PageRenderTime 64ms CodeModel.GetById 18ms RepoModel.GetById 0ms app.codeStats 0ms

/wp-includes/kses.php

https://bitbucket.org/Thane2376/death-edge.ru
PHP | 1518 lines | 918 code | 115 blank | 485 comment | 89 complexity | da712144d6ca94966c0e057af581e42a MD5 | raw file
Possible License(s): LGPL-2.1, GPL-2.0, LGPL-3.0, AGPL-1.0 
    

  1. <?php

    2. 

  2. /**

    3. 

  3.  * kses 0.2.2 - HTML/XHTML filter that only allows some elements and attributes

    4. 

  4.  * Copyright (C) 2002, 2003, 2005  Ulf Harnhammar

    5. 

  5.  *

    6. 

  6.  * This program is free software and open source software; you can redistribute

    7. 

  7.  * it and/or modify it under the terms of the GNU General Public License as

    8. 

  8.  * published by the Free Software Foundation; either version 2 of the License,

    9. 

  9.  * or (at your option) any later version.

    10. 

  10.  *

    11. 

  11.  * This program is distributed in the hope that it will be useful, but WITHOUT

    12. 

  12.  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

    13. 

  13.  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for

    14. 

  14.  * more details.

    15. 

  15.  *

    16. 

  16.  * You should have received a copy of the GNU General Public License along

    17. 

  17.  * with this program; if not, write to the Free Software Foundation, Inc.,

    18. 

  18.  * 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA

    19. 

  19.  * http://www.gnu.org/licenses/gpl.html

    20. 

  20.  *

    21. 

  21.  * [kses strips evil scripts!]

    22. 

  22.  *

    23. 

  23.  * Added wp_ prefix to avoid conflicts with existing kses users

    24. 

  24.  *

    25. 

  25.  * @version 0.2.2

    26. 

  26.  * @copyright (C) 2002, 2003, 2005

    27. 

  27.  * @author Ulf Harnhammar <http://advogato.org/person/metaur/>

    28. 

  28.  *

    29. 

  29.  * @package External

    30. 

  30.  * @subpackage KSES

    31. 

  31.  *

    32. 

  32.  */

    33. 

  33. 

    34. 

  34. /**

    35. 

  35.  * You can override this in a plugin.

    36. 

  36.  *

    37. 

  37.  * The wp_kses_allowed_html filter is more powerful and supplies context.

    38. 

  38.  * CUSTOM_TAGS is not recommended and should be considered deprecated.

    39. 

  39.  *

    40. 

  40.  * @see wp_kses_allowed_html()

    41. 

  41.  *

    42. 

  42.  * @since 1.2.0

    43. 

  43.  */

    44. 

  44. if ( ! defined( 'CUSTOM_TAGS' ) )

    45. 

  45. 	define( 'CUSTOM_TAGS', false );

    46. 

  46. 

    47. 

  47. // Ensure that these variables are added to the global namespace

    48. 

  48. // (e.g. if using namespaces / autoload in the current PHP environment).

    49. 

  49. global $allowedposttags, $allowedtags, $allowedentitynames;

    50. 

  50. 

    51. 

  51. if ( ! CUSTOM_TAGS ) {

    52. 

  52. 	/**

    53. 

  53. 	 * Kses global for default allowable HTML tags.

    54. 

  54. 	 *

    55. 

  55. 	 * Can be override by using CUSTOM_TAGS constant.

    56. 

  56. 	 *

    57. 

  57. 	 * @global array $allowedposttags

    58. 

  58. 	 * @since 2.0.0

    59. 

  59. 	 */

    60. 

  60. 	$allowedposttags = array(

    61. 

  61. 		'address' => array(),

    62. 

  62. 		'a' => array(

    63. 

  63. 			'href' => true,

    64. 

  64. 			'rel' => true,

    65. 

  65. 			'rev' => true,

    66. 

  66. 			'name' => true,

    67. 

  67. 			'target' => true,

    68. 

  68. 		),

    69. 

  69. 		'abbr' => array(),

    70. 

  70. 		'acronym' => array(),

    71. 

  71. 		'area' => array(

    72. 

  72. 			'alt' => true,

    73. 

  73. 			'coords' => true,

    74. 

  74. 			'href' => true,

    75. 

  75. 			'nohref' => true,

    76. 

  76. 			'shape' => true,

    77. 

  77. 			'target' => true,

    78. 

  78. 		),

    79. 

  79. 		'article' => array(

    80. 

  80. 			'align' => true,

    81. 

  81. 			'dir' => true,

    82. 

  82. 			'lang' => true,

    83. 

  83. 			'xml:lang' => true,

    84. 

  84. 		),

    85. 

  85. 		'aside' => array(

    86. 

  86. 			'align' => true,

    87. 

  87. 			'dir' => true,

    88. 

  88. 			'lang' => true,

    89. 

  89. 			'xml:lang' => true,

    90. 

  90. 		),

    91. 

  91. 		'b' => array(),

    92. 

  92. 		'big' => array(),

    93. 

  93. 		'blockquote' => array(

    94. 

  94. 			'cite' => true,

    95. 

  95. 			'lang' => true,

    96. 

  96. 			'xml:lang' => true,

    97. 

  97. 		),

    98. 

  98. 		'br' => array(),

    99. 

  99. 		'button' => array(

    100. 

  100. 			'disabled' => true,

    101. 

  101. 			'name' => true,

    102. 

  102. 			'type' => true,

    103. 

  103. 			'value' => true,

    104. 

  104. 		),

    105. 

  105. 		'caption' => array(

    106. 

  106. 			'align' => true,

    107. 

  107. 		),

    108. 

  108. 		'cite' => array(

    109. 

  109. 			'dir' => true,

    110. 

  110. 			'lang' => true,

    111. 

  111. 		),

    112. 

  112. 		'code' => array(),

    113. 

  113. 		'col' => array(

    114. 

  114. 			'align' => true,

    115. 

  115. 			'char' => true,

    116. 

  116. 			'charoff' => true,

    117. 

  117. 			'span' => true,

    118. 

  118. 			'dir' => true,

    119. 

  119. 			'valign' => true,

    120. 

  120. 			'width' => true,

    121. 

  121. 		),

    122. 

  122. 		'del' => array(

    123. 

  123. 			'datetime' => true,

    124. 

  124. 		),

    125. 

  125. 		'dd' => array(),

    126. 

  126. 		'dfn' => array(),

    127. 

  127. 		'details' => array(

    128. 

  128. 			'align' => true,

    129. 

  129. 			'dir' => true,

    130. 

  130. 			'lang' => true,

    131. 

  131. 			'open' => true,

    132. 

  132. 			'xml:lang' => true,

    133. 

  133. 		),

    134. 

  134. 		'div' => array(

    135. 

  135. 			'align' => true,

    136. 

  136. 			'dir' => true,

    137. 

  137. 			'lang' => true,

    138. 

  138. 			'xml:lang' => true,

    139. 

  139. 		),

    140. 

  140. 		'dl' => array(),

    141. 

  141. 		'dt' => array(),

    142. 

  142. 		'em' => array(),

    143. 

  143. 		'fieldset' => array(),

    144. 

  144. 		'figure' => array(

    145. 

  145. 			'align' => true,

    146. 

  146. 			'dir' => true,

    147. 

  147. 			'lang' => true,

    148. 

  148. 			'xml:lang' => true,

    149. 

  149. 		),

    150. 

  150. 		'figcaption' => array(

    151. 

  151. 			'align' => true,

    152. 

  152. 			'dir' => true,

    153. 

  153. 			'lang' => true,

    154. 

  154. 			'xml:lang' => true,

    155. 

  155. 		),

    156. 

  156. 		'font' => array(

    157. 

  157. 			'color' => true,

    158. 

  158. 			'face' => true,

    159. 

  159. 			'size' => true,

    160. 

  160. 		),

    161. 

  161. 		'footer' => array(

    162. 

  162. 			'align' => true,

    163. 

  163. 			'dir' => true,

    164. 

  164. 			'lang' => true,

    165. 

  165. 			'xml:lang' => true,

    166. 

  166. 		),

    167. 

  167. 		'form' => array(

    168. 

  168. 			'action' => true,

    169. 

  169. 			'accept' => true,

    170. 

  170. 			'accept-charset' => true,

    171. 

  171. 			'enctype' => true,

    172. 

  172. 			'method' => true,

    173. 

  173. 			'name' => true,

    174. 

  174. 			'target' => true,

    175. 

  175. 		),

    176. 

  176. 		'h1' => array(

    177. 

  177. 			'align' => true,

    178. 

  178. 		),

    179. 

  179. 		'h2' => array(

    180. 

  180. 			'align' => true,

    181. 

  181. 		),

    182. 

  182. 		'h3' => array(

    183. 

  183. 			'align' => true,

    184. 

  184. 		),

    185. 

  185. 		'h4' => array(

    186. 

  186. 			'align' => true,

    187. 

  187. 		),

    188. 

  188. 		'h5' => array(

    189. 

  189. 			'align' => true,

    190. 

  190. 		),

    191. 

  191. 		'h6' => array(

    192. 

  192. 			'align' => true,

    193. 

  193. 		),

    194. 

  194. 		'header' => array(

    195. 

  195. 			'align' => true,

    196. 

  196. 			'dir' => true,

    197. 

  197. 			'lang' => true,

    198. 

  198. 			'xml:lang' => true,

    199. 

  199. 		),

    200. 

  200. 		'hgroup' => array(

    201. 

  201. 			'align' => true,

    202. 

  202. 			'dir' => true,

    203. 

  203. 			'lang' => true,

    204. 

  204. 			'xml:lang' => true,

    205. 

  205. 		),

    206. 

  206. 		'hr' => array(

    207. 

  207. 			'align' => true,

    208. 

  208. 			'noshade' => true,

    209. 

  209. 			'size' => true,

    210. 

  210. 			'width' => true,

    211. 

  211. 		),

    212. 

  212. 		'i' => array(),

    213. 

  213. 		'img' => array(

    214. 

  214. 			'alt' => true,

    215. 

  215. 			'align' => true,

    216. 

  216. 			'border' => true,

    217. 

  217. 			'height' => true,

    218. 

  218. 			'hspace' => true,

    219. 

  219. 			'longdesc' => true,

    220. 

  220. 			'vspace' => true,

    221. 

  221. 			'src' => true,

    222. 

