisval\"", 'vless' => 'n');
  778. }
  779. # We add quotes to conform to W3C's HTML spec.
  780. $working = 1;
  781. $mode = 0;
  782. $attr = preg_replace("%^[^\s\"']+(\s+|$)%", '', $attr);
  783. }
  784. break;
  785. } # switch
  786. if ($working == 0) # not well formed, remove and try again
  787. {
  788. $attr = wp_kses_html_error($attr);
  789. $mode = 0;
  790. }
  791. } # while
  792. if ($mode == 1 && false === array_key_exists($attrname, $attrarr))
  793. # special case, for when the attribute list ends with a valueless
  794. # attribute like "selected"
  795. $attrarr[$attrname] = array ('name' => $attrname, 'value' => '', 'whole' => $attrname, 'vless' => 'y');
  796. return $attrarr;
  797. }
  798. /**
  799. * Performs different checks for attribute values.
  800. *
  801. * The currently implemented checks are "maxlen", "minlen", "maxval", "minval"
  802. * and "valueless".
  803. *
  804. * @since 1.0.0
  805. *
  806. * @param string $value Attribute value
  807. * @param string $vless Whether the value is valueless. Use 'y' or 'n'
  808. * @param string $checkname What $checkvalue is checking for.
  809. * @param mixed $checkvalue What constraint the value should pass
  810. * @return bool Whether check passes
  811. */
  812. function wp_kses_check_attr_val($value, $vless, $checkname, $checkvalue) {
  813. $ok = true;
  814. switch (strtolower($checkname)) {
  815. case 'maxlen' :
  816. # The maxlen check makes sure that the attribute value has a length not
  817. # greater than the given value. This can be used to avoid Buffer Overflows
  818. # in WWW clients and various Internet servers.
  819. if (strlen($value) > $checkvalue)
  820. $ok = false;
  821. break;
  822. case 'minlen' :
  823. # The minlen check makes sure that the attribute value has a length not
  824. # smaller than the given value.
  825. if (strlen($value) < $checkvalue)
  826. $ok = false;
  827. break;
  828. case 'maxval' :
  829. # The maxval check does two things: it checks that the attribute value is
  830. # an integer from 0 and up, without an excessive amount of zeroes or
  831. # whitespace (to avoid Buffer Overflows). It also checks that the attribute
  832. # value is not greater than the given value.
  833. # This check can be used to avoid Denial of Service attacks.
  834. if (!preg_match('/^\s{0,6}[0-9]{1,6}\s{0,6}$/', $value))
  835. $ok = false;
  836. if ($value > $checkvalue)
  837. $ok = false;
  838. break;
  839. case 'minval' :
  840. # The minval check makes sure that the attribute value is a positive integer,
  841. # and that it is not smaller than the given value.
  842. if (!preg_match('/^\s{0,6}[0-9]{1,6}\s{0,6}$/', $value))
  843. $ok = false;
  844. if ($value < $checkvalue)
  845. $ok = false;
  846. break;
  847. case 'valueless' :
  848. # The valueless check makes sure if the attribute has a value
  849. # (like <a href="blah">) or not (<option selected>). If the given value
  850. # is a "y" or a "Y", the attribute must not have a value.
  851. # If the given value is an "n" or an "N", the attribute must have one.
  852. if (strtolower($checkvalue) != $vless)
  853. $ok = false;
  854. break;
  855. } # switch
  856. return $ok;
  857. }
  858. /**
  859. * Sanitize string from bad protocols.
  860. *
  861. * This function removes all non-allowed protocols from the beginning of
  862. * $string. It ignores whitespace and the case of the letters, and it does
  863. * understand HTML entities. It does its work in a while loop, so it won't be
  864. * fooled by a string like "javascript:javascript:alert(57)".
