| author | Charles Cabergs <me@cacharle.xyz> | 2020-07-27 10:05:23 +0200 |
|---|---|---|
| committer | Charles Cabergs <me@cacharle.xyz> | 2020-07-27 10:05:23 +0200 |
| commit | 5bf66662a9bdd62c5bccab15e607cd95cfb8fcab (patch) | |
| tree | 39a1a4629749056191c05dfd899f931701b7acf3 /srcs/wordpress/wp-includes/kses.php | |
| parent | 5afd237bbd22028b85532b8c0b3fcead49a00764 (diff) | |
Removed wordpress and phpmyadmin, my server doesn't handle it well and it brings shame on my family (HEAD, master)
Diffstat (limited to 'srcs/wordpress/wp-includes/kses.php')
| -rw-r--r-- | srcs/wordpress/wp-includes/kses.php | 2332 |
1 files changed, 0 insertions, 2332 deletions
diff --git a/srcs/wordpress/wp-includes/kses.php b/srcs/wordpress/wp-includes/kses.php
deleted file mode 100644
index d2f3cbb..0000000
--- a/srcs/wordpress/wp-includes/kses.php
+++ /dev/null
@@ -1,2332 +0,0 @@ -<?php -/** - * kses 0.2.2 - HTML/XHTML filter that only allows some elements and attributes - * Copyright (C) 2002, 2003, 2005 Ulf Harnhammar - * - * This program is free software and open source software; you can redistribute - * it and/or modify it under the terms of the GNU General Public License as - * published by the Free Software Foundation; either version 2 of the License, - * or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for - * more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA - * http://www.gnu.org/licenses/gpl.html - * - * [kses strips evil scripts!] - * - * Added wp_ prefix to avoid conflicts with existing kses users - * - * @version 0.2.2 - * @copyright (C) 2002, 2003, 2005 - * @author Ulf Harnhammar <http://advogato.org/person/metaur/> - * - * @package External - * @subpackage KSES - */ - -/** - * Specifies the default allowable HTML tags. - * - * Using `CUSTOM_TAGS` is not recommended and should be considered deprecated. The - * {@see 'wp_kses_allowed_html'} filter is more powerful and supplies context. - * - * @see wp_kses_allowed_html() - * @since 1.2.0 - * - * @var array[]|bool Array of default allowable HTML tags, or false to use the defaults. - */ -if ( ! defined( 'CUSTOM_TAGS' ) ) { - define( 'CUSTOM_TAGS', false ); -} - -// Ensure that these variables are added to the global namespace -// (e.g. if using namespaces / autoload in the current PHP environment). -global $allowedposttags, $allowedtags, $allowedentitynames; - -if ( ! CUSTOM_TAGS ) { - /** - * KSES global for default allowable HTML tags. 
- * - * Can be overridden with the `CUSTOM_TAGS` constant. - * - * @var array[] $allowedposttags Array of default allowable HTML tags. - * @since 2.0.0 - */ - $allowedposttags = array( - 'address' => array(), - 'a' => array( - 'href' => true, - 'rel' => true, - 'rev' => true, - 'name' => true, - 'target' => true, - 'download' => array( - 'valueless' => 'y', - ), - ), - 'abbr' => array(), - 'acronym' => array(), - 'area' => array( - 'alt' => true, - 'coords' => true, - 'href' => true, - 'nohref' => true, - 'shape' => true, - 'target' => true, - ), - 'article' => array( - 'align' => true, - 'dir' => true, - 'lang' => true, - 'xml:lang' => true, - ), - 