  222. 			'usemap' => true,

    223. 

  223. 			'width' => true,

    224. 

  224. 		),

    225. 

  225. 		'ins' => array(

    226. 

  226. 			'datetime' => true,

    227. 

  227. 			'cite' => true,

    228. 

  228. 		),

    229. 

  229. 		'kbd' => array(),

    230. 

  230. 		'label' => array(

    231. 

  231. 			'for' => true,

    232. 

  232. 		),

    233. 

  233. 		'legend' => array(

    234. 

  234. 			'align' => true,

    235. 

  235. 		),

    236. 

  236. 		'li' => array(

    237. 

  237. 			'align' => true,

    238. 

  238. 			'value' => true,

    239. 

  239. 		),

    240. 

  240. 		'map' => array(

    241. 

  241. 			'name' => true,

    242. 

  242. 		),

    243. 

  243. 		'mark' => array(),

    244. 

  244. 		'menu' => array(

    245. 

  245. 			'type' => true,

    246. 

  246. 		),

    247. 

  247. 		'nav' => array(

    248. 

  248. 			'align' => true,

    249. 

  249. 			'dir' => true,

    250. 

  250. 			'lang' => true,

    251. 

  251. 			'xml:lang' => true,

    252. 

  252. 		),

    253. 

  253. 		'p' => array(

    254. 

  254. 			'align' => true,

    255. 

  255. 			'dir' => true,

    256. 

  256. 			'lang' => true,

    257. 

  257. 			'xml:lang' => true,

    258. 

  258. 		),

    259. 

  259. 		'pre' => array(

    260. 

  260. 			'width' => true,

    261. 

  261. 		),

    262. 

  262. 		'q' => array(

    263. 

  263. 			'cite' => true,

    264. 

  264. 		),

    265. 

  265. 		's' => array(),

    266. 

  266. 		'samp' => array(),

    267. 

  267. 		'span' => array(

    268. 

  268. 			'dir' => true,

    269. 

  269. 			'align' => true,

    270. 

  270. 			'lang' => true,

    271. 

  271. 			'xml:lang' => true,

    272. 

  272. 		),

    273. 

  273. 		'section' => array(

    274. 

  274. 			'align' => true,

    275. 

  275. 			'dir' => true,

    276. 

  276. 			'lang' => true,

    277. 

  277. 			'xml:lang' => true,

    278. 

  278. 		),

    279. 

  279. 		'small' => array(),

    280. 

  280. 		'strike' => array(),

    281. 

  281. 		'strong' => array(),

    282. 

  282. 		'sub' => array(),

    283. 

  283. 		'summary' => array(

    284. 

  284. 			'align' => true,

    285. 

  285. 			'dir' => true,

    286. 

  286. 			'lang' => true,

    287. 

  287. 			'xml:lang' => true,

    288. 

  288. 		),

    289. 

  289. 		'sup' => array(),

    290. 

  290. 		'table' => array(

    291. 

  291. 			'align' => true,

    292. 

  292. 			'bgcolor' => true,

    293. 

  293. 			'border' => true,

    294. 

  294. 			'cellpadding' => true,

    295. 

  295. 			'cellspacing' => true,

    296. 

  296. 			'dir' => true,

    297. 

  297. 			'rules' => true,

    298. 

  298. 			'summary' => true,

    299. 

  299. 			'width' => true,

    300. 

  300. 		),

    301. 

  301. 		'tbody' => array(

    302. 

  302. 			'align' => true,

    303. 

  303. 			'char' => true,

    304. 

  304. 			'charoff' => true,

    305. 

  305. 			'valign' => true,

    306. 

  306. 		),

    307. 

  307. 		'td' => array(

    308. 

  308. 			'abbr' => true,

    309. 

  309. 			'align' => true,

    310. 

  310. 			'axis' => true,

    311. 

  311. 			'bgcolor' => true,

    312. 

  312. 			'char' => true,

    313. 

  313. 			'charoff' => true,

    314. 

  314. 			'colspan' => true,

    315. 

  315. 			'dir' => true,

    316. 

  316. 			'headers' => true,

    317. 

  317. 			'height' => true,

    318. 

  318. 			'nowrap' => true,

    319. 

  319. 			'rowspan' => true,

    320. 

  320. 			'scope' => true,

    321. 

  321. 			'valign' => true,

    322. 

  322. 			'width' => true,

    323. 

  323. 		),

    324. 

  324. 		'textarea' => array(

    325. 

  325. 			'cols' => true,

    326. 

  326. 			'rows' => true,

    327. 

  327. 			'disabled' => true,

    328. 

  328. 			'name' => true,

    329. 

  329. 			'readonly' => true,

    330. 

  330. 		),

    331. 

  331. 		'tfoot' => array(

    332. 

  332. 			'align' => true,

    333. 

  333. 			'char' => true,

    334. 

  334. 			'charoff' => true,

    335. 

  335. 			'valign' => true,

    336. 

  336. 		),

    337. 

  337. 		'th' => array(

    338. 

  338. 			'abbr' => true,

    339. 

  339. 			'align' => true,

    340. 

  340. 			'axis' => true,

    341. 

  341. 			'bgcolor' => true,

    342. 

  342. 			'char' => true,

    343. 

  343. 			'charoff' => true,

    344. 

  344. 			'colspan' => true,

    345. 

  345. 			'headers' => true,

    346. 

  346. 			'height' => true,

    347. 

  347. 			'nowrap' => true,

    348. 

  348. 			'rowspan' => true,

    349. 

  349. 			'scope' => true,

    350. 

  350. 			'valign' => true,

    351. 

  351. 			'width' => true,

    352. 

  352. 		),

    353. 

  353. 		'thead' => array(

    354. 

  354. 			'align' => true,

    355. 

  355. 			'char' => true,

    356. 

  356. 			'charoff' => true,

    357. 

  357. 			'valign' => true,

    358. 

  358. 		),

    359. 

  359. 		'title' => array(),

    360. 

  360. 		'tr' => array(

    361. 

  361. 			'align' => true,

    362. 

  362. 			'bgcolor' => true,

    363. 

  363. 			'char' => true,

    364. 

  364. 			'charoff' => true,

    365. 

  365. 			'valign' => true,

    366. 

  366. 		),

    367. 

  367. 		'tt' => array(),

    368. 

  368. 		'u' => array(),

    369. 

  369. 		'ul' => array(

    370. 

  370. 			'type' => true,

    371. 

  371. 		),

    372. 

  372. 		'ol' => array(

    373. 

  373. 			'start' => true,

    374. 

  374. 			'type' => true,

    375. 

  375. 		),

    376. 

  376. 		'var' => array(),

    377. 

  377. 	);

    378. 

  378. 

    379. 

  379. 	/**

    380. 

  380. 	 * Kses allowed HTML elements.

    381. 

  381. 	 *

    382. 

  382. 	 * @global array $allowedtags

    383. 

  383. 	 * @since 1.0.0

    384. 

  384. 	 */

    385. 

  385. 	$allowedtags = array(

    386. 

  386. 		'a' => array(

    387. 

  387. 			'href' => true,

    388. 

  388. 			'title' => true,

    389. 

  389. 		),

    390. 

  390. 		'abbr' => array(

    391. 

  391. 			'title' => true,

    392. 

  392. 		),

    393. 

  393. 		'acronym' => array(

    394. 

  394. 			'title' => true,

    395. 

  395. 		),

    396. 

  396. 		'b' => array(),

    397. 

  397. 		'blockquote' => array(

    398. 

  398. 			'cite' => true,

    399. 

  399. 		),

    400. 

  400. 		'cite' => array(),

    401. 

  401. 		'code' => array(),

    402. 

  402. 		'del' => array(

    403. 

  403. 			'datetime' => true,

    404. 

  404. 		),

    405. 

  405. 		'em' => array(),

    406. 

  406. 		'i' => array(),

    407. 

  407. 		'q' => array(

    408. 

  408. 			'cite' => true,

    409. 

  409. 		),

    410. 

  410. 		'strike' => array(),

    411. 

  411. 		'strong' => array(),

    412. 

  412. 	);

    413. 

  413. 

    414. 

  414. 	$allowedentitynames = array(

    415. 

  415. 		'nbsp',    'iexcl',  'cent',    'pound',  'curren', 'yen',

    416. 

  416. 		'brvbar',  'sect',   'uml',     'copy',   'ordf',   'laquo',

    417. 

  417. 		'not',     'shy',    'reg',     'macr',   'deg',    'plusmn',

    418. 

  418. 		'acute',   'micro',  'para',    'middot', 'cedil',  'ordm',

    419. 

  419. 		'raquo',   'iquest', 'Agrave',  'Aacute', 'Acirc',  'Atilde',

    420. 

  420. 		'Auml',    'Aring',  'AElig',   'Ccedil', 'Egrave', 'Eacute',

    421. 

  421. 		'Ecirc',   'Euml',   'Igrave',  'Iacute', 'Icirc',  'Iuml',

    422. 

  422. 		'ETH',     'Ntilde', 'Ograve',  'Oacute', 'Ocirc',  'Otilde',

    423. 

  423. 		'Ouml',    'times',  'Oslash',  'Ugrave', 'Uacute', 'Ucirc',

    424. 

  424. 		'Uuml',    'Yacute', 'THORN',   'szlig',  'agrave', 'aacute',

    425. 

  425. 		'acirc',   'atilde', 'auml',    'aring',  'aelig',  'ccedil',

    426. 

  426. 		'egrave',  'eacute', 'ecirc',   'euml',   'igrave', 'iacute',

    427. 

  427. 		'icirc',   'iuml',   'eth',     'ntilde', 'ograve', 'oacute',

    428. 

  428. 		'ocirc',   'otilde', 'ouml',    'divide', 'oslash', 'ugrave',

    429. 

  429. 		'uacute',  'ucirc',  'uuml',    'yacute', 'thorn',  'yuml',

    430. 

  430. 		'quot',    'amp',    'lt',      'gt',     'apos',   'OElig',

    431. 

  431. 		'oelig',   'Scaron', 'scaron',  'Yuml',   'circ',   'tilde',

    432. 

  432. 		'ensp',    'emsp',   'thinsp',  'zwnj',   'zwj',    'lrm',

    433. 

  433. 		'rlm',     'ndash',  'mdash',   'lsquo',  'rsquo',  'sbquo',

    434. 