  865. *
  866. * @since 1.0.0
  867. *
  868. * @param string $string Content to filter bad protocols from
  869. * @param array $allowed_protocols Allowed protocols to keep
  870. * @return string Filtered content
  871. */
  872. function wp_kses_bad_protocol($string, $allowed_protocols) {
  873. $string = wp_kses_no_null($string);
  874. $iterations = 0;
  875. do {
  876. $original_string = $string;
  877. $string = wp_kses_bad_protocol_once($string, $allowed_protocols);
  878. } while ( $original_string != $string && ++$iterations < 6 );
  879. if ( $original_string != $string )
  880. return '';
  881. return $string;
  882. }
  883. /**
  884. * Removes any null characters in $string.
  885. *
  886. * @since 1.0.0
  887. *
  888. * @param string $string
  889. * @return string
  890. */
  891. function wp_kses_no_null($string) {
  892. $string = preg_replace('/\0+/', '', $string);
  893. $string = preg_replace('/(\\\\0)+/', '', $string);
  894. return $string;
  895. }
  896. /**
  897. * Strips slashes from in front of quotes.
  898. *
  899. * This function changes the character sequence \" to just ". It leaves all
  900. * other slashes alone. It's really weird, but the quoting from
  901. * preg_replace(//e) seems to require this.
  902. *
  903. * @since 1.0.0
  904. *
  905. * @param string $string String to strip slashes
  906. * @return string Fixed string with quoted slashes
  907. */
  908. function wp_kses_stripslashes($string) {
  909. return preg_replace('%\\\\"%', '"', $string);
  910. }
  911. /**
  912. * Goes through an array and changes the keys to all lower case.
  913. *
  914. * @since 1.0.0
  915. *
  916. * @param array $inarray Unfiltered array
  917. * @return array Fixed array with all lowercase keys
  918. */
  919. function wp_kses_array_lc($inarray) {
  920. $outarray = array ();
  921. foreach ( (array) $inarray as $inkey => $inval) {
  922. $outkey = strtolower($inkey);
  923. $outarray[$outkey] = array ();
  924. foreach ( (array) $inval as $inkey2 => $inval2) {
  925. $outkey2 = strtolower($inkey2);
  926. $outarray[$outkey][$outkey2] = $inval2;
  927. } # foreach $inval
  928. } # foreach $inarray
  929. return $outarray;
  930. }
  931. /**
  932. * Removes the HTML JavaScript entities found in early versions of Netscape 4.
  933. *
  934. * @since 1.0.0
  935. *
  936. * @param string $string
  937. * @return string
  938. */
  939. function wp_kses_js_entities($string) {
  940. return preg_replace('%&\s*\{[^}]*(\}\s*;?|$)%', '', $string);
  941. }
  942. /**
  943. * Handles parsing errors in wp_kses_hair().
  944. *
  945. * The general plan is to remove everything to and including some whitespace,
  946. * but it deals with quotes and apostrophes as well.
  947. *
  948. * @since 1.0.0
  949. *
  950. * @param string $string
  951. * @return string
  952. */
  953. function wp_kses_html_error($string) {
  954. return preg_replace('/^("[^"]*("|$)|\'[^\']*(\'|$)|\S)*\s*/', '', $string);
  955. }
  956. /**
  957. * Sanitizes content from bad protocols and other characters.
  958. *
  959. * This function searches for URL protocols at the beginning of $string, while
  960. * handling whitespace and HTML entities.
  961. *
  962. * @since 1.0.0
  963. *
  964. * @param string $string Content to check for bad protocols
  965. * @param string $allowed_protocols Allowed protocols
  966. * @return string Sanitized content
  967. */
  968. function wp_kses_bad_protocol_once($string, $allowed_protocols, $count = 1 ) {
  969. $string2 = preg_split( '/:|&#0*58;|&#x0*3a;/i', $string, 2 );
  970. if ( isset($string2[1]) && ! preg_match('%/\?%', $string2[0]) ) {
  971. $string = trim( $string2[1] );
  972. $protocol = wp_kses_bad_protocol_once2( $string2[0], $allowed_protocols );
  973. if ( 'feed:' == $protocol ) {
  974. if ( $count > 2 )
  975. return '';
  976. $string = wp_kses_bad_protocol_once( $string, $allowed_protocols, ++$count );
  977. if ( empty( $string ) )
  978. return $string;
  979. }
  980. $string = $protocol . $string;
  981. }
  982. return $string;
  983. }
  984. /**
  985. * Callback for wp_kses_bad_protocol_once() regular expression.