'aside' => array( - 'align' => true, - 'dir' => true, - 'lang' => true, - 'xml:lang' => true, - ), - 'audio' => array( - 'autoplay' => true, - 'controls' => true, - 'loop' => true, - 'muted' => true, - 'preload' => true, - 'src' => true, - ), - 'b' => array(), - 'bdo' => array( - 'dir' => true, - ), - 'big' => array(), - 'blockquote' => array( - 'cite' => true, - 'lang' => true, - 'xml:lang' => true, - ), - 'br' => array(), - 'button' => array( - 'disabled' => true, - 'name' => true, - 'type' => true, - 'value' => true, - ), - 'caption' => array( - 'align' => true, - ), - 'cite' => array( - 'dir' => true, - 'lang' => true, - ), - 'code' => array(), - 'col' => array( - 'align' => true, - 'char' => true, - 'charoff' => true, - 'span' => true, - 'dir' => true, - 'valign' => true, - 'width' => true, - ), - 'colgroup' => array( - 'align' => true, - 'char' => true, - 'charoff' => true, - 'span' => true, - 'valign' => true, - 'width' => true, - ), - 'del' => array( - 'datetime' => true, - ), - 'dd' => array(), - 'dfn' => array(), - 'details' => array( - 'align' => true, - 'dir' => true, - 'lang' => true, - 'open' => true, - 'xml:lang' => true, - ), - 'div' => array( - 'align' => true, - 'dir' => true, - 'lang' => true, - 'xml:lang' => true, - ), - 'dl' => array(), - 'dt' => array(), - 'em' => array(), - 'fieldset' => array(), 
- 'figure' => array( - 'align' => true, - 'dir' => true, - 'lang' => true, - 'xml:lang' => true, - ), - 'figcaption' => array( - 'align' => true, - 'dir' => true, - 'lang' => true, - 'xml:lang' => true, - ), - 'font' => array( - 'color' => true, - 'face' => true, - 'size' => true, - ), - 'footer' => array( - 'align' => true, - 'dir' => true, - 'lang' => true, - 'xml:lang' => true, - ), - 'h1' => array( - 'align' => true, - ), - 'h2' => array( - 'align' => true, - ), - 'h3' => array( - 'align' => true, - ), - 'h4' => array( - 'align' => true, - ), - 'h5' => array( - 'align' => true, - ), - 'h6' => array( - 'align' => true, - ), - 'header' => array( - 'align' => true, - 'dir' => true, - 'lang' => true, - 'xml:lang' => true, - ), - 'hgroup' => array( - 'align' => true, - 'dir' => true, - 'lang' => true, - 'xml:lang' => true, - ), - 'hr' => array( - 'align' => true, - 'noshade' => true, - 'size' => true, - 'width' => true, - ), - 'i' => array(), - 'img' => array( - 'alt' => true, - 'align' => true, - 'border' => true, - 'height' => true, - 'hspace' => true, - 'longdesc' => true, - 'vspace' => true, - 'src' => true, - 'usemap' => true, - 'width' => true, - ), - 'ins' => array( - 'datetime' => true, - 'cite' => true, - ), - 'kbd' => array(), - 'label' => array( - 'for' => true, - ), - 'legend' => array( - 'align' => true, - ), - 'li' => array( - 'align' => true, - 'value' => true, - ), - 'map' => array( - 'name' => true, - ), - 'mark' => array(), - 'menu' => array( - 'type' => true, - ), - 'nav' => array( - 'align' => true, - 'dir' => true, - 'lang' => true, - 'xml:lang' => true, - ), - 'p' => array( - 'align' => true, - 'dir' => true, - 'lang' => true, - 'xml:lang' => true, - ), - 'pre' => array( - 'width' => true, - ), - 'q' => array( - 'cite' => true, - ), - 's' => array(), - 'samp' => array(), - 'span' => array( - 'dir' => true, - 'align' => true, - 'lang' => true, - 'xml:lang' => true, - ), - 'section' => array( - 'align' => true, - 'dir' => true, - 'lang' => true, 