  434. 		'ldquo',   'rdquo',  'bdquo',   'dagger', 'Dagger', 'permil',

    435. 

  435. 		'lsaquo',  'rsaquo', 'euro',    'fnof',   'Alpha',  'Beta',

    436. 

  436. 		'Gamma',   'Delta',  'Epsilon', 'Zeta',   'Eta',    'Theta',

    437. 

  437. 		'Iota',    'Kappa',  'Lambda',  'Mu',     'Nu',     'Xi',

    438. 

  438. 		'Omicron', 'Pi',     'Rho',     'Sigma',  'Tau',    'Upsilon',

    439. 

  439. 		'Phi',     'Chi',    'Psi',     'Omega',  'alpha',  'beta',

    440. 

  440. 		'gamma',   'delta',  'epsilon', 'zeta',   'eta',    'theta',

    441. 

  441. 		'iota',    'kappa',  'lambda',  'mu',     'nu',     'xi',

    442. 

  442. 		'omicron', 'pi',     'rho',     'sigmaf', 'sigma',  'tau',

    443. 

  443. 		'upsilon', 'phi',    'chi',     'psi',    'omega',  'thetasym',

    444. 

  444. 		'upsih',   'piv',    'bull',    'hellip', 'prime',  'Prime',

    445. 

  445. 		'oline',   'frasl',  'weierp',  'image',  'real',   'trade',

    446. 

  446. 		'alefsym', 'larr',   'uarr',    'rarr',   'darr',   'harr',

    447. 

  447. 		'crarr',   'lArr',   'uArr',    'rArr',   'dArr',   'hArr',

    448. 

  448. 		'forall',  'part',   'exist',   'empty',  'nabla',  'isin',

    449. 

  449. 		'notin',   'ni',     'prod',    'sum',    'minus',  'lowast',

    450. 

  450. 		'radic',   'prop',   'infin',   'ang',    'and',    'or',

    451. 

  451. 		'cap',     'cup',    'int',     'sim',    'cong',   'asymp',

    452. 

  452. 		'ne',      'equiv',  'le',      'ge',     'sub',    'sup',

    453. 

  453. 		'nsub',    'sube',   'supe',    'oplus',  'otimes', 'perp',

    454. 

  454. 		'sdot',    'lceil',  'rceil',   'lfloor', 'rfloor', 'lang',

    455. 

  455. 		'rang',    'loz',    'spades',  'clubs',  'hearts', 'diams',

    456. 

  456. 		'sup1',    'sup2',   'sup3',    'frac14', 'frac12', 'frac34',

    457. 

  457. 		'there4',

    458. 

  458. 	);

    459. 

  459. 

    460. 

  460. 	$allowedposttags = array_map( '_wp_add_global_attributes', $allowedposttags );

    461. 

  461. } else {

    462. 

  462. 	$allowedtags = wp_kses_array_lc( $allowedtags );

    463. 

  463. 	$allowedposttags = wp_kses_array_lc( $allowedposttags );

    464. 

  464. }

    465. 

  465. 

    466. 

  466. /**

    467. 

  467.  * Filters content and keeps only allowable HTML elements.

    468. 

  468.  *

    469. 

  469.  * This function makes sure that only the allowed HTML element names, attribute

    470. 

  470.  * names and attribute values plus only sane HTML entities will occur in

    471. 

  471.  * $string. You have to remove any slashes from PHP's magic quotes before you

    472. 

  472.  * call this function.

    473. 

  473.  *

    474. 

  474.  * The default allowed protocols are 'http', 'https', 'ftp', 'mailto', 'news',

    475. 

  475.  * 'irc', 'gopher', 'nntp', 'feed', 'telnet, 'mms', 'rtsp' and 'svn'. This

    476. 

  476.  * covers all common link protocols, except for 'javascript' which should not

    477. 

  477.  * be allowed for untrusted users.

    478. 

  478.  *

    479. 

  479.  * @since 1.0.0

    480. 

  480.  *

    481. 

  481.  * @param string $string Content to filter through kses

    482. 

  482.  * @param array $allowed_html List of allowed HTML elements

    483. 

  483.  * @param array $allowed_protocols Optional. Allowed protocol in links.

    484. 

  484.  * @return string Filtered content with only allowed HTML elements

    485. 

  485.  */

    486. 

  486. function wp_kses( $string, $allowed_html, $allowed_protocols = array() ) {

    487. 

  487. 	if ( empty( $allowed_protocols ) )

    488. 

  488. 		$allowed_protocols = wp_allowed_protocols();

    489. 

  489. 	$string = wp_kses_no_null($string);

    490. 

  490. 	$string = wp_kses_js_entities($string);

    491. 

  491. 	$string = wp_kses_normalize_entities($string);

    492. 

  492. 	$string = wp_kses_hook($string, $allowed_html, $allowed_protocols); // WP changed the order of these funcs and added args to wp_kses_hook

    493. 

  493. 	return wp_kses_split($string, $allowed_html, $allowed_protocols);

    494. 

  494. }

    495. 

  495. 

    496. 

  496. /**

    497. 

  497.  * Return a list of allowed tags and attributes for a given context.

    498. 

  498.  *

    499. 

  499.  * @since 3.5.0

    500. 

  500.  *

    501. 

  501.  * @param string $context The context for which to retrieve tags. Allowed values are

    502. 

  502.  *  post | strip | data | entities or the name of a field filter such as pre_user_description.

    503. 

  503.  * @return array List of allowed tags and their allowed attributes.

    504. 

  504.  */

    505. 

  505. function wp_kses_allowed_html( $context = '' ) {

    506. 

  506. 	global $allowedposttags, $allowedtags, $allowedentitynames;

    507. 

  507. 

    508. 

  508. 	if ( is_array( $context ) ) {

    509. 

  509. 		/**

    510. 

  510. 		 * Filter HTML elements allowed for a given context.

    511. 

  511. 		 *

    512. 

  512. 		 * @since 3.5.0

    513. 

  513. 		 *

    514. 

  514. 		 * @param string $tags    Allowed tags, attributes, and/or entities.

    515. 

  515. 		 * @param string $context Context to judge allowed tags by. Allowed values are 'post',

    516. 

  516. 		 *                        'data', 'strip', 'entities', 'explicit', or the name of a filter.

    517. 

  517. 		 */

    518. 

  518. 		return apply_filters( 'wp_kses_allowed_html', $context, 'explicit' );

    519. 

  519. 	}

    520. 

  520. 

    521. 

  521. 	switch ( $context ) {

    522. 

  522. 		case 'post':

    523. 

  523. 			/** This filter is documented in wp-includes/kses.php */

    524. 

  524. 			return apply_filters( 'wp_kses_allowed_html', $allowedposttags, $context );

    525. 

  525. 			break;

    526. 

  526. 		case 'user_description':

    527. 

  527. 		case 'pre_user_description':

    528. 

  528. 			$tags = $allowedtags;

    529. 

  529. 			$tags['a']['rel'] = true;

    530. 

  530. 			/** This filter is documented in wp-includes/kses.php */

    531. 

  531. 			return apply_filters( 'wp_kses_allowed_html', $tags, $context );

    532. 

  532. 			break;

    533. 

  533. 		case 'strip':

    534. 

  534. 			/** This filter is documented in wp-includes/kses.php */

    535. 

  535. 			return apply_filters( 'wp_kses_allowed_html', array(), $context );

    536. 

  536. 			break;

    537. 

  537. 		case 'entities':

    538. 

  538. 			/** This filter is documented in wp-includes/kses.php */

    539. 

  539. 			return apply_filters( 'wp_kses_allowed_html', $allowedentitynames, $context);

    540. 

  540. 			break;

    541. 

  541. 		case 'data':

    542. 

  542. 		default:

    543. 

  543. 			/** This filter is documented in wp-includes/kses.php */

    544. 

  544. 			return apply_filters( 'wp_kses_allowed_html', $allowedtags, $context );

    545. 

  545. 	}

    546. 

  546. }

    547. 

  547. 

    548. 

  548. /**

    549. 

  549.  * You add any kses hooks here.

    550. 

  550.  *

    551. 

  551.  * There is currently only one kses WordPress hook and it is called here. All

    552. 

  552.  * parameters are passed to the hooks and expected to receive a string.

    553. 

  553.  *

    554. 

  554.  * @since 1.0.0

    555. 

  555.  *

    556. 

  556.  * @param string $string Content to filter through kses

    557. 

  557.  * @param array $allowed_html List of allowed HTML elements

    558. 

  558.  * @param array $allowed_protocols Allowed protocol in links

    559. 

  559.  * @return string Filtered content through 'pre_kses' hook

    560. 

  560.  */

    561. 

  561. function wp_kses_hook( $string, $allowed_html, $allowed_protocols ) {

    562. 

  562. 	/**

    563. 

  563. 	 * Filter content to be run through kses.

    564. 

  564. 	 *

    565. 

  565. 	 * @since 2.3.0

    566. 

  566. 	 *

    567. 

  567. 	 * @param string $string            Content to run through kses.

    568. 

  568. 	 * @param array  $allowed_html      Allowed HTML elements.

    569. 

  569. 	 * @param array  $allowed_protocols Allowed protocol in links.

    570. 

  570. 	 */

    571. 

  571. 	$string = apply_filters( 'pre_kses', $string, $allowed_html, $allowed_protocols );

    572. 

  572. 	return $string;

    573. 

  573. }

    574. 

  574. 

    575. 

  575. /**

    576. 

  576.  * This function returns kses' version number.

    577. 

  577.  *

    578. 

  578.  * @since 1.0.0

    579. 

  579.  *

    580. 

  580.  * @return string KSES Version Number

    581. 

  581.  */

    582. 

  582. function wp_kses_version() {

    583. 

  583. 	return '0.2.2';

    584. 

  584. }

    585. 

  585. 

    586. 

  586. /**

    587. 

  587.  * Searches for HTML tags, no matter how malformed.

    588. 

  588.  *

    589. 

  589.  * It also matches stray ">" characters.

    590. 

  590.  *

    591. 

  591.  * @since 1.0.0

    592. 

  592.  *

    593. 

  593.  * @param string $string Content to filter

    594. 

  594.  * @param array $allowed_html Allowed HTML elements

    595. 

  595.  * @param array $allowed_protocols Allowed protocols to keep

    596. 

  596.  * @return string Content with fixed HTML tags

    597. 

