Skip to content

Commit 1147355

Browse files
SergeyBiryukovSergeyBiryukov
committed
Update wp_kses_bad_protocol() to recognize : on uri attributes,
`wp_kses_bad_protocol()` makes sure to validate that uri attributes don’t contain invalid/or not allowed protocols. While this works fine in most cases, there’s a risk that by using the colon html5 named entity, one is able to bypass this function. Brings r46895 to the 4.2 branch. Props: xknown, nickdaugherty, peterwilsoncc. git-svn-id: https://develop.svn.wordpress.org/branches/4.2@46910 602fd350-edb4-49c9-b593-d223f7449a82
1 parent f5a9729 commit 1147355

2 files changed

Lines changed: 23 additions & 1 deletion

File tree

src/wp-includes/kses.php

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1376,7 +1376,7 @@ function wp_kses_html_error($string) {
13761376
*/
13771377
function wp_kses_bad_protocol_once($string, $allowed_protocols, $count = 1 ) {
13781378
$string = preg_replace( '/(&#0*58(?![;0-9])|&#x0*3a(?![;a-f0-9]))/i', '$1;', $string );
1379-
$string2 = preg_split( '/:|&#0*58;|&#x0*3a;/i', $string, 2 );
1379+
$string2 = preg_split( '/:|&#0*58;|&#x0*3a;|:/i', $string, 2 );
13801380
if ( isset($string2[1]) && ! preg_match('%/\?%', $string2[0]) ) {
13811381
$string = trim( $string2[1] );
13821382
$protocol = wp_kses_bad_protocol_once2( $string2[0], $allowed_protocols );

tests/phpunit/tests/kses.php

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -169,6 +169,28 @@ function test_wp_kses_bad_protocol() {
169169
}
170170
}
171171

172+
$bad_not_normalized = array(
173+
'dummy:alert(1)',
174+
'javascript:alert(1)',
175+
'javascript&CoLon;alert(1)',
176+
'javascript:alert(1);',
177+
'javascript:alert(1);',
178+
'javascript:alert(1);',
179+
'javascript&#0000058alert(1);',
180+
'jav ascript:alert(1);',
181+
'javascript:javascript:alert(1);',
182+
'javascript:javascript:alert(1);',
183+
'javascript&#0000058javascript:alert(1);',
184+
'javascript:javascript&#0000058alert(1);',
185+
'javascript&#58alert(1)',
186+
);
187+
foreach ( $bad_not_normalized as $k => $x ) {
188+
$result = wp_kses_bad_protocol( $x, wp_allowed_protocols() );
189+
if ( ! empty( $result ) && 'alert(1);' !== $result && 'alert(1)' !== $result ) {
190+
$this->fail( "wp_kses_bad_protocol failed on $k, $x. Result: $result" );
191+
}
192+
}
193+
172194
$safe = array(
173195
'dummy:alert(1)',
174196
'HTTP://example.org/',

0 commit comments

Comments
 (0)