  986. *
  987. * This function processes URL protocols, checks to see if they're in the
  988. * whitelist or not, and returns different data depending on the answer.
  989. *
  990. * @access private
  991. * @since 1.0.0
  992. *
  993. * @param string $string URI scheme to check against the whitelist
  994. * @param string $allowed_protocols Allowed protocols
  995. * @return string Sanitized content
  996. */
  997. function wp_kses_bad_protocol_once2( $string, $allowed_protocols ) {
  998. $string2 = wp_kses_decode_entities($string);
  999. $string2 = preg_replace('/\s/', '', $string2);
  1000. $string2 = wp_kses_no_null($string2);
  1001. $string2 = strtolower($string2);
  1002. $allowed = false;
  1003. foreach ( (array) $allowed_protocols as $one_protocol )
  1004. if ( strtolower($one_protocol) == $string2 ) {
  1005. $allowed = true;
  1006. break;
  1007. }
  1008. if ($allowed)
  1009. return "$string2:";
  1010. else
  1011. return '';
  1012. }
  1013. /**
  1014. * Converts and fixes HTML entities.
  1015. *
  1016. * This function normalizes HTML entities. It will convert "AT&T" to the correct
  1017. * "AT&amp;T", "&#00058;" to "&#58;", "&#XYZZY;" to "&amp;#XYZZY;" and so on.
  1018. *
  1019. * @since 1.0.0
  1020. *
  1021. * @param string $string Content to normalize entities
  1022. * @return string Content with normalized entities
  1023. */
  1024. function wp_kses_normalize_entities($string) {
  1025. # Disarm all entities by converting & to &amp;
  1026. $string = str_replace('&', '&amp;', $string);
  1027. # Change back the allowed entities in our entity whitelist
  1028. $string = preg_replace_callback('/&amp;([A-Za-z]{2,8});/', 'wp_kses_named_entities', $string);
  1029. $string = preg_replace_callback('/&amp;#(0*[0-9]{1,7});/', 'wp_kses_normalize_entities2', $string);
  1030. $string = preg_replace_callback('/&amp;#[Xx](0*[0-9A-Fa-f]{1,6});/', 'wp_kses_normalize_entities3', $string);
  1031. return $string;
  1032. }
  1033. /**
  1034. * Callback for wp_kses_normalize_entities() regular expression.
  1035. *
  1036. * This function only accepts valid named entity references, which are finite,
  1037. * case-sensitive, and highly scrutinized by HTML and XML validators.
  1038. *
  1039. * @since 3.0.0
  1040. *
  1041. * @param array $matches preg_replace_callback() matches array
  1042. * @return string Correctly encoded entity
  1043. */
  1044. function wp_kses_named_entities($matches) {
  1045. global $allowedentitynames;
  1046. if ( empty($matches[1]) )
  1047. return '';
  1048. $i = $matches[1];
  1049. return ( ( ! in_array($i, $allowedentitynames) ) ? "&amp;$i;" : "&$i;" );
  1050. }
  1051. /**
  1052. * Callback for wp_kses_normalize_entities() regular expression.
  1053. *
  1054. * This function helps wp_kses_normalize_entities() to only accept 16-bit values
  1055. * and nothing more for &#number; entities.
  1056. *
  1057. * @access private
  1058. * @since 1.0.0
  1059. *
  1060. * @param array $matches preg_replace_callback() matches array
  1061. * @return string Correctly encoded entity
  1062. */
  1063. function wp_kses_normalize_entities2($matches) {
  1064. if ( empty($matches[1]) )
  1065. return '';
  1066. $i = $matches[1];
  1067. if (valid_unicode($i)) {
  1068. $i = str_pad(ltrim($i,'0'), 3, '0', STR_PAD_LEFT);
  1069. $i = "&#$i;";
  1070. } else {
  1071. $i = "&amp;#$i;";
  1072. }
  1073. return $i;
  1074. }
  1075. /**
  1076. * Callback for wp_kses_normalize_entities() for regular expression.
