PageRenderTime 44ms CodeModel.GetById 14ms RepoModel.GetById 0ms app.codeStats 0ms

/wp-includes/kses.php

https://bitbucket.org/acipriani/madeinapulia.com
PHP | 1545 lines | 952 code | 115 blank | 478 comment | 89 complexity | 48088a5167f4d99976ae72b40cc28d0f MD5 | raw file
Possible License(s): GPL-3.0, MIT, BSD-3-Clause, LGPL-2.1, GPL-2.0, Apache-2.0
  1. <?php
  2. /**
  3. * kses 0.2.2 - HTML/XHTML filter that only allows some elements and attributes
  4. * Copyright (C) 2002, 2003, 2005 Ulf Harnhammar
  5. *
  6. * This program is free software and open source software; you can redistribute
  7. * it and/or modify it under the terms of the GNU General Public License as
  8. * published by the Free Software Foundation; either version 2 of the License,
  9. * or (at your option) any later version.
  10. *
  11. * This program is distributed in the hope that it will be useful, but WITHOUT
  12. * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13. * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
  14. * more details.
  15. *
  16. * You should have received a copy of the GNU General Public License along
  17. * with this program; if not, write to the Free Software Foundation, Inc.,
  18. * 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
  19. * http://www.gnu.org/licenses/gpl.html
  20. *
  21. * [kses strips evil scripts!]
  22. *
  23. * Added wp_ prefix to avoid conflicts with existing kses users
  24. *
  25. * @version 0.2.2
  26. * @copyright (C) 2002, 2003, 2005
  27. * @author Ulf Harnhammar <http://advogato.org/person/metaur/>
  28. *
  29. * @package External
  30. * @subpackage KSES
  31. *
  32. */
  33. /**
  34. * You can override this in a plugin.
  35. *
  36. * The wp_kses_allowed_html filter is more powerful and supplies context.
  37. * CUSTOM_TAGS is not recommended and should be considered deprecated.
  38. *
  39. * @see wp_kses_allowed_html()
  40. *
  41. * @since 1.2.0
  42. */
  43. if ( ! defined( 'CUSTOM_TAGS' ) )
  44. define( 'CUSTOM_TAGS', false );
  45. // Ensure that these variables are added to the global namespace
  46. // (e.g. if using namespaces / autoload in the current PHP environment).
  47. global $allowedposttags, $allowedtags, $allowedentitynames;
  48. if ( ! CUSTOM_TAGS ) {
  49. /**
  50. * Kses global for default allowable HTML tags.
  51. *
  52. * Can be override by using CUSTOM_TAGS constant.
  53. *
  54. * @global array $allowedposttags
  55. * @since 2.0.0
  56. */
  57. $allowedposttags = array(
  58. 'address' => array(),
  59. 'a' => array(
  60. 'href' => true,
  61. 'rel' => true,
  62. 'rev' => true,
  63. 'name' => true,
  64. 'target' => true,
  65. ),
  66. 'abbr' => array(),
  67. 'acronym' => array(),
  68. 'area' => array(
  69. 'alt' => true,
  70. 'coords' => true,
  71. 'href' => true,
  72. 'nohref' => true,
  73. 'shape' => true,
  74. 'target' => true,
  75. ),
  76. 'article' => array(
  77. 'align' => true,
  78. 'dir' => true,
  79. 'lang' => true,
  80. 'xml:lang' => true,
  81. ),
  82. 'aside' => array(
  83. 'align' => true,
  84. 'dir' => true,
  85. 'lang' => true,
  86. 'xml:lang' => true,
  87. ),
  88. 'audio' => array(
  89. 'autoplay' => true,
  90. 'controls' => true,
  91. 'loop' => true,
  92. 'muted' => true,
  93. 'preload' => true,
  94. 'src' => true,
  95. ),
  96. 'b' => array(),
  97. 'big' => array(),
  98. 'blockquote' => array(
  99. 'cite' => true,
  100. 'lang' => true,
  101. 'xml:lang' => true,
  102. ),
  103. 'br' => array(),
  104. 'button' => array(
  105. 'disabled' => true,
  106. 'name' => true,
  107. 'type' => true,
  108. 'value' => true,
  109. ),
  110. 'caption' => array(
  111. 'align' => true,
  112. ),
  113. 'cite' => array(
  114. 'dir' => true,
  115. 'lang' => true,
  116. ),
  117. 'code' => array(),
  118. 'col' => array(
  119. 'align' => true,
  120. 'char' => true,
  121. 'charoff' => true,
  122. 'span' => true,
  123. 'dir' => true,
  124. 'valign' => true,
  125. 'width' => true,
  126. ),
  127. 'colgroup' => array(
  128. 'align' => true,
  129. 'char' => true,
  130. 'charoff' => true,
  131. 'span' => true,
  132. 'valign' => true,
  133. 'width' => true,
  134. ),
  135. 'del' => array(
  136. 'datetime' => true,
  137. ),
  138. 'dd' => array(),
  139. 'dfn' => array(),
  140. 'details' => array(
  141. 'align' => true,
  142. 'dir' => true,
  143. 'lang' => true,
  144. 'open' => true,
  145. 'xml:lang' => true,
  146. ),
  147. 'div' => array(
  148. 'align' => true,
  149. 'dir' => true,
  150. 'lang' => true,
  151. 'xml:lang' => true,
  152. ),
  153. 'dl' => array(),
  154. 'dt' => array(),
  155. 'em' => array(),
  156. 'fieldset' => array(),
  157. 'figure' => array(
  158. 'align' => true,
  159. 'dir' => true,
  160. 'lang' => true,
  161. 'xml:lang' => true,
  162. ),
  163. 'figcaption' => array(
  164. 'align' => true,
  165. 'dir' => true,
  166. 'lang' => true,
  167. 'xml:lang' => true,
  168. ),
  169. 'font' => array(
  170. 'color' => true,
  171. 'face' => true,
  172. 'size' => true,
  173. ),
  174. 'footer' => array(
  175. 'align' => true,
  176. 'dir' => true,
  177. 'lang' => true,