- 'xml:lang' => true, - ), - 'small' => array(), - 'strike' => array(), - 'strong' => array(), - 'sub' => array(), - 'summary' => array( - 'align' => true, - 'dir' => true, - 'lang' => true, - 'xml:lang' => true, - ), - 'sup' => array(), - 'table' => array( - 'align' => true, - 'bgcolor' => true, - 'border' => true, - 'cellpadding' => true, - 'cellspacing' => true, - 'dir' => true, - 'rules' => true, - 'summary' => true, - 'width' => true, - ), - 'tbody' => array( - 'align' => true, - 'char' => true, - 'charoff' => true, - 'valign' => true, - ), - 'td' => array( - 'abbr' => true, - 'align' => true, - 'axis' => true, - 'bgcolor' => true, - 'char' => true, - 'charoff' => true, - 'colspan' => true, - 'dir' => true, - 'headers' => true, - 'height' => true, - 'nowrap' => true, - 'rowspan' => true, - 'scope' => true, - 'valign' => true, - 'width' => true, - ), - 'textarea' => array( - 'cols' => true, - 'rows' => true, - 'disabled' => true, - 'name' => true, - 'readonly' => true, - ), - 'tfoot' => array( - 'align' => true, - 'char' => true, - 'charoff' => true, - 'valign' => true, - ), - 'th' => array( - 'abbr' => true, - 'align' => true, - 'axis' => true, - 'bgcolor' => true, - 'char' => true, - 'charoff' => true, - 'colspan' => true, - 'headers' => true, - 'height' => true, - 'nowrap' => true, - 'rowspan' => true, - 'scope' => true, - 'valign' => true, - 'width' => true, - ), - 'thead' => array( - 'align' => true, - 'char' => true, - 'charoff' => true, - 'valign' => true, - ), - 'title' => array(), - 'tr' => array( - 'align' => true, - 'bgcolor' => true, - 'char' => true, - 'charoff' => true, - 'valign' => true, - ), - 'track' => array( - 'default' => true, - 'kind' => true, - 'label' => true, - 'src' => true, - 'srclang' => true, - ), - 'tt' => array(), - 'u' => array(), - 'ul' => array( - 'type' => true, - ), - 'ol' => array( - 'start' => true, - 'type' => true, - 'reversed' => true, - ), - 'var' => array(), - 'video' => array( - 'autoplay' => true, - 'controls' => 
true, - 'height' => true, - 'loop' => true, - 'muted' => true, - 'poster' => true, - 'preload' => true, - 'src' => true, - 'width' => true, - ), - ); - - /** - * @var array[] $allowedtags Array of KSES allowed HTML elements. - * @since 1.0.0 - */ - $allowedtags = array( - 'a' => array( - 'href' => true, - 'title' => true, - ), - 'abbr' => array( - 'title' => true, - ), - 'acronym' => array( - 'title' => true, - ), - 'b' => array(), - 'blockquote' => array( - 'cite' => true, - ), - 'cite' => array(), - 'code' => array(), - 'del' => array( - 'datetime' => true, - ), - 'em' => array(), - 'i' => array(), - 'q' => array( - 'cite' => true, - ), - 's' => array(), - 'strike' => array(), - 'strong' => array(), - ); - - /** - * @var string[] $allowedentitynames Array of KSES allowed HTML entitity names. - * @since 1.0.0 - */ - $allowedentitynames = array( - 'nbsp', - 'iexcl', - 