Skip to content

Commit b197546

Browse files
whyisjakewhyisjake
committed
Update wp_kses_bad_protocol() to recognize : on uri attributes,
`wp_kses_bad_protocol()` makes sure to validate that uri attributes don’t contain invalid/or not allowed protocols. While this works fine in most cases, there’s a risk that by using the colon html5 named entity, one is able to bypass this function. Brings r46895 to the 5.3 branch. Props: xknown, nickdaugherty, peterwilsoncc. git-svn-id: https://develop.svn.wordpress.org/branches/5.3@46899 602fd350-edb4-49c9-b593-d223f7449a82
1 parent 1f7f3f1 commit b197546

2 files changed

Lines changed: 23 additions & 1 deletion

File tree

src/wp-includes/kses.php

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1665,7 +1665,7 @@ function wp_kses_html_error( $string ) {
16651665
*/
16661666
function wp_kses_bad_protocol_once( $string, $allowed_protocols, $count = 1 ) {
16671667
$string = preg_replace( '/(&#0*58(?![;0-9])|&#x0*3a(?![;a-f0-9]))/i', '$1;', $string );
1668-
$string2 = preg_split( '/:|&#0*58;|&#x0*3a;/i', $string, 2 );
1668+
$string2 = preg_split( '/:|&#0*58;|&#x0*3a;|:/i', $string, 2 );
16691669
if ( isset( $string2[1] ) && ! preg_match( '%/\?%', $string2[0] ) ) {
16701670
$string = trim( $string2[1] );
16711671
$protocol = wp_kses_bad_protocol_once2( $string2[0], $allowed_protocols );

tests/phpunit/tests/kses.php

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -179,6 +179,28 @@ function test_wp_kses_bad_protocol() {
179179
}
180180
}
181181

182+
$bad_not_normalized = array(
183+
'dummy:alert(1)',
184+
'javascript:alert(1)',
185+
'javascript&CoLon;alert(1)',
186+
'javascript:alert(1);',
187+
'javascript:alert(1);',
188+
'javascript:alert(1);',
189+
'javascript&#0000058alert(1);',
190+
'jav ascript:alert(1);',
191+
'javascript:javascript:alert(1);',
192+
'javascript:javascript:alert(1);',
193+
'javascript&#0000058javascript:alert(1);',
194+
'javascript:javascript&#0000058alert(1);',
195+
'javascript&#58alert(1)',
196+
);
197+
foreach ( $bad_not_normalized as $k => $x ) {
198+
$result = wp_kses_bad_protocol( $x, wp_allowed_protocols() );
199+
if ( ! empty( $result ) && 'alert(1);' !== $result && 'alert(1)' !== $result ) {
200+
$this->fail( "wp_kses_bad_protocol failed on $k, $x. Result: $result" );
201+
}
202+
}
203+
182204
$safe = array(
183205
'dummy:alert(1)',
184206
'HTTP://example.org/',

0 commit comments

Comments
 (0)