  178. 'xml:lang' => true,
  179. ),
  180. 'form' => array(
  181. 'action' => true,
  182. 'accept' => true,
  183. 'accept-charset' => true,
  184. 'enctype' => true,
  185. 'method' => true,
  186. 'name' => true,
  187. 'target' => true,
  188. ),
  189. 'h1' => array(
  190. 'align' => true,
  191. ),
  192. 'h2' => array(
  193. 'align' => true,
  194. ),
  195. 'h3' => array(
  196. 'align' => true,
  197. ),
  198. 'h4' => array(
  199. 'align' => true,
  200. ),
  201. 'h5' => array(
  202. 'align' => true,
  203. ),
  204. 'h6' => array(
  205. 'align' => true,
  206. ),
  207. 'header' => array(
  208. 'align' => true,
  209. 'dir' => true,
  210. 'lang' => true,
  211. 'xml:lang' => true,
  212. ),
  213. 'hgroup' => array(
  214. 'align' => true,
  215. 'dir' => true,
  216. 'lang' => true,
  217. 'xml:lang' => true,
  218. ),
  219. 'hr' => array(
  220. 'align' => true,
  221. 'noshade' => true,
  222. 'size' => true,
  223. 'width' => true,
  224. ),
  225. 'i' => array(),
  226. 'img' => array(
  227. 'alt' => true,
  228. 'align' => true,
  229. 'border' => true,
  230. 'height' => true,
  231. 'hspace' => true,
  232. 'longdesc' => true,
  233. 'vspace' => true,
  234. 'src' => true,
  235. 'usemap' => true,
  236. 'width' => true,
  237. ),
  238. 'ins' => array(
  239. 'datetime' => true,
  240. 'cite' => true,
  241. ),
  242. 'kbd' => array(),
  243. 'label' => array(
  244. 'for' => true,
  245. ),
  246. 'legend' => array(
  247. 'align' => true,
  248. ),
  249. 'li' => array(
  250. 'align' => true,
  251. 'value' => true,
  252. ),
  253. 'map' => array(
  254. 'name' => true,
  255. ),
  256. 'mark' => array(),
  257. 'menu' => array(
  258. 'type' => true,
  259. ),
  260. 'nav' => array(
  261. 'align' => true,
  262. 'dir' => true,
  263. 'lang' => true,
  264. 'xml:lang' => true,
  265. ),
  266. 'p' => array(
  267. 'align' => true,
  268. 'dir' => true,
  269. 'lang' => true,
  270. 'xml:lang' => true,
  271. ),
  272. 'pre' => array(
  273. 'width' => true,
  274. ),
  275. 'q' => array(
  276. 'cite' => true,
  277. ),
  278. 's' => array(),
  279. 'samp' => array(),
  280. 'span' => array(
  281. 'dir' => true,
  282. 'align' => true,
  283. 'lang' => true,
  284. 'xml:lang' => true,
  285. ),
  286. 'section' => array(
  287. 'align' => true,
  288. 'dir' => true,
  289. 'lang' => true,
  290. 'xml:lang' => true,
  291. ),
  292. 'small' => array(),
  293. 'strike' => array(),
  294. 'strong' => array(),
  295. 'sub' => array(),
  296. 'summary' => array(
  297. 'align' => true,
  298. 'dir' => true,
  299. 'lang' => true,
  300. 'xml:lang' => true,
  301. ),
  302. 'sup' => array(),
  303. 'table' => array(
  304. 'align' => true,
  305. 'bgcolor' => true,
  306. 'border' => true,
  307. 'cellpadding' => true,
  308. 'cellspacing' => true,
  309. 'dir' => true,
  310. 'rules' => true,
  311. 'summary' => true,
  312. 'width' => true,
  313. ),
  314. 'tbody' => array(
  315. 'align' => true,
  316. 'char' => true,
  317. 'charoff' => true,
  318. 'valign' => true,
  319. ),
  320. 'td' => array(
  321. 'abbr' => true,
  322. 'align' => true,
  323. 'axis' => true,
  324. 'bgcolor' => true,
  325. 'char' => true,
  326. 'charoff' => true,
  327. 'colspan' => true,
  328. 'dir' => true,
  329. 'headers' => true,
  330. 'height' => true,
  331. 'nowrap' => true,
  332. 'rowspan' => true,
  333. 'scope' => true,
  334. 'valign' => true,
  335. 'width' => true,
  336. ),
  337. 'textarea' => array(
  338. 'cols' => true,
  339. 'rows' => true,
  340. 'disabled' => true,
  341. 'name' => true,
  342. 'readonly' => true,
  343. ),
  344. 'tfoot' => array(
  345. 'align' => true,
  346. 'char' => true,
  347. 'charoff' => true,
  348. 'valign' => true,
  349. ),
  350. 'th' => array(
  351. 'abbr' => true,
  352. 'align' => true,
  353. 'axis' => true,
  354. 'bgcolor' => true,
  355. 'char' => true,
  356. 'charoff' => true,
  357. 'colspan' => true,
  358. 'headers' => true,
  359. 'height' => true,
  360. 'nowrap' => true,
  361. 'rowspan' => true,
  362. 'scope' => true,
  363. 'valign' => true,
  364. 'width' => true,
  365. ),
  366. 'thead' => array(
  367. 'align' => true,
  368. 'char' => true,
  369. 'charoff' => true,
  370. 'valign' => true,
  371. ),
  372. 'title' => array(),
  373. 'tr' => array(
  374. 'align' => true,
  375. 'bgcolor' => true,
  376. 'char' => true,
  377. 'charoff' => true,
  378. 'valign' => true,
  379. ),
  380. 'track' => array(
  381. 'default' => true,
  382. 'kind' => true,
  383. 'label' => true,
  384. 'src' => true,
  385. 'srclang' => true,
  386. ),
  387. 'tt' => array(),
  388. 'u' => array(),
  389. 'ul' => array(
  390. 'type' => true,
  391. ),
  392. 'ol' => array(
  393. 'start' => true,
  394. 'type' => true,
  395. ),
  396. 'var' => array(),
  397. 'video' => array(
  398. 'autoplay' => true,
  399. 'controls' => true,
  400. 'height' => true,
  401. 'loop' => true,
  402. 'muted' => true,
  403. 'poster' => true,
  404. 'preload' => true,
  405. 'src' => true,
  406. 'width' => true,
  407. ),
  408. );
  409. /**
  410. * Kses allowed HTML elements.