'cent', - 'pound', - 'curren', - 'yen', - 'brvbar', - 'sect', - 'uml', - 'copy', - 'ordf', - 'laquo', - 'not', - 'shy', - 'reg', - 'macr', - 'deg', - 'plusmn', - 'acute', - 'micro', - 'para', - 'middot', - 'cedil', - 'ordm', - 'raquo', - 'iquest', - 'Agrave', - 'Aacute', - 'Acirc', - 'Atilde', - 'Auml', - 'Aring', - 'AElig', - 'Ccedil', - 'Egrave', - 'Eacute', - 'Ecirc', - 'Euml', - 'Igrave', - 'Iacute', - 'Icirc', - 'Iuml', - 'ETH', - 'Ntilde', - 'Ograve', - 'Oacute', - 'Ocirc', - 'Otilde', - 'Ouml', - 'times', - 'Oslash', - 'Ugrave', - 'Uacute', - 'Ucirc', - 'Uuml', - 'Yacute', - 'THORN', - 'szlig', - 'agrave', - 'aacute', - 'acirc', - 'atilde', - 'auml', - 'aring', - 'aelig', - 'ccedil', - 'egrave', - 'eacute', - 'ecirc', - 'euml', - 'igrave', - 'iacute', - 'icirc', - 'iuml', - 'eth', - 'ntilde', - 'ograve', - 'oacute', - 'ocirc', - 'otilde', - 'ouml', - 'divide', - 'oslash', - 'ugrave', - 'uacute', - 'ucirc', - 'uuml', - 'yacute', - 'thorn', - 'yuml', - 'quot', - 'amp', - 'lt', - 'gt', - 'apos', - 'OElig', - 'oelig', - 'Scaron', - 'scaron', - 'Yuml', - 'circ', - 'tilde', - 'ensp', - 'emsp', - 
'thinsp', - 'zwnj', - 'zwj', - 'lrm', - 'rlm', - 'ndash', - 'mdash', - 'lsquo', - 'rsquo', - 'sbquo', - 'ldquo', - 'rdquo', - 'bdquo', - 'dagger', - 'Dagger', - 'permil', - 'lsaquo', - 'rsaquo', - 'euro', - 'fnof', - 'Alpha', - 'Beta', - 'Gamma', - 'Delta', - 'Epsilon', - 'Zeta', - 'Eta', - 'Theta', - 'Iota', - 'Kappa', - 'Lambda', - 'Mu', - 'Nu', - 'Xi', - 'Omicron', - 'Pi', - 'Rho', - 'Sigma', - 'Tau', - 'Upsilon', - 'Phi', - 'Chi', - 'Psi', - 'Omega', - 'alpha', - 'beta', - 'gamma', - 'delta', - 'epsilon', - 'zeta', - 'eta', - 'theta', - 'iota', - 'kappa', - 'lambda', - 'mu', - 'nu', - 'xi', - 'omicron', - 'pi', - 'rho', - 'sigmaf', - 'sigma', - 'tau', - 'upsilon', - 'phi', - 'chi', - 'psi', - 'omega', - 'thetasym', - 'upsih', - 'piv', - 'bull', - 'hellip', - 'prime', - 'Prime', - 'oline', - 'frasl', - 'weierp', - 'image', - 'real', - 'trade', - 'alefsym', - 'larr', - 'uarr', - 'rarr', - 'darr', - 'harr', - 'crarr', - 'lArr', - 'uArr', - 'rArr', - 'dArr', - 'hArr', - 'forall', - 'part', - 'exist', - 'empty', - 'nabla', - 'isin', - 'notin', - 'ni', - 'prod', - 'sum', - 'minus', - 'lowast', - 'radic', - 'prop', - 'infin', - 'ang', - 'and', - 'or', - 'cap', - 'cup', - 'int', - 'sim', - 'cong', - 'asymp', - 'ne', - 'equiv', - 'le', - 'ge', - 'sub', - 'sup', - 'nsub', - 'sube', - 'supe', - 'oplus', - 'otimes', - 'perp', - 'sdot', - 'lceil', - 'rceil', - 'lfloor', - 'rfloor', - 'lang', - 'rang', - 'loz', - 'spades', - 'clubs', - 'hearts', - 'diams', - 'sup1', - 'sup2', - 'sup3', - 'frac14', - 'frac12', - 'frac34', - 'there4', - ); - - $allowedposttags = array_map( '_wp_add_global_attributes', $allowedposttags ); -} else { - $allowedtags = wp_kses_array_lc( $allowedtags ); - $allowedposttags = wp_kses_array_lc( $allowedposttags ); -} - -/** - * Filters text content and strips out disallowed HTML. - * - * This function makes sure that only the allowed HTML element names, attribute - * names, attribute values, and HTML entities will occur in the given text string. 