  597.  */

    598. 

  598. function wp_kses_split( $string, $allowed_html, $allowed_protocols ) {

    599. 

  599. 	global $pass_allowed_html, $pass_allowed_protocols;

    600. 

  600. 	$pass_allowed_html = $allowed_html;

    601. 

  601. 	$pass_allowed_protocols = $allowed_protocols;

    602. 

  602. 	return preg_replace_callback( '%(<!--.*?(-->|$))|(<[^>]*(>|$)|>)%', '_wp_kses_split_callback', $string );

    603. 

  603. }

    604. 

  604. 

    605. 

  605. /**

    606. 

  606.  * Callback for wp_kses_split.

    607. 

  607.  *

    608. 

  608.  * @since 3.1.0

    609. 

  609.  * @access private

    610. 

  610.  */

    611. 

  611. function _wp_kses_split_callback( $match ) {

    612. 

  612. 	global $pass_allowed_html, $pass_allowed_protocols;

    613. 

  613. 	return wp_kses_split2( $match[0], $pass_allowed_html, $pass_allowed_protocols );

    614. 

  614. }

    615. 

  615. 

    616. 

  616. /**

    617. 

  617.  * Callback for wp_kses_split for fixing malformed HTML tags.

    618. 

  618.  *

    619. 

  619.  * This function does a lot of work. It rejects some very malformed things like

    620. 

  620.  * <:::>. It returns an empty string, if the element isn't allowed (look ma, no

    621. 

  621.  * strip_tags()!). Otherwise it splits the tag into an element and an attribute

    622. 

  622.  * list.

    623. 

  623.  *

    624. 

  624.  * After the tag is split into an element and an attribute list, it is run

    625. 

  625.  * through another filter which will remove illegal attributes and once that is

    626. 

  626.  * completed, will be returned.

    627. 

  627.  *

    628. 

  628.  * @access private

    629. 

  629.  * @since 1.0.0

    630. 

  630.  * @uses wp_kses_attr()

    631. 

  631.  *

    632. 

  632.  * @param string $string Content to filter

    633. 

  633.  * @param array $allowed_html Allowed HTML elements

    634. 

  634.  * @param array $allowed_protocols Allowed protocols to keep

    635. 

  635.  * @return string Fixed HTML element

    636. 

  636.  */

    637. 

  637. function wp_kses_split2($string, $allowed_html, $allowed_protocols) {

    638. 

  638. 	$string = wp_kses_stripslashes($string);

    639. 

  639. 

    640. 

  640. 	if (substr($string, 0, 1) != '<')

    641. 

  641. 		return '&gt;';

    642. 

  642. 	# It matched a ">" character

    643. 

  643. 

    644. 

  644. 	if ( '<!--' == substr( $string, 0, 4 ) ) {

    645. 

  645. 		$string = str_replace( array('<!--', '-->'), '', $string );

    646. 

  646. 		while ( $string != ($newstring = wp_kses($string, $allowed_html, $allowed_protocols)) )

    647. 

  647. 			$string = $newstring;

    648. 

  648. 		if ( $string == '' )

    649. 

  649. 			return '';

    650. 

  650. 		// prevent multiple dashes in comments

    651. 

  651. 		$string = preg_replace('/--+/', '-', $string);

    652. 

  652. 		// prevent three dashes closing a comment

    653. 

  653. 		$string = preg_replace('/-$/', '', $string);

    654. 

  654. 		return "<!--{$string}-->";

    655. 

  655. 	}

    656. 

  656. 	# Allow HTML comments

    657. 

  657. 

    658. 

  658. 	if (!preg_match('%^<\s*(/\s*)?([a-zA-Z0-9]+)([^>]*)>?$%', $string, $matches))

    659. 

  659. 		return '';

    660. 

  660. 	# It's seriously malformed

    661. 

  661. 

    662. 

  662. 	$slash = trim($matches[1]);

    663. 

  663. 	$elem = $matches[2];

    664. 

  664. 	$attrlist = $matches[3];

    665. 

  665. 

    666. 

  666. 	if ( ! is_array( $allowed_html ) )

    667. 

  667. 		$allowed_html = wp_kses_allowed_html( $allowed_html );

    668. 

  668. 

    669. 

  669. 	if ( ! isset($allowed_html[strtolower($elem)]) )

    670. 

  670. 		return '';

    671. 

  671. 	# They are using a not allowed HTML element

    672. 

  672. 

    673. 

  673. 	if ($slash != '')

    674. 

  674. 		return "</$elem>";

    675. 

  675. 	# No attributes are allowed for closing elements

    676. 

  676. 

    677. 

  677. 	return wp_kses_attr( $elem, $attrlist, $allowed_html, $allowed_protocols );

    678. 

  678. }

    679. 

  679. 

    680. 

  680. /**

    681. 

  681.  * Removes all attributes, if none are allowed for this element.

    682. 

  682.  *

    683. 

  683.  * If some are allowed it calls wp_kses_hair() to split them further, and then

    684. 

  684.  * it builds up new HTML code from the data that kses_hair() returns. It also

    685. 

  685.  * removes "<" and ">" characters, if there are any left. One more thing it does

    686. 

  686.  * is to check if the tag has a closing XHTML slash, and if it does, it puts one

    687. 

  687.  * in the returned code as well.

    688. 

  688.  *

    689. 

  689.  * @since 1.0.0

    690. 

  690.  *

    691. 

  691.  * @param string $element HTML element/tag

    692. 

  692.  * @param string $attr HTML attributes from HTML element to closing HTML element tag

    693. 

  693.  * @param array $allowed_html Allowed HTML elements

    694. 

  694.  * @param array $allowed_protocols Allowed protocols to keep

    695. 

  695.  * @return string Sanitized HTML element

    696. 

  696.  */

    697. 

  697. function wp_kses_attr($element, $attr, $allowed_html, $allowed_protocols) {

    698. 

  698. 	# Is there a closing XHTML slash at the end of the attributes?

    699. 

  699. 

    700. 

  700. 	if ( ! is_array( $allowed_html ) )

    701. 

  701. 		$allowed_html = wp_kses_allowed_html( $allowed_html );

    702. 

  702. 

    703. 

  703. 	$xhtml_slash = '';

    704. 

  704. 	if (preg_match('%\s*/\s*$%', $attr))

    705. 

  705. 		$xhtml_slash = ' /';

    706. 

  706. 

    707. 

  707. 	# Are any attributes allowed at all for this element?

    708. 

  708. 	if ( ! isset($allowed_html[strtolower($element)]) || count($allowed_html[strtolower($element)]) == 0 )

    709. 

  709. 		return "<$element$xhtml_slash>";

    710. 

  710. 

    711. 

  711. 	# Split it

    712. 

  712. 	$attrarr = wp_kses_hair($attr, $allowed_protocols);

    713. 

  713. 

    714. 

  714. 	# Go through $attrarr, and save the allowed attributes for this element

    715. 

  715. 	# in $attr2

    716. 

  716. 	$attr2 = '';

    717. 

  717. 

    718. 

  718. 	$allowed_attr = $allowed_html[strtolower($element)];

    719. 

  719. 	foreach ($attrarr as $arreach) {

    720. 

  720. 		if ( ! isset( $allowed_attr[strtolower($arreach['name'])] ) )

    721. 

  721. 			continue; # the attribute is not allowed

    722. 

  722. 

    723. 

  723. 		$current = $allowed_attr[strtolower($arreach['name'])];

    724. 

  724. 		if ( $current == '' )

    725. 

  725. 			continue; # the attribute is not allowed

    726. 

  726. 

    727. 

  727. 		if ( strtolower( $arreach['name'] ) == 'style' ) {

    728. 

  728. 			$orig_value = $arreach['value'];

    729. 

  729. 			$value = safecss_filter_attr( $orig_value );

    730. 

  730. 

    731. 

  731. 			if ( empty( $value ) )

    732. 

  732. 				continue;

    733. 

  733. 

    734. 

  734. 			$arreach['value'] = $value;

    735. 

  735. 			$arreach['whole'] = str_replace( $orig_value, $value, $arreach['whole'] );

    736. 

  736. 		}

    737. 

  737. 

    738. 

  738. 		if ( ! is_array($current) ) {

    739. 

  739. 			$attr2 .= ' '.$arreach['whole'];

    740. 

  740. 		# there are no checks

    741. 

  741. 

    742. 

  742. 		} else {

    743. 

  743. 			# there are some checks

    744. 

  744. 			$ok = true;

    745. 

  745. 			foreach ($current as $currkey => $currval) {

    746. 

  746. 				if ( ! wp_kses_check_attr_val($arreach['value'], $arreach['vless'], $currkey, $currval) ) {

    747. 

  747. 					$ok = false;

    748. 

  748. 					break;

    749. 

  749. 				}

    750. 

  750. 			}

    751. 

  751. 

    752. 

  752. 			if ( $ok )

    753. 

  753. 				$attr2 .= ' '.$arreach['whole']; # it passed them

    754. 

  754. 		} # if !is_array($current)

    755. 

  755. 	} # foreach

    756. 

  756. 

    757. 

  757. 	# Remove any "<" or ">" characters

    758. 

  758. 	$attr2 = preg_replace('/[<>]/', '', $attr2);

    759. 

  759. 

    760. 

  760. 	return "<$element$attr2$xhtml_slash>";

    761. 

  761. }

    762. 

  762. 

    763. 

  763. /**

    764. 

  764.  * Builds an attribute list from string containing attributes.

    765. 

  765.  *

    766. 

  766.  * This function does a lot of work. It parses an attribute list into an array

    767. 

  767.  * with attribute data, and tries to do the right thing even if it gets weird

    768. 

  768.  * input. It will add quotes around attribute values that don't have any quotes

    769. 

  769.  * or apostrophes around them, to make it easier to produce HTML code that will

    770. 

  770.  * conform to W3C's HTML specification. It will also remove bad URL protocols

    771. 

  771.  * from attribute values. It also reduces duplicate attributes by using the

    772. 

  772.  * attribute defined first (foo='bar' foo='baz' will result in foo='bar').

    773. 

  773.  *

    774. 

  774.  * @since 1.0.0

    775. 

  775.  *

    776. 

  776.  * @param string $attr Attribute list from HTML element to closing HTML element tag

    777. 

  777.  * @param array $allowed_protocols Allowed protocols to keep

    778. 

  778.  * @return array List of attributes after parsing

    779. 