  411. *
  412. * @global array $allowedtags
  413. * @since 1.0.0
  414. */
  415. $allowedtags = array(
  416. 'a' => array(
  417. 'href' => true,
  418. 'title' => true,
  419. ),
  420. 'abbr' => array(
  421. 'title' => true,
  422. ),
  423. 'acronym' => array(
  424. 'title' => true,
  425. ),
  426. 'b' => array(),
  427. 'blockquote' => array(
  428. 'cite' => true,
  429. ),
  430. 'cite' => array(),
  431. 'code' => array(),
  432. 'del' => array(
  433. 'datetime' => true,
  434. ),
  435. 'em' => array(),
  436. 'i' => array(),
  437. 'q' => array(
  438. 'cite' => true,
  439. ),
  440. 'strike' => array(),
  441. 'strong' => array(),
  442. );
  443. $allowedentitynames = array(
  444. 'nbsp', 'iexcl', 'cent', 'pound', 'curren', 'yen',
  445. 'brvbar', 'sect', 'uml', 'copy', 'ordf', 'laquo',
  446. 'not', 'shy', 'reg', 'macr', 'deg', 'plusmn',
  447. 'acute', 'micro', 'para', 'middot', 'cedil', 'ordm',
  448. 'raquo', 'iquest', 'Agrave', 'Aacute', 'Acirc', 'Atilde',
  449. 'Auml', 'Aring', 'AElig', 'Ccedil', 'Egrave', 'Eacute',
  450. 'Ecirc', 'Euml', 'Igrave', 'Iacute', 'Icirc', 'Iuml',
  451. 'ETH', 'Ntilde', 'Ograve', 'Oacute', 'Ocirc', 'Otilde',
  452. 'Ouml', 'times', 'Oslash', 'Ugrave', 'Uacute', 'Ucirc',
  453. 'Uuml', 'Yacute', 'THORN', 'szlig', 'agrave', 'aacute',
  454. 'acirc', 'atilde', 'auml', 'aring', 'aelig', 'ccedil',
  455. 'egrave', 'eacute', 'ecirc', 'euml', 'igrave', 'iacute',
  456. 'icirc', 'iuml', 'eth', 'ntilde', 'ograve', 'oacute',
  457. 'ocirc', 'otilde', 'ouml', 'divide', 'oslash', 'ugrave',
  458. 'uacute', 'ucirc', 'uuml', 'yacute', 'thorn', 'yuml',
  459. 'quot', 'amp', 'lt', 'gt', 'apos', 'OElig',
  460. 'oelig', 'Scaron', 'scaron', 'Yuml', 'circ', 'tilde',
  461. 'ensp', 'emsp', 'thinsp', 'zwnj', 'zwj', 'lrm',
  462. 'rlm', 'ndash', 'mdash', 'lsquo', 'rsquo', 'sbquo',
  463. 'ldquo', 'rdquo', 'bdquo', 'dagger', 'Dagger', 'permil',
  464. 'lsaquo', 'rsaquo', 'euro', 'fnof', 'Alpha', 'Beta',
  465. 'Gamma', 'Delta', 'Epsilon', 'Zeta', 'Eta', 'Theta',
  466. 'Iota', 'Kappa', 'Lambda', 'Mu', 'Nu', 'Xi',
  467. 'Omicron', 'Pi', 'Rho', 'Sigma', 'Tau', 'Upsilon',
  468. 'Phi', 'Chi', 'Psi', 'Omega', 'alpha', 'beta',
  469. 'gamma', 'delta', 'epsilon', 'zeta', 'eta', 'theta',
  470. 'iota', 'kappa', 'lambda', 'mu', 'nu', 'xi',
  471. 'omicron', 'pi', 'rho', 'sigmaf', 'sigma', 'tau',
  472. 'upsilon', 'phi', 'chi', 'psi', 'omega', 'thetasym',
  473. 'upsih', 'piv', 'bull', 'hellip', 'prime', 'Prime',
  474. 'oline', 'frasl', 'weierp', 'image', 'real', 'trade',
  475. 'alefsym', 'larr', 'uarr', 'rarr', 'darr', 'harr',
  476. 'crarr', 'lArr', 'uArr', 'rArr', 'dArr', 'hArr',
  477. 'forall', 'part', 'exist', 'empty', 'nabla', 'isin',
  478. 'notin', 'ni', 'prod', 'sum', 'minus', 'lowast',
  479. 'radic', 'prop', 'infin', 'ang', 'and', 'or',
  480. 'cap', 'cup', 'int', 'sim', 'cong', 'asymp',
  481. 'ne', 'equiv', 'le', 'ge', 'sub', 'sup',
  482. 'nsub', 'sube', 'supe', 'oplus', 'otimes', 'perp',
  483. 'sdot', 'lceil', 'rceil', 'lfloor', 'rfloor', 'lang',
  484. 'rang', 'loz', 'spades', 'clubs', 'hearts', 'diams',
  485. 'sup1', 'sup2', 'sup3', 'frac14', 'frac12', 'frac34',
  486. 'there4',
  487. );
  488. $allowedposttags = array_map( '_wp_add_global_attributes', $allowedposttags );
  489. } else {
  490. $allowedtags = wp_kses_array_lc( $allowedtags );
  491. $allowedposttags = wp_kses_array_lc( $allowedposttags );
  492. }
  493. /**
  494. * Filters content and keeps only allowable HTML elements.
  495. *
  496. * This function makes sure that only the allowed HTML element names, attribute
  497. * names and attribute values plus only sane HTML entities will occur in
  498. * $string. You have to remove any slashes from PHP's magic quotes before you
  499. * call this function.
  500. *
  501. * The default allowed protocols are 'http', 'https', 'ftp', 'mailto', 'news',
  502. * 'irc', 'gopher', 'nntp', 'feed', 'telnet, 'mms', 'rtsp' and 'svn'. This
  503. * covers all common link protocols, except for 'javascript' which should not
  504. * be allowed for untrusted users.
  505. *
  506. * @since 1.0.0
  507. *
  508. * @param string $string Content to filter through kses
  509. * @param array $allowed_html List of allowed HTML elements
  510. * @param array $allowed_protocols Optional. Allowed protocol in links.
  511. * @return string Filtered content with only allowed HTML elements
  512. */
  513. function wp_kses( $string, $allowed_html, $allowed_protocols = array() ) {
  514. if ( empty( $allowed_protocols ) )
  515. $allowed_protocols = wp_allowed_protocols();
  516. $string = wp_kses_no_null($string);
  517. $string = wp_kses_js_entities($string);
  518. $string = wp_kses_normalize_entities($string);
  519. $string = wp_kses_hook($string, $allowed_html, $allowed_protocols); // WP changed the order of these funcs and added args to wp_kses_hook
  520. return wp_kses_split($string, $allowed_html, $allowed_protocols);
  521. }
  522. /**
  523. * Return a list of allowed tags and attributes for a given context.
  524. *
  525. * @since 3.5.0
  526. *
  527. * @param string $context The context for which to retrieve tags. Allowed values are
  528. * post | strip | data | entities or the name of a field filter such as pre_user_description.
  529. * @return array List of allowed tags and their allowed attributes.
  530. */
  531. function wp_kses_allowed_html( $context = '' ) {
  532. global $allowedposttags, $allowedtags, $allowedentitynames;
  533. if ( is_array( $context ) ) {
  534. /**
  535. * Filter HTML elements allowed for a given context.
  536. *
  537. * @since 3.5.0
  538. *
  539. * @param string $tags Allowed tags, attributes, and/or entities.
  540. * @param string $context Context to judge allowed tags by. Allowed values are 'post',
  541. * 'data', 'strip', 'entities', 'explicit', or the name of a filter.
  542. */
  543. return apply_filters( 'wp_kses_allowed_html', $context, 'explicit' );
  544. }
  545. switch ( $context ) {
  546. case 'post':
  547. /** This filter is documented in wp-includes/kses.php */
  548. return apply_filters( 'wp_kses_allowed_html', $allowedposttags, $context );
  549. break;
  550. case 'user_description':
  551. case 'pre_user_description':
  552. $tags = $allowedtags;
  553. $tags['a']['rel'] = true;
  554. /** This filter is documented in wp-includes/kses.php */
  555. return apply_filters( 'wp_kses_allowed_html', $tags, $context );
  556. break;
  557. case 'strip':
  558. /** This filter is documented in wp-includes/kses.php */
  559. return apply_filters( 'wp_kses_allowed_html', array(), $context );
  560. break;
  561. case 'entities':
  562. /** This filter is documented in wp-includes/kses.php */
  563. return apply_filters( 'wp_kses_allowed_html', $allowedentitynames, $context);
  564. break;
  565. case 'data':
  566. default:
  567. /** This filter is documented in wp-includes/kses.php */
  568. return apply_filters( 'wp_kses_allowed_html', $allowedtags, $context );
  569. }
  570. }
  571. /**
  572. * You add any kses hooks here.
  573. *
  574. * There is currently only one kses WordPress hook and it is called here. All
  575. * parameters are passed to the hooks and expected to receive a string.