- * - * This function expects unslashed data. - * - * @see wp_kses_post() for specifically filtering post content and fields. - * @see wp_allowed_protocols() for the default allowed protocols in link URLs. - * - * @since 1.0.0 - * - * @param string $string Text content to filter. - * @param array[]|string $allowed_html An array of allowed HTML elements and attributes, or a - * context name such as 'post'. - * @param string[] $allowed_protocols Array of allowed URL protocols. - * @return string Filtered content containing only the allowed HTML. - */ -function wp_kses( $string, $allowed_html, $allowed_protocols = array() ) { - if ( empty( $allowed_protocols ) ) { - $allowed_protocols = wp_allowed_protocols(); - } - $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) ); - $string = wp_kses_normalize_entities( $string ); - $string = wp_kses_hook( $string, $allowed_html, $allowed_protocols ); - return wp_kses_split( $string, $allowed_html, $allowed_protocols ); -} - -/** - * Filters one HTML attribute and ensures its value is allowed. - * - * This function can escape data in some situations where `wp_kses()` must strip the whole attribute. - * - * @since 4.2.3 - * - * @param string $string The 'whole' attribute, including name and value. - * @param string $element The HTML element name to which the attribute belongs. - * @return string Filtered attribute. - */ -function wp_kses_one_attr( $string, $element ) { - $uris = wp_kses_uri_attributes(); - $allowed_html = wp_kses_allowed_html( 'post' ); - $allowed_protocols = wp_allowed_protocols(); - $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) ); - - // Preserve leading and trailing whitespace. 
- $matches = array(); - preg_match( '/^\s*/', $string, $matches ); - $lead = $matches[0]; - preg_match( '/\s*$/', $string, $matches ); - $trail = $matches[0]; - if ( empty( $trail ) ) { - $string = substr( $string, strlen( $lead ) ); - } else { - $string = substr( $string, strlen( $lead ), -strlen( $trail ) ); - } - - // Parse attribute name and value from input. - $split = preg_split( '/\s*=\s*/', $string, 2 ); - $name = $split[0]; - if ( count( $split ) == 2 ) { - $value = $split[1]; - - // Remove quotes surrounding $value. - // Also guarantee correct quoting in $string for this one attribute. - if ( '' == $value ) { - $quote = ''; - } else { - $quote = $value[0]; - } - if ( '"' == $quote || "'" == $quote ) { - if ( substr( $value, -1 ) != $quote ) { - return ''; - } - $value = substr( $value, 1, -1 ); - } else { - $quote = '"'; - } - - // Sanitize quotes, angle braces, and entities. - $value = esc_attr( $value ); - - // Sanitize URI values. - if ( in_array( strtolower( $name ), $uris ) ) { - $value = wp_kses_bad_protocol( $value, $allowed_protocols ); - } - - $string = "$name=$quote$value$quote"; - $vless = 'n'; - } else { - $value = ''; - $vless = 'y'; - } - - // Sanitize attribute by name. - wp_kses_attr_check( $name, $value, $string, $vless, $element, $allowed_html ); - - // Restore whitespace. - return $lead . $string . $trail; -} - -/** - * Returns an array of allowed HTML tags and attributes for a given context. - * - * @since 3.5.0 - * @since 5.0.1 `form` removed as allowable HTML tag. - * - * @global array $allowedposttags - * @global array $allowedtags - * @global array $allowedentitynames - * - * @param string|array $context The context for which to retrieve tags. Allowed values are 'post', - * 'strip', 'data', 'entities', or the name of a field filter such as - * 'pre_user_description'. - * @return array Array of allowed HTML tags and their allowed attributes. 
- */ -function wp_kses_allowed_html( $context = '' ) { - global $allowedposttags, $allowedtags, $allowedentitynames; - - if ( is_array( $context ) ) { - /** - * Filters the HTML that is allowed for a given context. - * - * @since 3.5.0 - * - * @param array[]|string $context Context to judge allowed tags by. - * @param string $context_type Context name. - */ - return apply_filters( 'wp_kses_allowed_html', $context, 'explicit' ); - } - - switch ( $context ) { - case 'post': - /** This filter is documented in wp-includes/kses.php */ - $tags = apply_filters( 'wp_kses_allowed_html', $allowedposttags, $context ); - - // 5.0.1 removed the `<form>` tag, allow it if a filter is allowing it's sub-elements `<input>` or `<select>`. - if ( ! CUSTOM_TAGS && ! isset( $tags['form'] ) && ( isset( $tags['input'] ) || isset( $tags['select'] ) ) ) { - $tags = $allowedposttags; - - $tags['form'] = array( - 'action' => true, - 'accept' => true, - 'accept-charset' => true, - 'enctype' => true, - 'method' => true, - 'name' => true, - 'target' => true, - ); - - /** This filter is documented in wp-includes/kses.php */ - $tags = apply_filters( 'wp_kses_allowed_html', $tags, $context ); - } - - return $tags; - - case 'user_description': - case 'pre_user_description': - $tags = $allowedtags; - $tags['a']['rel'] = true; - /** This filter is documented in wp-includes/kses.php */ - return apply_filters( 'wp_kses_allowed_html', $tags, $context ); - - case 'strip': - /** This filter is documented in wp-includes/kses.php */ - return apply_filters( 'wp_kses_allowed_html', array(), $context ); - - case 'entities': - /** This filter is documented in wp-includes/kses.php */ - return apply_filters( 'wp_kses_allowed_html', $allowedentitynames, $context ); - - case 'data': - default: - /** This filter is documented in wp-includes/kses.php */ - return apply_filters( 'wp_kses_allowed_html', $allowedtags, $context ); - } -} - -/** - * You add any KSES hooks here. 
