
Commit 9cdbe00

KSES: Conditionally remove the <form> element from $allowedposttags.
To avoid backwards compatibility issues, `<form>` is re-added if a custom filter has added the `<input>` or `<select>` elements to `$allowedposttags`. Merges [43994] to the 4.2 branch. git-svn-id: https://develop.svn.wordpress.org/branches/4.2@44008 602fd350-edb4-49c9-b593-d223f7449a82
1 parent f4d2024 commit 9cdbe00

1 file changed

Lines changed: 22 additions & 10 deletions


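--- a/src/wp-includes/kses.php
+++ b/src/wp-includes/kses.php
@@ -180,15 +180,6 @@
 'lang' => true,
 'xml:lang' => true,
 ),
-'form' => array(
-'action' => true,
-'accept' => true,
-'accept-charset' => true,
-'enctype' => true,
-'method' => true,
-'name' => true,
-'target' => true,
-),
 'h1' => array(
 'align' => true,
 ),
@@ -608,6 +599,7 @@ function wp_kses_one_attr( $string, $element ) {
 * Return a list of allowed tags and attributes for a given context.
 *
 * @since 3.5.0
+* @since 5.0.1 `form` removed as allowable HTML tag.
 *
 * @param string $context The context for which to retrieve tags. Allowed values are
 * post | strip | data | entities or the name of a field filter such as pre_user_description.
@@ -632,7 +624,27 @@ function wp_kses_allowed_html( $context = '' ) {
 switch ( $context ) {
 case 'post':
 /** This filter is documented in wp-includes/kses.php */
-return apply_filters( 'wp_kses_allowed_html', $allowedposttags, $context );
+$tags = apply_filters( 'wp_kses_allowed_html', $allowedposttags, $context );
+
+// 5.0.1 removed the `<form>` tag, allow it if a filter is allowing it's sub-elements `<input>` or `<select>`.
+if ( ! CUSTOM_TAGS && ! isset( $tags['form'] ) && ( isset( $tags['input'] ) || isset( $tags['select'] ) ) ) {
+$tags = $allowedposttags;
+
+$tags['form'] = array(
+'action' => true,
+'accept' => true,
+'accept-charset' => true,
+'enctype' => true,
+'method' => true,
+'name' => true,
+'target' => true,
+);
+
+/** This filter is documented in wp-includes/kses.php */
+$tags = apply_filters( 'wp_kses_allowed_html', $tags, $context );
+}
+
+return $tags;
 
 case 'user_description':
 case 'pre_user_description':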