  576. *
  577. * @since 1.0.0
  578. *
  579. * @param string $string Content to filter through kses
  580. * @param array $allowed_html List of allowed HTML elements
  581. * @param array $allowed_protocols Allowed protocol in links
  582. * @return string Filtered content through 'pre_kses' hook
  583. */
  584. function wp_kses_hook( $string, $allowed_html, $allowed_protocols ) {
  585. /**
  586. * Filter content to be run through kses.
  587. *
  588. * @since 2.3.0
  589. *
  590. * @param string $string Content to run through kses.
  591. * @param array $allowed_html Allowed HTML elements.
  592. * @param array $allowed_protocols Allowed protocol in links.
  593. */
  594. $string = apply_filters( 'pre_kses', $string, $allowed_html, $allowed_protocols );
  595. return $string;
  596. }
  597. /**
  598. * This function returns kses' version number.
  599. *
  600. * @since 1.0.0
  601. *
  602. * @return string KSES Version Number
  603. */
  604. function wp_kses_version() {
  605. return '0.2.2';
  606. }
  607. /**
  608. * Searches for HTML tags, no matter how malformed.
  609. *
  610. * It also matches stray ">" characters.
  611. *
  612. * @since 1.0.0
  613. *
  614. * @param string $string Content to filter
  615. * @param array $allowed_html Allowed HTML elements
  616. * @param array $allowed_protocols Allowed protocols to keep
  617. * @return string Content with fixed HTML tags
  618. */
  619. function wp_kses_split( $string, $allowed_html, $allowed_protocols ) {
  620. global $pass_allowed_html, $pass_allowed_protocols;
  621. $pass_allowed_html = $allowed_html;
  622. $pass_allowed_protocols = $allowed_protocols;
  623. return preg_replace_callback( '%(<!--.*?(-->|$))|(<[^>]*(>|$)|>)%', '_wp_kses_split_callback', $string );
  624. }
  625. /**
  626. * Callback for wp_kses_split.
  627. *
  628. * @since 3.1.0
  629. * @access private
  630. */
  631. function _wp_kses_split_callback( $match ) {
  632. global $pass_allowed_html, $pass_allowed_protocols;
  633. return wp_kses_split2( $match[0], $pass_allowed_html, $pass_allowed_protocols );
  634. }
  635. /**
  636. * Callback for wp_kses_split for fixing malformed HTML tags.
  637. *
  638. * This function does a lot of work. It rejects some very malformed things like
  639. * <:::>. It returns an empty string, if the element isn't allowed (look ma, no
  640. * strip_tags()!). Otherwise it splits the tag into an element and an attribute
  641. * list.
  642. *
  643. * After the tag is split into an element and an attribute list, it is run
  644. * through another filter which will remove illegal attributes and once that is
  645. * completed, will be returned.
  646. *
  647. * @access private
  648. * @since 1.0.0
  649. *
  650. * @param string $string Content to filter
  651. * @param array $allowed_html Allowed HTML elements
  652. * @param array $allowed_protocols Allowed protocols to keep
  653. * @return string Fixed HTML element
  654. */
  655. function wp_kses_split2($string, $allowed_html, $allowed_protocols) {
  656. $string = wp_kses_stripslashes($string);
  657. if (substr($string, 0, 1) != '<')
  658. return '&gt;';
  659. # It matched a ">" character
  660. if ( '<!--' == substr( $string, 0, 4 ) ) {
  661. $string = str_replace( array('<!--', '-->'), '', $string );
  662. while ( $string != ($newstring = wp_kses($string, $allowed_html, $allowed_protocols)) )
  663. $string = $newstring;
  664. if ( $string == '' )
  665. return '';
  666. // prevent multiple dashes in comments
  667. $string = preg_replace('/--+/', '-', $string);
  668. // prevent three dashes closing a comment
  669. $string = preg_replace('/-$/', '', $string);
  670. return "<!--{$string}-->";
  671. }
  672. # Allow HTML comments
  673. if (!preg_match('%^<\s*(/\s*)?([a-zA-Z0-9]+)([^>]*)>?$%', $string, $matches))
  674. return '';
  675. # It's seriously malformed
  676. $slash = trim($matches[1]);
  677. $elem = $matches[2];
  678. $attrlist = $matches[3];
  679. if ( ! is_array( $allowed_html ) )
  680. $allowed_html = wp_kses_allowed_html( $allowed_html );
  681. if ( ! isset($allowed_html[strtolower($elem)]) )
  682. return '';
  683. # They are using a not allowed HTML element
  684. if ($slash != '')
  685. return "</$elem>";
  686. # No attributes are allowed for closing elements
  687. return wp_kses_attr( $elem, $attrlist, $allowed_html, $allowed_protocols );
  688. }
  689. /**
  690. * Removes all attributes, if none are allowed for this element.
  691. *
  692. * If some are allowed it calls wp_kses_hair() to split them further, and then
  693. * it builds up new HTML code from the data that kses_hair() returns. It also
  694. * removes "<" and ">" characters, if there are any left. One more thing it does
  695. * is to check if the tag has a closing XHTML slash, and if it does, it puts one
  696. * in the returned code as well.
  697. *
  698. * @since 1.0.0
  699. *
  700. * @param string $element HTML element/tag
  701. * @param string $attr HTML attributes from HTML element to closing HTML element tag
  702. * @param array $allowed_html Allowed HTML elements
  703. * @param array $allowed_protocols Allowed protocols to keep
  704. * @return string Sanitized HTML element
  705. */
  706. function wp_kses_attr($element, $attr, $allowed_html, $allowed_protocols) {
  707. # Is there a closing XHTML slash at the end of the attributes?
  708. if ( ! is_array( $allowed_html ) )
  709. $allowed_html = wp_kses_allowed_html( $allowed_html );
  710. $xhtml_slash = '';
  711. if (preg_match('%\s*/\s*$%', $attr))
  712. $xhtml_slash = ' /';
  713. # Are any attributes allowed at all for this element?
  714. if ( ! isset($allowed_html[strtolower($element)]) || count($allowed_html[strtolower($element)]) == 0 )
  715. return "<$element$xhtml_slash>";
  716. # Split it
  717. $attrarr = wp_kses_hair($attr, $allowed_protocols);
  718. # Go through $attrarr, and save the allowed attributes for this element
  719. # in $attr2
  720. $attr2 = '';
  721. $allowed_attr = $allowed_html[strtolower($element)];
  722. foreach ($attrarr as $arreach) {
  723. if ( ! isset( $allowed_attr[strtolower($arreach['name'])] ) )
  724. continue; # the attribute is not allowed
  725. $current = $allowed_attr[strtolower($arreach['name'])];
  726. if ( $current == '' )
  727. continue; # the attribute is not allowed
  728. if ( strtolower( $arreach['name'] ) == 'style' ) {
  729. $orig_value = $arreach['value'];
  730. $value = safecss_filter_attr( $orig_value );
  731. if ( empty( $value ) )
  732. continue;
  733. $arreach['value'] = $value;
  734. $arreach['whole'] = str_replace( $orig_value, $value, $arreach['whole'] );
  735. }
  736. if ( ! is_array($current) ) {
  737. $attr2 .= ' '.$arreach['whole'];
  738. # there are no checks
  739. } else {
  740. # there are some checks
  741. $ok = true;
  742. foreach ($current as $currkey => $currval) {
  743. if ( ! wp_kses_check_attr_val($arreach['value'], $arreach['vless'], $currkey, $currval) ) {
  744. $ok = false;
  745. break;
  746. }
  747. }
  748. if ( $ok )
  749. $attr2 .= ' '.$arreach['whole']; # it passed them
  750. } # if !is_array($current)
  751. } # foreach
  752. # Remove any "<" or ">" characters
  753. $attr2 = preg_replace('/[<>]/', '', $attr2);
  754. return "<$element$attr2$xhtml_slash>";
  755. }
  756. /**
  757. * Builds an attribute list from string containing attributes.
