From 4ec1d4bc32ac8cdb508c6fd23377e63456d8c248 Mon Sep 17 00:00:00 2001
From: ryan
Date: Thu, 29 Oct 2009 17:15:58 +0000
Subject: [PATCH] Introduce wp_kses_post() and wp_kses_data() for filtering unescaped data. Fixes slashing of displayed fields. fixes #10949
git-svn-id: http://svn.automattic.com/wordpress/trunk@12125 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/default-filters.php | 9 +++++++--
 wp-includes/kses.php | 35 +++++++++++++++++++++++++++++++++--
 2 files changed, 40 insertions(+), 4 deletions(-)
diff --git a/wp-includes/default-filters.php b/wp-includes/default-filters.php
index 6def7cc7d..7837b9981 100644
--- a/wp-includes/default-filters.php
+++ b/wp-includes/default-filters.php
@@ -26,11 +26,16 @@ foreach ( array( 'term_name', 'comment_author_name', 'link_name', 'link_target',
 add_filter( $filter, '_wp_specialchars', 30 );
 }
 
-// Kses only for textarea saves and displays
-foreach ( array( 'pre_term_description', 'term_description', 'pre_link_description', 'link_description', 'pre_link_notes', 'link_notes', 'pre_user_description', 'user_description' ) as $filter ) {
+// Kses only for textarea saves
+foreach ( array( 'pre_term_description', 'pre_link_description', 'pre_link_notes', 'pre_user_description' ) as $filter ) {
 add_filter( $filter, 'wp_filter_kses' );
 }
 
+// Kses only for textarea saves displays
+foreach ( array( 'term_description', 'link_description', 'link_notes', 'user_description' ) as $filter ) {
+ add_filter( $filter, 'wp_kses_data' );
+}
+
 // Email saves
 foreach ( array( 'pre_comment_author_email', 'pre_user_email' ) as $filter ) {
 add_filter( $filter, 'trim' );
diff --git a/wp-includes/kses.php b/wp-includes/kses.php
index 1eef93f93..1c4d06685 100644
--- a/wp-includes/kses.php
+++ b/wp-includes/kses.php
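Review bot: The comment on the second added loop, `// Kses only for textarea saves displays`, reads as a typo for "textarea displays" and does not say why the save and display filter sets were split. The point worth recording is that the display filters (`term_description`, `link_description`, `link_notes`, `user_description`) now go through `wp_kses_data`, which (per the kses.php hunks in this patch) calls `wp_kses` without the `stripslashes`/`addslashes` round-trip that `wp_filter_kses` performs, so displayed values are no longer slash-mangled; suggest `// Kses only for textarea displays: display data is unslashed, so use wp_kses_data() instead of wp_filter_kses()`. Both loops still run the same `$allowedtags` allowlist, so values stored before this change continue to be sanitised on output, which is the right defence-in-depth default to keep.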
@@ -1059,7 +1059,7 @@ function _wp_kses_decode_entities_chr_hexdec( $match ) {
  * @since 1.0.0
  * @uses $allowedtags
  *
- * @param string $data Content to filter
+ * @param string $data Content to filter, expected to be escaped with slashes
  * @return string Filtered content
  */
 function wp_filter_kses($data) {
@@ -1067,6 +1067,20 @@ function wp_filter_kses($data) {
 return addslashes( wp_kses(stripslashes( $data ), $allowedtags) );
 }
 
+/**
+ * Sanitize content with allowed HTML Kses rules.
+ *
+ * @since 2.9.0
+ * @uses $allowedtags
+ *
+ * @param string $data Content to filter, expected to not be escaped
+ * @return string Filtered content
+ */
+function wp_kses_data($data) {
+ global $allowedtags;
+ return wp_kses( $data , $allowedtags );
+}
+
 /**
  * Sanitize content for allowed HTML tags for post content.
  *
@@ -1076,7 +1090,7 @@ function wp_filter_kses($data) {
  * @since 2.0.0
  * @uses $allowedposttags
  *
- * @param string $data Post content to filter
+ * @param string $data Post content to filter, expected to be escaped with slashes
  * @return string Filtered post content with allowed HTML tags and attributes intact.
  */
 function wp_filter_post_kses($data) {
@@ -1084,6 +1098,23 @@ function wp_filter_post_kses($data) {
 return addslashes ( wp_kses(stripslashes( $data ), $allowedposttags) );
 }
 
+/**
+ * Sanitize content for allowed HTML tags for post content.
+ *
+ * Post content refers to the page contents of the 'post' type and not $_POST
+ * data from forms.
+ *
+ * @since 2.9.0
+ * @uses $allowedposttags
+ *
+ * @param string $data Post content to filter
+ * @return string Filtered post content with allowed HTML tags and attributes intact.
+ */
+function wp_kses_post($data) {
+ global $allowedposttags;
+ return wp_kses( $data , $allowedposttags );
+}
+
 /**
  * Strips all of the HTML in the content.
  *
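Review bot: `wp_kses_data` reads `$allowedtags` as a mutable global and leaves the protocol allowlist to `wp_kses`'s default third argument, so its docblock should spell out the contract a caller is relying on: that the output is only as safe as `$allowedtags` is at call time, and that this is the smaller tag set used by `wp_filter_kses()` rather than `$allowedposttags`. Suggest adding `* Unlike wp_filter_kses(), no stripslashes()/addslashes() round-trip is performed, so pass unslashed data.` and `@see wp_filter_kses()` so callers choose the correct variant for slashed versus unslashed input. The stray space before the comma in `wp_kses( $data , $allowedtags )` should be dropped to match the call style elsewhere in this hunk.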
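Review bot: The `@param` line for `wp_kses_post`, `Post content to filter`, omits the slash expectation that `wp_kses_data` documents in the same patch, so the two new functions read inconsistently; change it to `* @param string $data Post content to filter, expected to not be escaped`. Since `wp_kses_post` performs no `stripslashes()`, a caller that passes slashed data here has it sanitised with the backslashes still in place, which is exactly the class of mismatch this commit is fixing, so a `@see wp_filter_post_kses()` pointing to the slashed variant would help. As with `wp_kses_data`, the stray space in `wp_kses( $data , $allowedposttags )` should be removed.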