  779.  */

    780. 

  780. function wp_kses_hair($attr, $allowed_protocols) {

    781. 

  781. 	$attrarr = array();

    782. 

  782. 	$mode = 0;

    783. 

  783. 	$attrname = '';

    784. 

  784. 	$uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');

    785. 

  785. 

    786. 

  786. 	# Loop through the whole attribute list

    787. 

  787. 

    788. 

  788. 	while (strlen($attr) != 0) {

    789. 

  789. 		$working = 0; # Was the last operation successful?

    790. 

  790. 

    791. 

  791. 		switch ($mode) {

    792. 

  792. 			case 0 : # attribute name, href for instance

    793. 

  793. 

    794. 

  794. 				if ( preg_match('/^([-a-zA-Z:]+)/', $attr, $match ) ) {

    795. 

  795. 					$attrname = $match[1];

    796. 

  796. 					$working = $mode = 1;

    797. 

  797. 					$attr = preg_replace( '/^[-a-zA-Z:]+/', '', $attr );

    798. 

  798. 				}

    799. 

  799. 

    800. 

  800. 				break;

    801. 

  801. 

    802. 

  802. 			case 1 : # equals sign or valueless ("selected")

    803. 

  803. 

    804. 

  804. 				if (preg_match('/^\s*=\s*/', $attr)) # equals sign

    805. 

  805. 					{

    806. 

  806. 					$working = 1;

    807. 

  807. 					$mode = 2;

    808. 

  808. 					$attr = preg_replace('/^\s*=\s*/', '', $attr);

    809. 

  809. 					break;

    810. 

  810. 				}

    811. 

  811. 

    812. 

  812. 				if (preg_match('/^\s+/', $attr)) # valueless

    813. 

  813. 					{

    814. 

  814. 					$working = 1;

    815. 

  815. 					$mode = 0;

    816. 

  816. 					if(false === array_key_exists($attrname, $attrarr)) {

    817. 

  817. 						$attrarr[$attrname] = array ('name' => $attrname, 'value' => '', 'whole' => $attrname, 'vless' => 'y');

    818. 

  818. 					}

    819. 

  819. 					$attr = preg_replace('/^\s+/', '', $attr);

    820. 

  820. 				}

    821. 

  821. 

    822. 

  822. 				break;

    823. 

  823. 

    824. 

  824. 			case 2 : # attribute value, a URL after href= for instance

    825. 

  825. 

    826. 

  826. 				if (preg_match('%^"([^"]*)"(\s+|/?$)%', $attr, $match))

    827. 

  827. 					# "value"

    828. 

  828. 					{

    829. 

  829. 					$thisval = $match[1];

    830. 

  830. 					if ( in_array(strtolower($attrname), $uris) )

    831. 

  831. 						$thisval = wp_kses_bad_protocol($thisval, $allowed_protocols);

    832. 

  832. 

    833. 

  833. 					if(false === array_key_exists($attrname, $attrarr)) {

    834. 

  834. 						$attrarr[$attrname] = array ('name' => $attrname, 'value' => $thisval, 'whole' => "$attrname=\"$thisval\"", 'vless' => 'n');

    835. 

  835. 					}

    836. 

  836. 					$working = 1;

    837. 

  837. 					$mode = 0;

    838. 

  838. 					$attr = preg_replace('/^"[^"]*"(\s+|$)/', '', $attr);

    839. 

  839. 					break;

    840. 

  840. 				}

    841. 

  841. 

    842. 

  842. 				if (preg_match("%^'([^']*)'(\s+|/?$)%", $attr, $match))

    843. 

  843. 					# 'value'

    844. 

  844. 					{

    845. 

  845. 					$thisval = $match[1];

    846. 

  846. 					if ( in_array(strtolower($attrname), $uris) )

    847. 

  847. 						$thisval = wp_kses_bad_protocol($thisval, $allowed_protocols);

    848. 

  848. 

    849. 

  849. 					if(false === array_key_exists($attrname, $attrarr)) {

    850. 

  850. 						$attrarr[$attrname] = array ('name' => $attrname, 'value' => $thisval, 'whole' => "$attrname='$thisval'", 'vless' => 'n');

    851. 

  851. 					}

    852. 

  852. 					$working = 1;

    853. 

  853. 					$mode = 0;

    854. 

  854. 					$attr = preg_replace("/^'[^']*'(\s+|$)/", '', $attr);

    855. 

  855. 					break;

    856. 

  856. 				}

    857. 

  857. 

    858. 

  858. 				if (preg_match("%^([^\s\"']+)(\s+|/?$)%", $attr, $match))

    859. 

  859. 					# value

    860. 

  860. 					{

    861. 

  861. 					$thisval = $match[1];

    862. 

  862. 					if ( in_array(strtolower($attrname), $uris) )

    863. 

  863. 						$thisval = wp_kses_bad_protocol($thisval, $allowed_protocols);

    864. 

  864. 

    865. 

  865. 					if(false === array_key_exists($attrname, $attrarr)) {

    866. 

  866. 						$attrarr[$attrname] = array ('name' => $attrname, 'value' => $thisval, 'whole' => "$attrname=\"$thisval\"", 'vless' => 'n');

    867. 

  867. 					}

    868. 

  868. 					# We add quotes to conform to W3C's HTML spec.

    869. 

  869. 					$working = 1;

    870. 

  870. 					$mode = 0;

    871. 

  871. 					$attr = preg_replace("%^[^\s\"']+(\s+|$)%", '', $attr);

    872. 

  872. 				}

    873. 

  873. 

    874. 

  874. 				break;

    875. 

  875. 		} # switch

    876. 

  876. 

    877. 

  877. 		if ($working == 0) # not well formed, remove and try again

    878. 

  878. 		{

    879. 

  879. 			$attr = wp_kses_html_error($attr);

    880. 

  880. 			$mode = 0;

    881. 

  881. 		}

    882. 

  882. 	} # while

    883. 

  883. 

    884. 

  884. 	if ($mode == 1 && false === array_key_exists($attrname, $attrarr))

    885. 

  885. 		# special case, for when the attribute list ends with a valueless

    886. 

  886. 		# attribute like "selected"

    887. 

  887. 		$attrarr[$attrname] = array ('name' => $attrname, 'value' => '', 'whole' => $attrname, 'vless' => 'y');

    888. 

  888. 

    889. 

  889. 	return $attrarr;

    890. 

  890. }

    891. 

  891. 

    892. 

  892. /**

    893. 

  893.  * Performs different checks for attribute values.

    894. 

  894.  *

    895. 

  895.  * The currently implemented checks are "maxlen", "minlen", "maxval", "minval"

    896. 

  896.  * and "valueless".

    897. 

  897.  *

    898. 

  898.  * @since 1.0.0

    899. 

  899.  *

    900. 

  900.  * @param string $value Attribute value

    901. 

  901.  * @param string $vless Whether the value is valueless. Use 'y' or 'n'

    902. 

  902.  * @param string $checkname What $checkvalue is checking for.

    903. 

  903.  * @param mixed $checkvalue What constraint the value should pass

    904. 

  904.  * @return bool Whether check passes

    905. 

  905.  */

    906. 

  906. function wp_kses_check_attr_val($value, $vless, $checkname, $checkvalue) {

    907. 

  907. 	$ok = true;

    908. 

  908. 

    909. 

  909. 	switch (strtolower($checkname)) {

    910. 

  910. 		case 'maxlen' :

    911. 

  911. 			# The maxlen check makes sure that the attribute value has a length not

    912. 

  912. 			# greater than the given value. This can be used to avoid Buffer Overflows

    913. 

  913. 			# in WWW clients and various Internet servers.

    914. 

  914. 

    915. 

  915. 			if (strlen($value) > $checkvalue)

    916. 

  916. 				$ok = false;

    917. 

  917. 			break;

    918. 

  918. 

    919. 

  919. 		case 'minlen' :

    920. 

  920. 			# The minlen check makes sure that the attribute value has a length not

    921. 

  921. 			# smaller than the given value.

    922. 

  922. 

    923. 

  923. 			if (strlen($value) < $checkvalue)

    924. 

  924. 				$ok = false;

    925. 

  925. 			break;

    926. 

  926. 

    927. 

  927. 		case 'maxval' :

    928. 

  928. 			# The maxval check does two things: it checks that the attribute value is

    929. 

  929. 			# an integer from 0 and up, without an excessive amount of zeroes or

    930. 

  930. 			# whitespace (to avoid Buffer Overflows). It also checks that the attribute

    931. 

  931. 			# value is not greater than the given value.

    932. 

  932. 			# This check can be used to avoid Denial of Service attacks.

    933. 

  933. 

    934. 

  934. 			if (!preg_match('/^\s{0,6}[0-9]{1,6}\s{0,6}$/', $value))

    935. 

  935. 				$ok = false;

    936. 

  936. 			if ($value > $checkvalue)

    937. 

  937. 				$ok = false;

    938. 

  938. 			break;

    939. 

  939. 

    940. 

  940. 		case 'minval' :

    941. 

  941. 			# The minval check makes sure that the attribute value is a positive integer,

    942. 

  942. 			# and that it is not smaller than the given value.

    943. 

  943. 

    944. 

  944. 			if (!preg_match('/^\s{0,6}[0-9]{1,6}\s{0,6}$/', $value))

    945. 

  945. 				$ok = false;

    946. 

  946. 			if ($value < $checkvalue)

    947. 

  947. 				$ok = false;

    948. 

  948. 			break;

    949. 

  949. 

    950. 

  950. 		case 'valueless' :

    951. 

  951. 			# The valueless check makes sure if the attribute has a value

    952. 

  952. 			# (like <a href="blah">) or not (<option selected>). If the given value

    953. 

  953. 			# is a "y" or a "Y", the attribute must not have a value.

    954. 

  954. 			# If the given value is an "n" or an "N", the attribute must have one.

    955. 

  955. 

    956. 

  956. 			if (strtolower($checkvalue) != $vless)

    957. 

  957. 				$ok = false;

    958. 

  958. 			break;

    959. 

  959. 	} # switch

    960. 

  960. 

    961. 

  961. 	return $ok;

    962. 

  962. }

    963. 

  963. 

    964. 

  964. /**

    965. 

  965.  * Sanitize string from bad protocols.

    966. 

  966.  *

    967. 

  967.  * This function removes all non-allowed protocols from the beginning of

    968. 