  758. *
  759. * This function does a lot of work. It parses an attribute list into an array
  760. * with attribute data, and tries to do the right thing even if it gets weird
  761. * input. It will add quotes around attribute values that don't have any quotes
  762. * or apostrophes around them, to make it easier to produce HTML code that will
  763. * conform to W3C's HTML specification. It will also remove bad URL protocols
  764. * from attribute values. It also reduces duplicate attributes by using the
  765. * attribute defined first (foo='bar' foo='baz' will result in foo='bar').
  766. *
  767. * @since 1.0.0
  768. *
  769. * @param string $attr Attribute list from HTML element to closing HTML element tag
  770. * @param array $allowed_protocols Allowed protocols to keep
  771. * @return array List of attributes after parsing
  772. */
  773. function wp_kses_hair($attr, $allowed_protocols) {
  774. $attrarr = array();
  775. $mode = 0;
  776. $attrname = '';
  777. $uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');
  778. # Loop through the whole attribute list
  779. while (strlen($attr) != 0) {
  780. $working = 0; # Was the last operation successful?
  781. switch ($mode) {
  782. case 0 : # attribute name, href for instance
  783. if ( preg_match('/^([-a-zA-Z:]+)/', $attr, $match ) ) {
  784. $attrname = $match[1];
  785. $working = $mode = 1;
  786. $attr = preg_replace( '/^[-a-zA-Z:]+/', '', $attr );
  787. }
  788. break;
  789. case 1 : # equals sign or valueless ("selected")
  790. if (preg_match('/^\s*=\s*/', $attr)) # equals sign
  791. {
  792. $working = 1;
  793. $mode = 2;
  794. $attr = preg_replace('/^\s*=\s*/', '', $attr);
  795. break;
  796. }
  797. if (preg_match('/^\s+/', $attr)) # valueless
  798. {
  799. $working = 1;
  800. $mode = 0;
  801. if(false === array_key_exists($attrname, $attrarr)) {
  802. $attrarr[$attrname] = array ('name' => $attrname, 'value' => '', 'whole' => $attrname, 'vless' => 'y');
  803. }
  804. $attr = preg_replace('/^\s+/', '', $attr);
  805. }
  806. break;
  807. case 2 : # attribute value, a URL after href= for instance
  808. if (preg_match('%^"([^"]*)"(\s+|/?$)%', $attr, $match))
  809. # "value"
  810. {
  811. $thisval = $match[1];
  812. if ( in_array(strtolower($attrname), $uris) )
  813. $thisval = wp_kses_bad_protocol($thisval, $allowed_protocols);
  814. if(false === array_key_exists($attrname, $attrarr)) {
  815. $attrarr[$attrname] = array ('name' => $attrname, 'value' => $thisval, 'whole' => "$attrname=\"$thisval\"", 'vless' => 'n');
  816. }
  817. $working = 1;
  818. $mode = 0;
  819. $attr = preg_replace('/^"[^"]*"(\s+|$)/', '', $attr);
  820. break;
  821. }
  822. if (preg_match("%^'([^']*)'(\s+|/?$)%", $attr, $match))
  823. # 'value'
  824. {
  825. $thisval = $match[1];
  826. if ( in_array(strtolower($attrname), $uris) )
  827. $thisval = wp_kses_bad_protocol($thisval, $allowed_protocols);
  828. if(false === array_key_exists($attrname, $attrarr)) {
  829. $attrarr[$attrname] = array ('name' => $attrname, 'value' => $thisval, 'whole' => "$attrname='$thisval'", 'vless' => 'n');
  830. }
  831. $working = 1;
  832. $mode = 0;
  833. $attr = preg_replace("/^'[^']*'(\s+|$)/", '', $attr);
  834. break;
  835. }
  836. if (preg_match("%^([^\s\"']+)(\s+|/?$)%", $attr, $match))
  837. # value
  838. {
  839. $thisval = $match[1];
  840. if ( in_array(strtolower($attrname), $uris) )
  841. $thisval = wp_kses_bad_protocol($thisval, $allowed_protocols);
  842. if(false === array_key_exists($attrname, $attrarr)) {
  843. $attrarr[$attrname] = array ('name' => $attrname, 'value' => $thisval, 'whole' => "$attrname=\"$thisval\"", 'vless' => 'n');
  844. }
  845. # We add quotes to conform to W3C's HTML spec.
  846. $working = 1;
  847. $mode = 0;
  848. $attr = preg_replace("%^[^\s\"']+(\s+|$)%", '', $attr);
  849. }
  850. break;
  851. } # switch
  852. if ($working == 0) # not well formed, remove and try again
  853. {
  854. $attr = wp_kses_html_error($attr);
  855. $mode = 0;
  856. }
  857. } # while
  858. if ($mode == 1 && false === array_key_exists($attrname, $attrarr))
  859. # special case, for when the attribute list ends with a valueless
  860. # attribute like "selected"
  861. $attrarr[$attrname] = array ('name' => $attrname, 'value' => '', 'whole' => $attrname, 'vless' => 'y');
  862. return $attrarr;
  863. }
  864. /**
  865. * Performs different checks for attribute values.
  866. *
  867. * The currently implemented checks are "maxlen", "minlen", "maxval", "minval"
  868. * and "valueless".
  869. *
  870. * @since 1.0.0
  871. *
  872. * @param string $value Attribute value
  873. * @param string $vless Whether the value is valueless. Use 'y' or 'n'
  874. * @param string $checkname What $checkvalue is checking for.
  875. * @param mixed $checkvalue What constraint the value should pass
  876. * @return bool Whether check passes
  877. */
  878. function wp_kses_check_attr_val($value, $vless, $checkname, $checkvalue) {
  879. $ok = true;
  880. switch (strtolower($checkname)) {
  881. case 'maxlen' :
  882. # The maxlen check makes sure that the attribute value has a length not
  883. # greater than the given value. This can be used to avoid Buffer Overflows
  884. # in WWW clients and various Internet servers.
  885. if (strlen($value) > $checkvalue)
  886. $ok = false;
  887. break;
  888. case 'minlen' :
  889. # The minlen check makes sure that the attribute value has a length not
  890. # smaller than the given value.
  891. if (strlen($value) < $checkvalue)
  892. $ok = false;
  893. break;
  894. case 'maxval' :
  895. # The maxval check does two things: it checks that the attribute value is
  896. # an integer from 0 and up, without an excessive amount of zeroes or
  897. # whitespace (to avoid Buffer Overflows). It also checks that the attribute
  898. # value is not greater than the given value.