- * - * There is currently only one KSES WordPress hook, {@see 'pre_kses'}, and it is called here. - * All parameters are passed to the hooks and expected to receive a string. - * - * @since 1.0.0 - * - * @param string $string Content to filter through KSES. - * @param array[]|string $allowed_html List of allowed HTML elements. - * @param string[] $allowed_protocols Array of allowed URL protocols. - * @return string Filtered content through {@see 'pre_kses'} hook. - */ -function wp_kses_hook( $string, $allowed_html, $allowed_protocols ) { - /** - * Filters content to be run through kses. - * - * @since 2.3.0 - * - * @param string $string Content to run through KSES. - * @param array[]|string $allowed_html Allowed HTML elements. - * @param string[] $allowed_protocols Array of allowed URL protocols. - */ - return apply_filters( 'pre_kses', $string, $allowed_html, $allowed_protocols ); -} - -/** - * Returns the version number of KSES. - * - * @since 1.0.0 - * - * @return string KSES version number. - */ -function wp_kses_version() { - return '0.2.2'; -} - -/** - * Searches for HTML tags, no matter how malformed. - * - * It also matches stray `>` characters. - * - * @since 1.0.0 - * - * @global array $pass_allowed_html - * @global array $pass_allowed_protocols - * - * @param string $string Content to filter. - * @param array $allowed_html Allowed HTML elements. - * @param string[] $allowed_protocols Array of allowed URL protocols. - * @return string Content with fixed HTML tags - */ -function wp_kses_split( $string, $allowed_html, $allowed_protocols ) { - global $pass_allowed_html, $pass_allowed_protocols; - $pass_allowed_html = $allowed_html; - $pass_allowed_protocols = $allowed_protocols; - return preg_replace_callback( '%(<!--.*?(-->|$))|(<[^>]*(>|$)|>)%', '_wp_kses_split_callback', $string ); -} - -/** - * Helper function listing HTML attributes containing a URL. 
- * - * This function returns a list of all HTML attributes that must contain - * a URL according to the HTML specification. - * - * This list includes URI attributes both allowed and disallowed by KSES. - * - * @link https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes - * - * @since 5.0.1 - * - * @return array HTML attributes that must include a URL. - */ -function wp_kses_uri_attributes() { - $uri_attributes = array( - 'action', - 'archive', - 'background', - 'cite', - 'classid', - 'codebase', - 'data', - 'formaction', - 'href', - 'icon', - 'longdesc', - 'manifest', - 'poster', - 'profile', - 'src', - 'usemap', - 'xmlns', - ); - - /** - * Filters the list of attributes that are required to contain a URL. - * - * Use this filter to add any `data-` attributes that are required to be - * validated as a URL. - * - * @since 5.0.1 - * - * @param array $uri_attributes HTML attributes requiring validation as a URL. - */ - $uri_attributes = apply_filters( 'wp_kses_uri_attributes', $uri_attributes ); - - return $uri_attributes; -} - -/** - * Callback for `wp_kses_split()`. - * - * @since 3.1.0 - * @access private - * @ignore - * - * @global array $pass_allowed_html - * @global array $pass_allowed_protocols - * - * @return string - */ -function _wp_kses_split_callback( $match ) { - global $pass_allowed_html, $pass_allowed_protocols; - return wp_kses_split2( $match[0], $pass_allowed_html, $pass_allowed_protocols ); -} - -/** - * Callback for `wp_kses_split()` for fixing malformed HTML tags. - * - * This function does a lot of work. It rejects some very malformed things like - * `<:::>`. It returns an empty string, if the element isn't allowed (look ma, no - * `strip_tags()`!). Otherwise it splits the tag into an element and an attribute - * list. - * - * After the tag is split into an element and an attribute list, it is run - * through another filter which will remove illegal attributes and once that is - * completed, will be returned. 