  968.  * $string. It ignores whitespace and the case of the letters, and it does

    969. 

  969.  * understand HTML entities. It does its work in a while loop, so it won't be

    970. 

  970.  * fooled by a string like "javascript:javascript:alert(57)".

    971. 

  971.  *

    972. 

  972.  * @since 1.0.0

    973. 

  973.  *

    974. 

  974.  * @param string $string Content to filter bad protocols from

    975. 

  975.  * @param array $allowed_protocols Allowed protocols to keep

    976. 

  976.  * @return string Filtered content

    977. 

  977.  */

    978. 

  978. function wp_kses_bad_protocol($string, $allowed_protocols) {

    979. 

  979. 	$string = wp_kses_no_null($string);

    980. 

  980. 	$iterations = 0;

    981. 

  981. 

    982. 

  982. 	do {

    983. 

  983. 		$original_string = $string;

    984. 

  984. 		$string = wp_kses_bad_protocol_once($string, $allowed_protocols);

    985. 

  985. 	} while ( $original_string != $string && ++$iterations < 6 );

    986. 

  986. 

    987. 

  987. 	if ( $original_string != $string )

    988. 

  988. 		return '';

    989. 

  989. 

    990. 

  990. 	return $string;

    991. 

  991. }

    992. 

  992. 

    993. 

  993. /**

    994. 

  994.  * Removes any invalid control characters in $string.

    995. 

  995.  *

    996. 

  996.  * Also removes any instance of the '\0' string.

    997. 

  997.  *

    998. 

  998.  * @since 1.0.0

    999. 

  999.  *

    1000. 

  1000.  * @param string $string

    1001. 

  1001.  * @return string

    1002. 

  1002.  */

    1003. 

  1003. function wp_kses_no_null($string) {

    1004. 

  1004. 	$string = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $string);

    1005. 

  1005. 	$string = preg_replace('/(\\\\0)+/', '', $string);

    1006. 

  1006. 

    1007. 

  1007. 	return $string;

    1008. 

  1008. }

    1009. 

  1009. 

    1010. 

  1010. /**

    1011. 

  1011.  * Strips slashes from in front of quotes.

    1012. 

  1012.  *

    1013. 

  1013.  * This function changes the character sequence \" to just ". It leaves all

    1014. 

  1014.  * other slashes alone. It's really weird, but the quoting from

    1015. 

  1015.  * preg_replace(//e) seems to require this.

    1016. 

  1016.  *

    1017. 

  1017.  * @since 1.0.0

    1018. 

  1018.  *

    1019. 

  1019.  * @param string $string String to strip slashes

    1020. 

  1020.  * @return string Fixed string with quoted slashes

    1021. 

  1021.  */

    1022. 

  1022. function wp_kses_stripslashes($string) {

    1023. 

  1023. 	return preg_replace('%\\\\"%', '"', $string);

    1024. 

  1024. }

    1025. 

  1025. 

    1026. 

  1026. /**

    1027. 

  1027.  * Goes through an array and changes the keys to all lower case.

    1028. 

  1028.  *

    1029. 

  1029.  * @since 1.0.0

    1030. 

  1030.  *

    1031. 

  1031.  * @param array $inarray Unfiltered array

    1032. 

  1032.  * @return array Fixed array with all lowercase keys

    1033. 

  1033.  */

    1034. 

  1034. function wp_kses_array_lc($inarray) {

    1035. 

  1035. 	$outarray = array ();

    1036. 

  1036. 

    1037. 

  1037. 	foreach ( (array) $inarray as $inkey => $inval) {

    1038. 

  1038. 		$outkey = strtolower($inkey);

    1039. 

  1039. 		$outarray[$outkey] = array ();

    1040. 

  1040. 

    1041. 

  1041. 		foreach ( (array) $inval as $inkey2 => $inval2) {

    1042. 

  1042. 			$outkey2 = strtolower($inkey2);

    1043. 

  1043. 			$outarray[$outkey][$outkey2] = $inval2;

    1044. 

  1044. 		} # foreach $inval

    1045. 

  1045. 	} # foreach $inarray

    1046. 

  1046. 

    1047. 

  1047. 	return $outarray;

    1048. 

  1048. }

    1049. 

  1049. 

    1050. 

  1050. /**

    1051. 

  1051.  * Removes the HTML JavaScript entities found in early versions of Netscape 4.

    1052. 

  1052.  *

    1053. 

  1053.  * @since 1.0.0

    1054. 

  1054.  *

    1055. 

  1055.  * @param string $string

    1056. 

  1056.  * @return string

    1057. 

  1057.  */

    1058. 

  1058. function wp_kses_js_entities($string) {

    1059. 

  1059. 	return preg_replace('%&\s*\{[^}]*(\}\s*;?|$)%', '', $string);

    1060. 

  1060. }

    1061. 

  1061. 

    1062. 

  1062. /**

    1063. 

  1063.  * Handles parsing errors in wp_kses_hair().

    1064. 

  1064.  *

    1065. 

  1065.  * The general plan is to remove everything to and including some whitespace,

    1066. 

  1066.  * but it deals with quotes and apostrophes as well.

    1067. 

  1067.  *

    1068. 

  1068.  * @since 1.0.0

    1069. 

  1069.  *

    1070. 

  1070.  * @param string $string

    1071. 

  1071.  * @return string

    1072. 

  1072.  */

    1073. 

  1073. function wp_kses_html_error($string) {

    1074. 

  1074. 	return preg_replace('/^("[^"]*("|$)|\'[^\']*(\'|$)|\S)*\s*/', '', $string);

    1075. 

  1075. }

    1076. 

  1076. 

    1077. 

  1077. /**

    1078. 

  1078.  * Sanitizes content from bad protocols and other characters.

    1079. 

  1079.  *

    1080. 

  1080.  * This function searches for URL protocols at the beginning of $string, while

    1081. 

  1081.  * handling whitespace and HTML entities.

    1082. 

  1082.  *

    1083. 

  1083.  * @since 1.0.0

    1084. 

  1084.  *

    1085. 

  1085.  * @param string $string Content to check for bad protocols

    1086. 

  1086.  * @param string $allowed_protocols Allowed protocols

    1087. 

  1087.  * @return string Sanitized content

    1088. 

  1088.  */

    1089. 

  1089. function wp_kses_bad_protocol_once($string, $allowed_protocols, $count = 1 ) {

    1090. 

  1090. 	$string2 = preg_split( '/:|&#0*58;|&#x0*3a;/i', $string, 2 );

    1091. 

  1091. 	if ( isset($string2[1]) && ! preg_match('%/\?%', $string2[0]) ) {

    1092. 

  1092. 		$string = trim( $string2[1] );

    1093. 

  1093. 		$protocol = wp_kses_bad_protocol_once2( $string2[0], $allowed_protocols );

    1094. 

  1094. 		if ( 'feed:' == $protocol ) {

    1095. 

  1095. 			if ( $count > 2 )

    1096. 

  1096. 				return '';

    1097. 

  1097. 			$string = wp_kses_bad_protocol_once( $string, $allowed_protocols, ++$count );

    1098. 

  1098. 			if ( empty( $string ) )

    1099. 

  1099. 				return $string;

    1100. 

  1100. 		}

    1101. 

  1101. 		$string = $protocol . $string;

    1102. 

  1102. 	}

    1103. 

  1103. 

    1104. 

  1104. 	return $string;

    1105. 

  1105. }

    1106. 

  1106. 

    1107. 

  1107. /**

    1108. 

  1108.  * Callback for wp_kses_bad_protocol_once() regular expression.

    1109. 

  1109.  *

    1110. 

  1110.  * This function processes URL protocols, checks to see if they're in the

    1111. 

  1111.  * whitelist or not, and returns different data depending on the answer.

    1112. 

  1112.  *

    1113. 

  1113.  * @access private

    1114. 

  1114.  * @since 1.0.0

    1115. 

  1115.  *

    1116. 

  1116.  * @param string $string URI scheme to check against the whitelist

    1117. 

  1117.  * @param string $allowed_protocols Allowed protocols

    1118. 

  1118.  * @return string Sanitized content

    1119. 

  1119.  */

    1120. 

  1120. function wp_kses_bad_protocol_once2( $string, $allowed_protocols ) {

    1121. 

  1121. 	$string2 = wp_kses_decode_entities($string);

    1122. 

  1122. 	$string2 = preg_replace('/\s/', '', $string2);

    1123. 

  1123. 	$string2 = wp_kses_no_null($string2);

    1124. 

  1124. 	$string2 = strtolower($string2);

    1125. 

  1125. 

    1126. 

  1126. 	$allowed = false;

    1127. 

  1127. 	foreach ( (array) $allowed_protocols as $one_protocol )

    1128. 

  1128. 		if ( strtolower($one_protocol) == $string2 ) {

    1129. 

  1129. 			$allowed = true;

    1130. 

  1130. 			break;

    1131. 

  1131. 		}

    1132. 

  1132. 

    1133. 

  1133. 	if ($allowed)

    1134. 

  1134. 		return "$string2:";

    1135. 

  1135. 	else

    1136. 

  1136. 		return '';

    1137. 

  1137. }

    1138. 

  1138. 

    1139. 

  1139. /**

    1140. 

  1140.  * Converts and fixes HTML entities.

    1141. 

  1141.  *

    1142. 

  1142.  * This function normalizes HTML entities. It will convert "AT&T" to the correct

    1143. 

  1143.  * "AT&amp;T", "&#00058;" to "&#58;", "&#XYZZY;" to "&amp;#XYZZY;" and so on.

    1144. 

  1144.  *

    1145. 

  1145.  * @since 1.0.0

    1146. 

  1146.  *

    1147. 

  1147.  * @param string $string Content to normalize entities

    1148. 

  1148.  * @return string Content with normalized entities

    1149. 

  1149.  */

    1150. 

  1150. function wp_kses_normalize_entities($string) {

    1151. 

  1151. 	# Disarm all entities by converting & to &amp;

    1152. 

  1152. 

    1153. 

  1153. 	$string = str_replace('&', '&amp;', $string);

    1154. 

  1154. 

    1155. 

  1155. 	# Change back the allowed entities in our entity whitelist

    1156. 

  1156. 

    1157. 

  1157. 	$string = preg_replace_callback('/&amp;([A-Za-z]{2,8}[0-9]{0,2});/', 'wp_kses_named_entities', $string);

    1158. 