  899. # This check can be used to avoid Denial of Service attacks.
  900. if (!preg_match('/^\s{0,6}[0-9]{1,6}\s{0,6}$/', $value))
  901. $ok = false;
  902. if ($value > $checkvalue)
  903. $ok = false;
  904. break;
  905. case 'minval' :
  906. # The minval check makes sure that the attribute value is a positive integer,
  907. # and that it is not smaller than the given value.
  908. if (!preg_match('/^\s{0,6}[0-9]{1,6}\s{0,6}$/', $value))
  909. $ok = false;
  910. if ($value < $checkvalue)
  911. $ok = false;
  912. break;
  913. case 'valueless' :
  914. # The valueless check makes sure if the attribute has a value
  915. # (like <a href="blah">) or not (<option selected>). If the given value
  916. # is a "y" or a "Y", the attribute must not have a value.
  917. # If the given value is an "n" or an "N", the attribute must have one.
  918. if (strtolower($checkvalue) != $vless)
  919. $ok = false;
  920. break;
  921. } # switch
  922. return $ok;
  923. }
  924. /**
  925. * Sanitize string from bad protocols.
  926. *
  927. * This function removes all non-allowed protocols from the beginning of
  928. * $string. It ignores whitespace and the case of the letters, and it does
  929. * understand HTML entities. It does its work in a while loop, so it won't be
  930. * fooled by a string like "javascript:javascript:alert(57)".
  931. *
  932. * @since 1.0.0
  933. *
  934. * @param string $string Content to filter bad protocols from
  935. * @param array $allowed_protocols Allowed protocols to keep
  936. * @return string Filtered content
  937. */
  938. function wp_kses_bad_protocol($string, $allowed_protocols) {
  939. $string = wp_kses_no_null($string);
  940. $iterations = 0;
  941. do {
  942. $original_string = $string;
  943. $string = wp_kses_bad_protocol_once($string, $allowed_protocols);
  944. } while ( $original_string != $string && ++$iterations < 6 );
  945. if ( $original_string != $string )
  946. return '';
  947. return $string;
  948. }
  949. /**
  950. * Removes any invalid control characters in $string.
  951. *
  952. * Also removes any instance of the '\0' string.
  953. *
  954. * @since 1.0.0
  955. *
  956. * @param string $string
  957. * @return string
  958. */
  959. function wp_kses_no_null($string) {
  960. $string = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $string);
  961. $string = preg_replace('/(\\\\0)+/', '', $string);
  962. return $string;
  963. }
  964. /**
  965. * Strips slashes from in front of quotes.
  966. *
  967. * This function changes the character sequence \" to just ". It leaves all
  968. * other slashes alone. It's really weird, but the quoting from
  969. * preg_replace(//e) seems to require this.
  970. *
  971. * @since 1.0.0
  972. *
  973. * @param string $string String to strip slashes
  974. * @return string Fixed string with quoted slashes
  975. */
  976. function wp_kses_stripslashes($string) {
  977. return preg_replace('%\\\\"%', '"', $string);
  978. }
  979. /**
  980. * Goes through an array and changes the keys to all lower case.
  981. *
  982. * @since 1.0.0
  983. *
  984. * @param array $inarray Unfiltered array
  985. * @return array Fixed array with all lowercase keys
  986. */
  987. function wp_kses_array_lc($inarray) {
  988. $outarray = array ();
  989. foreach ( (array) $inarray as $inkey => $inval) {
  990. $outkey = strtolower($inkey);
  991. $outarray[$outkey] = array ();
  992. foreach ( (array) $inval as $inkey2 => $inval2) {
  993. $outkey2 = strtolower($inkey2);
  994. $outarray[$outkey][$outkey2] = $inval2;
  995. } # foreach $inval
  996. } # foreach $inarray
  997. return $outarray;
  998. }
  999. /**
  1000. * Removes the HTML JavaScript entities found in early versions of Netscape 4.
  1001. *
  1002. * @since 1.0.0
  1003. *
  1004. * @param string $string
  1005. * @return string
  1006. */
  1007. function wp_kses_js_entities($string) {
  1008. return preg_replace('%&\s*\{[^}]*(\}\s*;?|$)%', '', $string);
  1009. }
  1010. /**
  1011. * Handles parsing errors in wp_kses_hair().
  1012. *
  1013. * The general plan is to remove everything to and including some whitespace,
  1014. * but it deals with quotes and apostrophes as well.
  1015. *
  1016. * @since 1.0.0
  1017. *
  1018. * @param string $string
  1019. * @return string
  1020. */
  1021. function wp_kses_html_error($string) {
  1022. return preg_replace('/^("[^"]*("|$)|\'[^\']*(\'|$)|\S)*\s*/', '', $string);
  1023. }
  1024. /**
  1025. * Sanitizes content from bad protocols and other characters.
  1026. *
  1027. * This function searches for URL protocols at the beginning of $string, while
  1028. * handling whitespace and HTML entities.
  1029. *
  1030. * @since 1.0.0
  1031. *
  1032. * @param string $string Content to check for bad protocols
  1033. * @param string $allowed_protocols Allowed protocols
  1034. * @return string Sanitized content
  1035. */
  1036. function wp_kses_bad_protocol_once($string, $allowed_protocols, $count = 1 ) {
  1037. $string2 = preg_split( '/:|&#0*58;|&#x0*3a;/i', $string, 2 );
  1038. if ( isset($string2[1]) && ! preg_match('%/\?%', $string2[0]) ) {
  1039. $string = trim( $string2[1] );
  1040. $protocol = wp_kses_bad_protocol_once2( $string2[0], $allowed_protocols );
  1041. if ( 'feed:' == $protocol ) {
  1042. if ( $count > 2 )
  1043. return '';
  1044. $string = wp_kses_bad_protocol_once( $string, $allowed_protocols, ++$count );
  1045. if ( empty( $string ) )
  1046. return $string;
  1047. }
  1048. $string = $protocol . $string;
  1049. }
  1050. return $string;
  1051. }
  1052. /**
  1053. * Callback for wp_kses_bad_protocol_once() regular expression.
  1054. *
  1055. * This function processes URL protocols, checks to see if they're in the
  1056. * whitelist or not, and returns different data depending on the answer.
  1057. *
  1058. * @access private
  1059. * @since 1.0.0
  1060. *
  1061. * @param string $string URI scheme to check against the whitelist
  1062. * @param string $allowed_protocols Allowed protocols
  1063. * @return string Sanitized content
  1064. */
  1065. function wp_kses_bad_protocol_once2( $string, $allowed_protocols ) {
  1066. $string2 = wp_kses_decode_entities($string);
  1067. $string2 = preg_replace('/\s/', '', $string2);
  1068. $string2 = wp_kses_no_null($string2);
  1069. $string2 = strtolower($string2);
  1070. $allowed = false;
  1071. foreach ( (array) $allowed_protocols as $one_protocol )
  1072. if ( strtolower($one_protocol) == $string2 ) {
  1073. $allowed = true;
  1074. break;
  1075. }
  1076. if ($allowed)
  1077. return "$string2:";
  1078. else
  1079. return '';
  1080. }
  1081. /**
  1082. * Converts and fixes HTML entities.