  1077. *
  1078. * This function helps wp_kses_normalize_entities() to only accept valid Unicode
  1079. * numeric entities in hex form.
  1080. *
  1081. * @access private
  1082. *
  1083. * @param array $matches preg_replace_callback() matches array
  1084. * @return string Correctly encoded entity
  1085. */
  1086. function wp_kses_normalize_entities3($matches) {
  1087. if ( empty($matches[1]) )
  1088. return '';
  1089. $hexchars = $matches[1];
  1090. return ( ( ! valid_unicode(hexdec($hexchars)) ) ? "&amp;#x$hexchars;" : '&#x'.ltrim($hexchars,'0').';' );
  1091. }
  1092. /**
  1093. * Helper function to determine if a Unicode value is valid.
  1094. *
  1095. * @param int $i Unicode value
  1096. * @return bool True if the value was a valid Unicode number
  1097. */
  1098. function valid_unicode($i) {
  1099. return ( $i == 0x9 || $i == 0xa || $i == 0xd ||
  1100. ($i >= 0x20 && $i <= 0xd7ff) ||
  1101. ($i >= 0xe000 && $i <= 0xfffd) ||
  1102. ($i >= 0x10000 && $i <= 0x10ffff) );
  1103. }
  1104. /**
  1105. * Convert all entities to their character counterparts.
  1106. *
  1107. * This function decodes numeric HTML entities (&#65; and &#x41;). It doesn't do
  1108. * anything with other entities like &auml;, but we don't need them in the URL
  1109. * protocol whitelisting system anyway.
  1110. *
  1111. * @since 1.0.0
  1112. *
  1113. * @param string $string Content to change entities
  1114. * @return string Content after decoded entities
  1115. */
  1116. function wp_kses_decode_entities($string) {
  1117. $string = preg_replace_callback('/&#([0-9]+);/', '_wp_kses_decode_entities_chr', $string);
  1118. $string = preg_replace_callback('/&#[Xx]([0-9A-Fa-f]+);/', '_wp_kses_decode_entities_chr_hexdec', $string);
  1119. return $string;
  1120. }
  1121. /**
  1122. * Regex callback for wp_kses_decode_entities()
  1123. *
  1124. * @param array $match preg match
  1125. * @return string
  1126. */
  1127. function _wp_kses_decode_entities_chr( $match ) {
  1128. return chr( $match[1] );
  1129. }
  1130. /**
  1131. * Regex callback for wp_kses_decode_entities()
  1132. *
  1133. * @param array $match preg match
  1134. * @return string
  1135. */
  1136. function _wp_kses_decode_entities_chr_hexdec( $match ) {
  1137. return chr( hexdec( $match[1] ) );
  1138. }
  1139. /**
  1140. * Sanitize content with allowed HTML Kses rules.
  1141. *
  1142. * @since 1.0.0
  1143. * @uses $allowedtags
  1144. *
  1145. * @param string $data Content to filter, expected to be escaped with slashes
  1146. * @return string Filtered content
  1147. */
  1148. function wp_filter_kses( $data ) {
  1149. return addslashes( wp_kses( stripslashes( $data ), current_filter() ) );
  1150. }
  1151. /**
  1152. * Sanitize content with allowed HTML Kses rules.
  1153. *
  1154. * @since 2.9.0
  1155. * @uses $allowedtags
  1156. *
  1157. * @param string $data Content to filter, expected to not be escaped
  1158. * @return string Filtered content
  1159. */
  1160. function wp_kses_data( $data ) {
  1161. return wp_kses( $data , current_filter() );
  1162. }
  1163. /**
  1164. * Sanitize content for allowed HTML tags for post content.
  1165. *
  1166. * Post content refers to the page contents of the 'post' type and not $_POST
  1167. * data from forms.