  1158. 	$string = preg_replace_callback('/&amp;#(0*[0-9]{1,7});/', 'wp_kses_normalize_entities2', $string);

    1159. 

  1159. 	$string = preg_replace_callback('/&amp;#[Xx](0*[0-9A-Fa-f]{1,6});/', 'wp_kses_normalize_entities3', $string);

    1160. 

  1160. 

    1161. 

  1161. 	return $string;

    1162. 

  1162. }

    1163. 

  1163. 

    1164. 

  1164. /**

    1165. 

  1165.  * Callback for wp_kses_normalize_entities() regular expression.

    1166. 

  1166.  *

    1167. 

  1167.  * This function only accepts valid named entity references, which are finite,

    1168. 

  1168.  * case-sensitive, and highly scrutinized by HTML and XML validators.

    1169. 

  1169.  *

    1170. 

  1170.  * @since 3.0.0

    1171. 

  1171.  *

    1172. 

  1172.  * @param array $matches preg_replace_callback() matches array

    1173. 

  1173.  * @return string Correctly encoded entity

    1174. 

  1174.  */

    1175. 

  1175. function wp_kses_named_entities($matches) {

    1176. 

  1176. 	global $allowedentitynames;

    1177. 

  1177. 

    1178. 

  1178. 	if ( empty($matches[1]) )

    1179. 

  1179. 		return '';

    1180. 

  1180. 

    1181. 

  1181. 	$i = $matches[1];

    1182. 

  1182. 	return ( ( ! in_array($i, $allowedentitynames) ) ? "&amp;$i;" : "&$i;" );

    1183. 

  1183. }

    1184. 

  1184. 

    1185. 

  1185. /**

    1186. 

  1186.  * Callback for wp_kses_normalize_entities() regular expression.

    1187. 

  1187.  *

    1188. 

  1188.  * This function helps wp_kses_normalize_entities() to only accept 16-bit values

    1189. 

  1189.  * and nothing more for &#number; entities.

    1190. 

  1190.  *

    1191. 

  1191.  * @access private

    1192. 

  1192.  * @since 1.0.0

    1193. 

  1193.  *

    1194. 

  1194.  * @param array $matches preg_replace_callback() matches array

    1195. 

  1195.  * @return string Correctly encoded entity

    1196. 

  1196.  */

    1197. 

  1197. function wp_kses_normalize_entities2($matches) {

    1198. 

  1198. 	if ( empty($matches[1]) )

    1199. 

  1199. 		return '';

    1200. 

  1200. 

    1201. 

  1201. 	$i = $matches[1];

    1202. 

  1202. 	if (valid_unicode($i)) {

    1203. 

  1203. 		$i = str_pad(ltrim($i,'0'), 3, '0', STR_PAD_LEFT);

    1204. 

  1204. 		$i = "&#$i;";

    1205. 

  1205. 	} else {

    1206. 

  1206. 		$i = "&amp;#$i;";

    1207. 

  1207. 	}

    1208. 

  1208. 

    1209. 

  1209. 	return $i;

    1210. 

  1210. }

    1211. 

  1211. 

    1212. 

  1212. /**

    1213. 

  1213.  * Callback for wp_kses_normalize_entities() for regular expression.

    1214. 

  1214.  *

    1215. 

  1215.  * This function helps wp_kses_normalize_entities() to only accept valid Unicode

    1216. 

  1216.  * numeric entities in hex form.

    1217. 

  1217.  *

    1218. 

  1218.  * @access private

    1219. 

  1219.  *

    1220. 

  1220.  * @param array $matches preg_replace_callback() matches array

    1221. 

  1221.  * @return string Correctly encoded entity

    1222. 

  1222.  */

    1223. 

  1223. function wp_kses_normalize_entities3($matches) {

    1224. 

  1224. 	if ( empty($matches[1]) )

    1225. 

  1225. 		return '';

    1226. 

  1226. 

    1227. 

  1227. 	$hexchars = $matches[1];

    1228. 

  1228. 	return ( ( ! valid_unicode(hexdec($hexchars)) ) ? "&amp;#x$hexchars;" : '&#x'.ltrim($hexchars,'0').';' );

    1229. 

  1229. }

    1230. 

  1230. 

    1231. 

  1231. /**

    1232. 

  1232.  * Helper function to determine if a Unicode value is valid.

    1233. 

  1233.  *

    1234. 

  1234.  * @param int $i Unicode value

    1235. 

  1235.  * @return bool True if the value was a valid Unicode number

    1236. 

  1236.  */

    1237. 

  1237. function valid_unicode($i) {

    1238. 

  1238. 	return ( $i == 0x9 || $i == 0xa || $i == 0xd ||

    1239. 

  1239. 			($i >= 0x20 && $i <= 0xd7ff) ||

    1240. 

  1240. 			($i >= 0xe000 && $i <= 0xfffd) ||

    1241. 

  1241. 			($i >= 0x10000 && $i <= 0x10ffff) );

    1242. 

  1242. }

    1243. 

  1243. 

    1244. 

  1244. /**

    1245. 

  1245.  * Convert all entities to their character counterparts.

    1246. 

  1246.  *

    1247. 

  1247.  * This function decodes numeric HTML entities (&#65; and &#x41;). It doesn't do

    1248. 

  1248.  * anything with other entities like &auml;, but we don't need them in the URL

    1249. 

  1249.  * protocol whitelisting system anyway.

    1250. 

  1250.  *

    1251. 

  1251.  * @since 1.0.0

    1252. 

  1252.  *

    1253. 

  1253.  * @param string $string Content to change entities

    1254. 

  1254.  * @return string Content after decoded entities

    1255. 

  1255.  */

    1256. 

  1256. function wp_kses_decode_entities($string) {

    1257. 

  1257. 	$string = preg_replace_callback('/&#([0-9]+);/', '_wp_kses_decode_entities_chr', $string);

    1258. 

  1258. 	$string = preg_replace_callback('/&#[Xx]([0-9A-Fa-f]+);/', '_wp_kses_decode_entities_chr_hexdec', $string);

    1259. 

  1259. 

    1260. 

  1260. 	return $string;

    1261. 

  1261. }

    1262. 

  1262. 

    1263. 

  1263. /**

    1264. 

  1264.  * Regex callback for wp_kses_decode_entities()

    1265. 

  1265.  *

    1266. 

  1266.  * @param array $match preg match

    1267. 

  1267.  * @return string

    1268. 

  1268.  */

    1269. 

  1269. function _wp_kses_decode_entities_chr( $match ) {

    1270. 

  1270. 	return chr( $match[1] );

    1271. 

  1271. }

    1272. 

  1272. 

    1273. 

  1273. /**

    1274. 

  1274.  * Regex callback for wp_kses_decode_entities()

    1275. 

  1275.  *

    1276. 

  1276.  * @param array $match preg match

    1277. 

  1277.  * @return string

    1278. 

  1278.  */

    1279. 

  1279. function _wp_kses_decode_entities_chr_hexdec( $match ) {

    1280. 

  1280. 	return chr( hexdec( $match[1] ) );

    1281. 

  1281. }

    1282. 

  1282. 

    1283. 

  1283. /**

    1284. 

  1284.  * Sanitize content with allowed HTML Kses rules.

    1285. 

  1285.  *

    1286. 

  1286.  * @since 1.0.0

    1287. 

  1287.  * @uses $allowedtags

    1288. 

  1288.  *

    1289. 

  1289.  * @param string $data Content to filter, expected to be escaped with slashes

    1290. 

  1290.  * @return string Filtered content

    1291. 

  1291.  */

    1292. 

  1292. function wp_filter_kses( $data ) {

    1293. 

  1293. 	return addslashes( wp_kses( stripslashes( $data ), current_filter() ) );

    1294. 

  1294. }

    1295. 

  1295. 

    1296. 

  1296. /**

    1297. 

  1297.  * Sanitize content with allowed HTML Kses rules.

    1298. 

  1298.  *

    1299. 

  1299.  * @since 2.9.0

    1300. 

  1300.  * @uses $allowedtags

    1301. 

  1301.  *

    1302. 

  1302.  * @param string $data Content to filter, expected to not be escaped

    1303. 

  1303.  * @return string Filtered content

    1304. 

  1304.  */

    1305. 

  1305. function wp_kses_data( $data ) {

    1306. 

  1306. 	return wp_kses( $data , current_filter() );

    1307. 

  1307. }

    1308. 

  1308. 

    1309. 

  1309. /**

    1310. 

  1310.  * Sanitize content for allowed HTML tags for post content.

    1311. 

  1311.  *

    1312. 

  1312.  * Post content refers to the page contents of the 'post' type and not $_POST

    1313. 

  1313.  * data from forms.

    1314. 

  1314.  *

    1315. 

  1315.  * @since 2.0.0

    1316. 

  1316.  *

    1317. 

  1317.  * @param string $data Post content to filter, expected to be escaped with slashes

    1318. 

  1318.  * @return string Filtered post content with allowed HTML tags and attributes intact.

    1319. 

  1319.  */

    1320. 

  1320. function wp_filter_post_kses($data) {

    1321. 

  1321. 	return addslashes ( wp_kses( stripslashes( $data ), 'post' ) );

    1322. 

  1322. }

    1323. 

  1323. 

    1324. 

  1324. /**

    1325. 

  1325.  * Sanitize content for allowed HTML tags for post content.

    1326. 

  1326.  *

    1327. 

  1327.  * Post content refers to the page contents of the 'post' type and not $_POST

    1328. 

  1328.  * data from forms.

    1329. 

  1329.  *

    1330. 

  1330.  * @since 2.9.0

    1331. 

  1331.  *

    1332. 

  1332.  * @param string $data Post content to filter

    1333. 

  1333.  * @return string Filtered post content with allowed HTML tags and attributes intact.

    1334. 

  1334.  */

    1335. 

  1335. function wp_kses_post($data) {

    1336. 

  1336. 	return wp_kses( $data , 'post' );

    1337. 

  1337. }

    1338. 

  1338. 

    1339. 

  1339. /**

    1340. 

  1340.  * Strips all of the HTML in the content.

    1341. 

  1341.  *

    1342. 

  1342.  * @since 2.1.0

    1343. 

  1343.  *

    1344. 

  1344.  * @param string $data Content to strip all HTML from

    1345. 

  1345.  * @return string Filtered content without any HTML

    1346. 