  1083. *
  1084. * This function normalizes HTML entities. It will convert `AT&T` to the correct
  1085. * `AT&amp;T`, `&#00058;` to `&#58;`, `&#XYZZY;` to `&amp;#XYZZY;` and so on.
  1086. *
  1087. * @since 1.0.0
  1088. *
  1089. * @param string $string Content to normalize entities
  1090. * @return string Content with normalized entities
  1091. */
  1092. function wp_kses_normalize_entities($string) {
  1093. # Disarm all entities by converting & to &amp;
  1094. $string = str_replace('&', '&amp;', $string);
  1095. # Change back the allowed entities in our entity whitelist
  1096. $string = preg_replace_callback('/&amp;([A-Za-z]{2,8}[0-9]{0,2});/', 'wp_kses_named_entities', $string);
  1097. $string = preg_replace_callback('/&amp;#(0*[0-9]{1,7});/', 'wp_kses_normalize_entities2', $string);
  1098. $string = preg_replace_callback('/&amp;#[Xx](0*[0-9A-Fa-f]{1,6});/', 'wp_kses_normalize_entities3', $string);
  1099. return $string;
  1100. }
  1101. /**
  1102. * Callback for wp_kses_normalize_entities() regular expression.
  1103. *
  1104. * This function only accepts valid named entity references, which are finite,
  1105. * case-sensitive, and highly scrutinized by HTML and XML validators.
  1106. *
  1107. * @since 3.0.0
  1108. *
  1109. * @param array $matches preg_replace_callback() matches array
  1110. * @return string Correctly encoded entity
  1111. */
  1112. function wp_kses_named_entities($matches) {
  1113. global $allowedentitynames;
  1114. if ( empty($matches[1]) )
  1115. return '';
  1116. $i = $matches[1];
  1117. return ( ( ! in_array($i, $allowedentitynames) ) ? "&amp;$i;" : "&$i;" );
  1118. }
  1119. /**
  1120. * Callback for wp_kses_normalize_entities() regular expression.
  1121. *
  1122. * This function helps {@see wp_kses_normalize_entities()} to only accept 16-bit
  1123. * values and nothing more for `&#number;` entities.
  1124. *
  1125. * @access private
  1126. * @since 1.0.0
  1127. *
  1128. * @param array $matches preg_replace_callback() matches array
  1129. * @return string Correctly encoded entity
  1130. */
  1131. function wp_kses_normalize_entities2($matches) {
  1132. if ( empty($matches[1]) )
  1133. return '';
  1134. $i = $matches[1];
  1135. if (valid_unicode($i)) {
  1136. $i = str_pad(ltrim($i,'0'), 3, '0', STR_PAD_LEFT);
  1137. $i = "&#$i;";
  1138. } else {
  1139. $i = "&amp;#$i;";
  1140. }
  1141. return $i;
  1142. }
  1143. /**
  1144. * Callback for wp_kses_normalize_entities() for regular expression.
  1145. *
  1146. * This function helps wp_kses_normalize_entities() to only accept valid Unicode
  1147. * numeric entities in hex form.
  1148. *
  1149. * @access private
  1150. *
  1151. * @param array $matches preg_replace_callback() matches array
  1152. * @return string Correctly encoded entity
  1153. */
  1154. function wp_kses_normalize_entities3($matches) {
  1155. if ( empty($matches[1]) )
  1156. return '';
  1157. $hexchars = $matches[1];
  1158. return ( ( ! valid_unicode(hexdec($hexchars)) ) ? "&amp;#x$hexchars;" : '&#x'.ltrim($hexchars,'0').';' );
  1159. }
  1160. /**
  1161. * Helper function to determine if a Unicode value is valid.
  1162. *
  1163. * @param int $i Unicode value
  1164. * @return bool True if the value was a valid Unicode number
  1165. */
  1166. function valid_unicode($i) {
  1167. return ( $i == 0x9 || $i == 0xa || $i == 0xd ||
  1168. ($i >= 0x20 && $i <= 0xd7ff) ||
  1169. ($i >= 0xe000 && $i <= 0xfffd) ||
  1170. ($i >= 0x10000 && $i <= 0x10ffff) );
  1171. }
  1172. /**
  1173. * Convert all entities to their character counterparts.
  1174. *
  1175. * This function decodes numeric HTML entities (`&#65;` and `&#x41;`).
  1176. * It doesn't do anything with other entities like &auml;, but we don't
  1177. * need them in the URL protocol whitelisting system anyway.
  1178. *
  1179. * @since 1.0.0
  1180. *
  1181. * @param string $string Content to change entities
  1182. * @return string Content after decoded entities
  1183. */
  1184. function wp_kses_decode_entities($string) {
  1185. $string = preg_replace_callback('/&#([0-9]+);/', '_wp_kses_decode_entities_chr', $string);
  1186. $string = preg_replace_callback('/&#[Xx]([0-9A-Fa-f]+);/', '_wp_kses_decode_entities_chr_hexdec', $string);
  1187. return $string;
  1188. }
  1189. /**
  1190. * Regex callback for wp_kses_decode_entities()
  1191. *
  1192. * @param array $match preg match
  1193. * @return string
  1194. */
  1195. function _wp_kses_decode_entities_chr( $match ) {
  1196. return chr( $match[1] );
  1197. }
  1198. /**
  1199. * Regex callback for wp_kses_decode_entities()
  1200. *
  1201. * @param array $match preg match
  1202. * @return string
  1203. */
  1204. function _wp_kses_decode_entities_chr_hexdec( $match ) {
  1205. return chr( hexdec( $match[1] ) );
  1206. }
  1207. /**
  1208. * Sanitize content with allowed HTML Kses rules.
  1209. *
  1210. * @since 1.0.0
  1211. *
  1212. * @param string $data Content to filter, expected to be escaped with slashes
  1213. * @return string Filtered content
  1214. */
  1215. function wp_filter_kses( $data ) {
  1216. return addslashes( wp_kses( stripslashes( $data ), current_filter() ) );
  1217. }
  1218. /**
  1219. * Sanitize content with allowed HTML Kses rules.
  1220. *
  1221. * @since 2.9.0
  1222. *
  1223. * @param string $data Content to filter, expected to not be escaped
  1224. * @return string Filtered content
  1225. */
  1226. function wp_kses_data( $data ) {
  1227. return wp_kses( $data , current_filter() );
  1228. }
  1229. /**
  1230. * Sanitize content for allowed HTML tags for post content.
  1231. *
  1232. * Post content refers to the page contents of the 'post' type and not $_POST
  1233. * data from forms.
  1234. *
  1235. * @since 2.0.0
  1236. *
  1237. * @param string $data Post content to filter, expected to be escaped with slashes
  1238. * @return string Filtered post content with allowed HTML tags and attributes intact.
  1239. */
  1240. function wp_filter_post_kses($data) {
  1241. return addslashes ( wp_kses( stripslashes( $data ), 'post' ) );
  1242. }
  1243. /**
  1244. * Sanitize content for allowed HTML tags for post content.
  1245. *
  1246. * Post content refers to the page contents of the 'post' type and not $_POST
  1247. * data from forms.