  1168. *
  1169. * @since 2.0.0
  1170. *
  1171. * @param string $data Post content to filter, expected to be escaped with slashes
  1172. * @return string Filtered post content with allowed HTML tags and attributes intact.
  1173. */
  1174. function wp_filter_post_kses($data) {
  1175. return addslashes ( wp_kses( stripslashes( $data ), 'post' ) );
  1176. }
  1177. /**
  1178. * Sanitize content for allowed HTML tags for post content.
  1179. *
  1180. * Post content refers to the page contents of the 'post' type and not $_POST
  1181. * data from forms.
  1182. *
  1183. * @since 2.9.0
  1184. *
  1185. * @param string $data Post content to filter
  1186. * @return string Filtered post content with allowed HTML tags and attributes intact.
  1187. */
  1188. function wp_kses_post($data) {
  1189. return wp_kses( $data , 'post' );
  1190. }
  1191. /**
  1192. * Strips all of the HTML in the content.
  1193. *
  1194. * @since 2.1.0
  1195. *
  1196. * @param string $data Content to strip all HTML from
  1197. * @return string Filtered content without any HTML
  1198. */
  1199. function wp_filter_nohtml_kses( $data ) {
  1200. return addslashes ( wp_kses( stripslashes( $data ), 'strip' ) );
  1201. }
  1202. /**
  1203. * Adds all Kses input form content filters.
  1204. *
  1205. * All hooks have default priority. The wp_filter_kses() function is added to
  1206. * the 'pre_comment_content' and 'title_save_pre' hooks.
  1207. *
  1208. * The wp_filter_post_kses() function is added to the 'content_save_pre',
  1209. * 'excerpt_save_pre', and 'content_filtered_save_pre' hooks.
  1210. *
  1211. * @since 2.0.0
  1212. * @uses add_filter() See description for what functions are added to what hooks.
  1213. */
  1214. function kses_init_filters() {
  1215. // Normal filtering
  1216. add_filter('title_save_pre', 'wp_filter_kses');
  1217. // Comment filtering
  1218. if ( current_user_can( 'unfiltered_html' ) )
  1219. add_filter( 'pre_comment_content', 'wp_filter_post_kses' );
  1220. else
  1221. add_filter( 'pre_comment_content', 'wp_filter_kses' );
  1222. // Post filtering
  1223. add_filter('content_save_pre', 'wp_filter_post_kses');
  1224. add_filter('excerpt_save_pre', 'wp_filter_post_kses');
  1225. add_filter('content_filtered_save_pre', 'wp_filter_post_kses');
  1226. }
  1227. /**
  1228. * Removes all Kses input form content filters.
  1229. *
  1230. * A quick procedural method to removing all of the filters that kses uses for
  1231. * content in WordPress Loop.
  1232. *
  1233. * Does not remove the kses_init() function from 'init' hook (priority is
  1234. * default). Also does not remove kses_init() function from 'set_current_user'
  1235. * hook (priority is also default).
  1236. *
  1237. * @since 2.0.6
  1238. */
  1239. function kses_remove_filters() {
  1240. // Normal filtering
  1241. remove_filter('title_save_pre', 'wp_filter_kses');
  1242. // Comment filtering
  1243. remove_filter( 'pre_comment_content', 'wp_filter_post_kses' );
  1244. remove_filter( 'pre_comment_content', 'wp_filter_kses' );
  1245. // Post filtering
  1246. remove_filter('content_save_pre', 'wp_filter_post_kses');
  1247. remove_filter('excerpt_save_pre', 'wp_filter_post_kses');
  1248. remove_filter('content_filtered_save_pre', 'wp_filter_post_kses');
  1249. }
  1250. /**
  1251. * Sets up most of the Kses filters for input form content.
  1252. *
  1253. * If you remove the kses_init() function from 'init' hook and
  1254. * 'set_current_user' (priority is default), then none of the Kses filter hooks
  1255. * will be added.