  1346.  */

    1347. 

  1347. function wp_filter_nohtml_kses( $data ) {

    1348. 

  1348. 	return addslashes ( wp_kses( stripslashes( $data ), 'strip' ) );

    1349. 

  1349. }

    1350. 

  1350. 

    1351. 

  1351. /**

    1352. 

  1352.  * Adds all Kses input form content filters.

    1353. 

  1353.  *

    1354. 

  1354.  * All hooks have default priority. The wp_filter_kses() function is added to

    1355. 

  1355.  * the 'pre_comment_content' and 'title_save_pre' hooks.

    1356. 

  1356.  *

    1357. 

  1357.  * The wp_filter_post_kses() function is added to the 'content_save_pre',

    1358. 

  1358.  * 'excerpt_save_pre', and 'content_filtered_save_pre' hooks.

    1359. 

  1359.  *

    1360. 

  1360.  * @since 2.0.0

    1361. 

  1361.  * @uses add_filter() See description for what functions are added to what hooks.

    1362. 

  1362.  */

    1363. 

  1363. function kses_init_filters() {

    1364. 

  1364. 	// Normal filtering

    1365. 

  1365. 	add_filter('title_save_pre', 'wp_filter_kses');

    1366. 

  1366. 

    1367. 

  1367. 	// Comment filtering

    1368. 

  1368. 	if ( current_user_can( 'unfiltered_html' ) )

    1369. 

  1369. 		add_filter( 'pre_comment_content', 'wp_filter_post_kses' );

    1370. 

  1370. 	else

    1371. 

  1371. 		add_filter( 'pre_comment_content', 'wp_filter_kses' );

    1372. 

  1372. 

    1373. 

  1373. 	// Post filtering

    1374. 

  1374. 	add_filter('content_save_pre', 'wp_filter_post_kses');

    1375. 

  1375. 	add_filter('excerpt_save_pre', 'wp_filter_post_kses');

    1376. 

  1376. 	add_filter('content_filtered_save_pre', 'wp_filter_post_kses');

    1377. 

  1377. }

    1378. 

  1378. 

    1379. 

  1379. /**

    1380. 

  1380.  * Removes all Kses input form content filters.

    1381. 

  1381.  *

    1382. 

  1382.  * A quick procedural method to removing all of the filters that kses uses for

    1383. 

  1383.  * content in WordPress Loop.

    1384. 

  1384.  *

    1385. 

  1385.  * Does not remove the kses_init() function from 'init' hook (priority is

    1386. 

  1386.  * default). Also does not remove kses_init() function from 'set_current_user'

    1387. 

  1387.  * hook (priority is also default).

    1388. 

  1388.  *

    1389. 

  1389.  * @since 2.0.6

    1390. 

  1390.  */

    1391. 

  1391. function kses_remove_filters() {

    1392. 

  1392. 	// Normal filtering

    1393. 

  1393. 	remove_filter('title_save_pre', 'wp_filter_kses');

    1394. 

  1394. 

    1395. 

  1395. 	// Comment filtering

    1396. 

  1396. 	remove_filter( 'pre_comment_content', 'wp_filter_post_kses' );

    1397. 

  1397. 	remove_filter( 'pre_comment_content', 'wp_filter_kses' );

    1398. 

  1398. 

    1399. 

  1399. 	// Post filtering

    1400. 

  1400. 	remove_filter('content_save_pre', 'wp_filter_post_kses');

    1401. 

  1401. 	remove_filter('excerpt_save_pre', 'wp_filter_post_kses');

    1402. 

  1402. 	remove_filter('content_filtered_save_pre', 'wp_filter_post_kses');

    1403. 

  1403. }

    1404. 

  1404. 

    1405. 

  1405. /**

    1406. 

  1406.  * Sets up most of the Kses filters for input form content.

    1407. 

  1407.  *

    1408. 

  1408.  * If you remove the kses_init() function from 'init' hook and

    1409. 

  1409.  * 'set_current_user' (priority is default), then none of the Kses filter hooks

    1410. 

  1410.  * will be added.

    1411. 

  1411.  *

    1412. 

  1412.  * First removes all of the Kses filters in case the current user does not need

    1413. 

  1413.  * to have Kses filter the content. If the user does not have unfiltered_html

    1414. 

  1414.  * capability, then Kses filters are added.

    1415. 

  1415.  *

    1416. 

  1416.  * @uses kses_remove_filters() Removes the Kses filters

    1417. 

  1417.  * @uses kses_init_filters() Adds the Kses filters back if the user

    1418. 

  1418.  *		does not have unfiltered HTML capability.

    1419. 

  1419.  * @since 2.0.0

    1420. 

  1420.  */

    1421. 

  1421. function kses_init() {

    1422. 

  1422. 	kses_remove_filters();

    1423. 

  1423. 

    1424. 

  1424. 	if (current_user_can('unfiltered_html') == false)

    1425. 

  1425. 		kses_init_filters();

    1426. 

  1426. }

    1427. 

  1427. 

    1428. 

  1428. add_action('init', 'kses_init');

    1429. 

  1429. add_action('set_current_user', 'kses_init');

    1430. 

  1430. 

    1431. 

  1431. /**

    1432. 

  1432.  * Inline CSS filter

    1433. 

  1433.  *

    1434. 

  1434.  * @since 2.8.1

    1435. 

  1435.  */

    1436. 

  1436. function safecss_filter_attr( $css, $deprecated = '' ) {

    1437. 

  1437. 	if ( !empty( $deprecated ) )

    1438. 

  1438. 		_deprecated_argument( __FUNCTION__, '2.8.1' ); // Never implemented

    1439. 

  1439. 

    1440. 

  1440. 	$css = wp_kses_no_null($css);

    1441. 

  1441. 	$css = str_replace(array("\n","\r","\t"), '', $css);

    1442. 

  1442. 

    1443. 

  1443. 	if ( preg_match( '%[\\(&=}]|/\*%', $css ) ) // remove any inline css containing \ ( & } = or comments

    1444. 

  1444. 		return '';

    1445. 

  1445. 

    1446. 

  1446. 	$css_array = explode( ';', trim( $css ) );

    1447. 

  1447. 

    1448. 

  1448. 	/**

    1449. 

  1449. 	 * Filter list of allowed CSS attributes.

    1450. 

  1450. 	 *

    1451. 

  1451. 	 * @since 2.8.1

    1452. 

  1452. 	 *

    1453. 

  1453. 	 * @param array $attr List of allowed CSS attributes.

    1454. 

  1454. 	 */

    1455. 

  1455. 	$allowed_attr = apply_filters( 'safe_style_css', array( 'text-align', 'margin', 'color', 'float',

    1456. 

  1456. 	'border', 'background', 'background-color', 'border-bottom', 'border-bottom-color',

    1457. 

  1457. 	'border-bottom-style', 'border-bottom-width', 'border-collapse', 'border-color', 'border-left',

    1458. 

  1458. 	'border-left-color', 'border-left-style', 'border-left-width', 'border-right', 'border-right-color',

    1459. 

  1459. 	'border-right-style', 'border-right-width', 'border-spacing', 'border-style', 'border-top',

    1460. 

  1460. 	'border-top-color', 'border-top-style', 'border-top-width', 'border-width', 'caption-side',

    1461. 

  1461. 	'clear', 'cursor', 'direction', 'font', 'font-family', 'font-size', 'font-style',

    1462. 

  1462. 	'font-variant', 'font-weight', 'height', 'letter-spacing', 'line-height', 'margin-bottom',

    1463. 

  1463. 	'margin-left', 'margin-right', 'margin-top', 'overflow', 'padding', 'padding-bottom',

    1464. 

  1464. 	'padding-left', 'padding-right', 'padding-top', 'text-decoration', 'text-indent', 'vertical-align',

    1465. 

  1465. 	'width' ) );

    1466. 

  1466. 

    1467. 

  1467. 	if ( empty($allowed_attr) )

    1468. 

  1468. 		return $css;

    1469. 

  1469. 

    1470. 

  1470. 	$css = '';

    1471. 

  1471. 	foreach ( $css_array as $css_item ) {

    1472. 

  1472. 		if ( $css_item == '' )

    1473. 

  1473. 			continue;

    1474. 

  1474. 		$css_item = trim( $css_item );

    1475. 

  1475. 		$found = false;

    1476. 

  1476. 		if ( strpos( $css_item, ':' ) === false ) {

    1477. 

  1477. 			$found = true;

    1478. 

  1478. 		} else {

    1479. 

  1479. 			$parts = explode( ':', $css_item );

    1480. 

  1480. 			if ( in_array( trim( $parts[0] ), $allowed_attr ) )

    1481. 

  1481. 				$found = true;

    1482. 

  1482. 		}

    1483. 

  1483. 		if ( $found ) {

    1484. 

  1484. 			if( $css != '' )

    1485. 

  1485. 				$css .= ';';

    1486. 

  1486. 			$css .= $css_item;

    1487. 

  1487. 		}

    1488. 

  1488. 	}

    1489. 

  1489. 

    1490. 

  1490. 	return $css;

    1491. 

  1491. }

    1492. 

  1492. 

    1493. 

  1493. /**

    1494. 

  1494.  * Helper function to add global attributes to a tag in the allowed html list.

    1495. 

  1495.  *

    1496. 

  1496.  * @since 3.5.0

    1497. 

  1497.  * @access private

    1498. 

  1498.  *

    1499. 

  1499.  * @param array $value An array of attributes.

    1500. 

  1500.  * @return array The array of attributes with global attributes added.

    1501. 

  1501.  */

    1502. 

  1502. function _wp_add_global_attributes( $value ) {

    1503. 

  1503. 	$global_attributes = array(

    1504. 

  1504. 		'class' => true,

    1505. 

  1505. 		'id' => true,

    1506. 

  1506. 		'style' => true,

    1507. 

  1507. 		'title' => true,

    1508. 

  1508. 		'role' => true,

    1509. 

  1509. 	);

    1510. 

  1510. 

    1511. 

  1511. 	if ( true === $value )

    1512. 

  1512. 		$value = array();

    1513. 

  1513. 

    1514. 

  1514. 	if ( is_array( $value ) )

    1515. 

  1515. 		return array_merge( $value, $global_attributes );

    1516. 

  1516. 

    1517. 

  1517. 	return $value;

    1518. 

  1518. }

    1519. 

  1519.