  1248. *
  1249. * @since 2.9.0
  1250. *
  1251. * @param string $data Post content to filter
  1252. * @return string Filtered post content with allowed HTML tags and attributes intact.
  1253. */
  1254. function wp_kses_post($data) {
  1255. return wp_kses( $data , 'post' );
  1256. }
  1257. /**
  1258. * Strips all of the HTML in the content.
  1259. *
  1260. * @since 2.1.0
  1261. *
  1262. * @param string $data Content to strip all HTML from
  1263. * @return string Filtered content without any HTML
  1264. */
  1265. function wp_filter_nohtml_kses( $data ) {
  1266. return addslashes ( wp_kses( stripslashes( $data ), 'strip' ) );
  1267. }
  1268. /**
  1269. * Adds all Kses input form content filters.
  1270. *
  1271. * All hooks have default priority. The wp_filter_kses() function is added to
  1272. * the 'pre_comment_content' and 'title_save_pre' hooks.
  1273. *
  1274. * The wp_filter_post_kses() function is added to the 'content_save_pre',
  1275. * 'excerpt_save_pre', and 'content_filtered_save_pre' hooks.
  1276. *
  1277. * @since 2.0.0
  1278. */
  1279. function kses_init_filters() {
  1280. // Normal filtering
  1281. add_filter('title_save_pre', 'wp_filter_kses');
  1282. // Comment filtering
  1283. if ( current_user_can( 'unfiltered_html' ) )
  1284. add_filter( 'pre_comment_content', 'wp_filter_post_kses' );
  1285. else
  1286. add_filter( 'pre_comment_content', 'wp_filter_kses' );
  1287. // Post filtering
  1288. add_filter('content_save_pre', 'wp_filter_post_kses');
  1289. add_filter('excerpt_save_pre', 'wp_filter_post_kses');
  1290. add_filter('content_filtered_save_pre', 'wp_filter_post_kses');
  1291. }
  1292. /**
  1293. * Removes all Kses input form content filters.
  1294. *
  1295. * A quick procedural method to removing all of the filters that kses uses for
  1296. * content in WordPress Loop.
  1297. *
  1298. * Does not remove the kses_init() function from 'init' hook (priority is
  1299. * default). Also does not remove kses_init() function from 'set_current_user'
  1300. * hook (priority is also default).
  1301. *
  1302. * @since 2.0.6
  1303. */
  1304. function kses_remove_filters() {
  1305. // Normal filtering
  1306. remove_filter('title_save_pre', 'wp_filter_kses');
  1307. // Comment filtering
  1308. remove_filter( 'pre_comment_content', 'wp_filter_post_kses' );
  1309. remove_filter( 'pre_comment_content', 'wp_filter_kses' );
  1310. // Post filtering
  1311. remove_filter('content_save_pre', 'wp_filter_post_kses');
  1312. remove_filter('excerpt_save_pre', 'wp_filter_post_kses');
  1313. remove_filter('content_filtered_save_pre', 'wp_filter_post_kses');
  1314. }
  1315. /**
  1316. * Sets up most of the Kses filters for input form content.
  1317. *
  1318. * If you remove the kses_init() function from 'init' hook and
  1319. * 'set_current_user' (priority is default), then none of the Kses filter hooks
  1320. * will be added.
  1321. *
  1322. * First removes all of the Kses filters in case the current user does not need
  1323. * to have Kses filter the content. If the user does not have unfiltered_html
  1324. * capability, then Kses filters are added.
  1325. *
  1326. * @since 2.0.0
  1327. */
  1328. function kses_init() {
  1329. kses_remove_filters();
  1330. if (current_user_can('unfiltered_html') == false)
  1331. kses_init_filters();
  1332. }
  1333. add_action('init', 'kses_init');
  1334. add_action('set_current_user', 'kses_init');
  1335. /**
  1336. * Inline CSS filter
  1337. *
  1338. * @since 2.8.1
  1339. */
  1340. function safecss_filter_attr( $css, $deprecated = '' ) {
  1341. if ( !empty( $deprecated ) )
  1342. _deprecated_argument( __FUNCTION__, '2.8.1' ); // Never implemented
  1343. $css = wp_kses_no_null($css);
  1344. $css = str_replace(array("\n","\r","\t"), '', $css);
  1345. if ( preg_match( '%[\\\\(&=}]|/\*%', $css ) ) // remove any inline css containing \ ( & } = or comments
  1346. return '';
  1347. $css_array = explode( ';', trim( $css ) );
  1348. /**
  1349. * Filter list of allowed CSS attributes.
  1350. *
  1351. * @since 2.8.1
  1352. *
  1353. * @param array $attr List of allowed CSS attributes.
  1354. */
  1355. $allowed_attr = apply_filters( 'safe_style_css', array( 'text-align', 'margin', 'color', 'float',
  1356. 'border', 'background', 'background-color', 'border-bottom', 'border-bottom-color',
  1357. 'border-bottom-style', 'border-bottom-width', 'border-collapse', 'border-color', 'border-left',
  1358. 'border-left-color', 'border-left-style', 'border-left-width', 'border-right', 'border-right-color',
  1359. 'border-right-style', 'border-right-width', 'border-spacing', 'border-style', 'border-top',
  1360. 'border-top-color', 'border-top-style', 'border-top-width', 'border-width', 'caption-side',
  1361. 'clear', 'cursor', 'direction', 'font', 'font-family', 'font-size', 'font-style',
  1362. 'font-variant', 'font-weight', 'height', 'letter-spacing', 'line-height', 'margin-bottom',
  1363. 'margin-left', 'margin-right', 'margin-top', 'overflow', 'padding', 'padding-bottom',
  1364. 'padding-left', 'padding-right', 'padding-top', 'text-decoration', 'text-indent', 'vertical-align',
  1365. 'width' ) );
  1366. if ( empty($allowed_attr) )
  1367. return $css;
  1368. $css = '';
  1369. foreach ( $css_array as $css_item ) {
  1370. if ( $css_item == '' )
  1371. continue;
  1372. $css_item = trim( $css_item );
  1373. $found = false;
  1374. if ( strpos( $css_item, ':' ) === false ) {
  1375. $found = true;
  1376. } else {
  1377. $parts = explode( ':', $css_item );
  1378. if ( in_array( trim( $parts[0] ), $allowed_attr ) )
  1379. $found = true;
  1380. }
  1381. if ( $found ) {
  1382. if( $css != '' )
  1383. $css .= ';';
  1384. $css .= $css_item;
  1385. }
  1386. }
  1387. return $css;
  1388. }
  1389. /**
  1390. * Helper function to add global attributes to a tag in the allowed html list.
  1391. *
  1392. * @since 3.5.0
  1393. * @access private
  1394. *
  1395. * @param array $value An array of attributes.
  1396. * @return array The array of attributes with global attributes added.
  1397. */
  1398. function _wp_add_global_attributes( $value ) {
  1399. $global_attributes = array(
  1400. 'class' => true,
  1401. 'id' => true,
  1402. 'style' => true,
  1403. 'title' => true,
  1404. 'role' => true,
  1405. );
  1406. if ( true === $value )
  1407. $value = array();
  1408. if ( is_array( $value ) )
  1409. return array_merge( $value, $global_attributes );
  1410. return $value;
  1411. }