  1256. *
  1257. * First removes all of the Kses filters in case the current user does not need
  1258. * to have Kses filter the content. If the user does not have unfiltered_html
  1259. * capability, then Kses filters are added.
  1260. *
  1261. * @uses kses_remove_filters() Removes the Kses filters
  1262. * @uses kses_init_filters() Adds the Kses filters back if the user
  1263. * does not have unfiltered HTML capability.
  1264. * @since 2.0.0
  1265. */
  1266. function kses_init() {
  1267. kses_remove_filters();
  1268. if (current_user_can('unfiltered_html') == false)
  1269. kses_init_filters();
  1270. }
  1271. add_action('init', 'kses_init');
  1272. add_action('set_current_user', 'kses_init');
  1273. /**
  1274. * Inline CSS filter
  1275. *
  1276. * @since 2.8.1
  1277. */
  1278. function safecss_filter_attr( $css, $deprecated = '' ) {
  1279. if ( !empty( $deprecated ) )
  1280. _deprecated_argument( __FUNCTION__, '2.8.1' ); // Never implemented
  1281. $css = wp_kses_no_null($css);
  1282. $css = str_replace(array("\n","\r","\t"), '', $css);
  1283. if ( preg_match( '%[\\(&=}]|/\*%', $css ) ) // remove any inline css containing \ ( & } = or comments
  1284. return '';
  1285. $css_array = explode( ';', trim( $css ) );
  1286. $allowed_attr = apply_filters( 'safe_style_css', array( 'text-align', 'margin', 'color', 'float',
  1287. 'border', 'background', 'background-color', 'border-bottom', 'border-bottom-color',
  1288. 'border-bottom-style', 'border-bottom-width', 'border-collapse', 'border-color', 'border-left',
  1289. 'border-left-color', 'border-left-style', 'border-left-width', 'border-right', 'border-right-color',
  1290. 'border-right-style', 'border-right-width', 'border-spacing', 'border-style', 'border-top',
  1291. 'border-top-color', 'border-top-style', 'border-top-width', 'border-width', 'caption-side',
  1292. 'clear', 'cursor', 'direction', 'font', 'font-family', 'font-size', 'font-style',
  1293. 'font-variant', 'font-weight', 'height', 'letter-spacing', 'line-height', 'margin-bottom',
  1294. 'margin-left', 'margin-right', 'margin-top', 'overflow', 'padding', 'padding-bottom',
  1295. 'padding-left', 'padding-right', 'padding-top', 'text-decoration', 'text-indent', 'vertical-align',
  1296. 'width' ) );
  1297. if ( empty($allowed_attr) )
  1298. return $css;
  1299. $css = '';
  1300. foreach ( $css_array as $css_item ) {
  1301. if ( $css_item == '' )
  1302. continue;
  1303. $css_item = trim( $css_item );
  1304. $found = false;
  1305. if ( strpos( $css_item, ':' ) === false ) {
  1306. $found = true;
  1307. } else {
  1308. $parts = explode( ':', $css_item );
  1309. if ( in_array( trim( $parts[0] ), $allowed_attr ) )
  1310. $found = true;
  1311. }
  1312. if ( $found ) {
  1313. if( $css != '' )
  1314. $css .= ';';
  1315. $css .= $css_item;
  1316. }
  1317. }
  1318. return $css;
  1319. }
  1320. /**
  1321. * Helper function to add global attributes to a tag in the allowed html list.
  1322. *
  1323. * @since 3.5.0
  1324. * @access private
  1325. *
  1326. * @param array $value An array of attributes.
  1327. * @return array The array of attributes with global attributes added.
  1328. */
  1329. function _wp_add_global_attributes( $value ) {
  1330. $global_attributes = array(
  1331. 'class' => true,
  1332. 'id' => true,
  1333. 'style' => true,
  1334. 'title' => true,
  1335. );
  1336. if ( true === $value )
  1337. $value = array();
  1338. if ( is_array( $value ) )
  1339. return array_merge( $value, $global_attributes );
  1340. return $value;
  1341. }