- * - * @access private - * @ignore - * @since 1.0.0 - * - * @param string $string Content to filter. - * @param array $allowed_html Allowed HTML elements. - * @param string[] $allowed_protocols Array of allowed URL protocols. - * @return string Fixed HTML element - */ -function wp_kses_split2( $string, $allowed_html, $allowed_protocols ) { - $string = wp_kses_stripslashes( $string ); - - // It matched a ">" character. - if ( substr( $string, 0, 1 ) != '<' ) { - return '>'; - } - - // Allow HTML comments. - if ( '<!--' == substr( $string, 0, 4 ) ) { - $string = str_replace( array( '<!--', '-->' ), '', $string ); - while ( $string != ( $newstring = wp_kses( $string, $allowed_html, $allowed_protocols ) ) ) { - $string = $newstring; - } - if ( $string == '' ) { - return ''; - } - // prevent multiple dashes in comments - $string = preg_replace( '/--+/', '-', $string ); - // prevent three dashes closing a comment - $string = preg_replace( '/-$/', '', $string ); - return "<!--{$string}-->"; - } - - // It's seriously malformed. - if ( ! preg_match( '%^<\s*(/\s*)?([a-zA-Z0-9-]+)([^>]*)>?$%', $string, $matches ) ) { - return ''; - } - - $slash = trim( $matches[1] ); - $elem = $matches[2]; - $attrlist = $matches[3]; - - if ( ! is_array( $allowed_html ) ) { - $allowed_html = wp_kses_allowed_html( $allowed_html ); - } - - // They are using a not allowed HTML element. - if ( ! isset( $allowed_html[ strtolower( $elem ) ] ) ) { - return ''; - } - - // No attributes are allowed for closing elements. - if ( $slash != '' ) { - return "</$elem>"; - } - - return wp_kses_attr( $elem, $attrlist, $allowed_html, $allowed_protocols ); -} - -/** - * Removes all attributes, if none are allowed for this element. - * - * If some are allowed it calls `wp_kses_hair()` to split them further, and then - * it builds up new HTML code from the data that `kses_hair()` returns. It also - * removes `<` and `>` characters, if there are any left. 
One more thing it does - * is to check if the tag has a closing XHTML slash, and if it does, it puts one - * in the returned code as well. - * - * @since 1.0.0 - * - * @param string $element HTML element/tag. - * @param string $attr HTML attributes from HTML element to closing HTML element tag. - * @param array $allowed_html Allowed HTML elements. - * @param string[] $allowed_protocols Array of allowed URL protocols. - * @return string Sanitized HTML element. - */ -function wp_kses_attr( $element, $attr, $allowed_html, $allowed_protocols ) { - if ( ! is_array( $allowed_html ) ) { - $allowed_html = wp_kses_allowed_html( $allowed_html ); - } - - // Is there a closing XHTML slash at the end of the attributes? - $xhtml_slash = ''; - if ( preg_match( '%\s*/\s*$%', $attr ) ) { - $xhtml_slash = ' /'; - } - - // Are any attributes allowed at all for this element? - $element_low = strtolower( $element ); - if ( empty( $allowed_html[ $element_low ] ) || true === $allowed_html[ $element_low ] ) { - return "<$element$xhtml_slash>"; - } - - // Split it - $attrarr = wp_kses_hair( $attr, $allowed_protocols ); - - // Go through $attrarr, and save the allowed attributes for this element - // in $attr2 - $attr2 = ''; - foreach ( $attrarr as $arreach ) { - if ( wp_kses_attr_check( $arreach['name'], $arreach['value'], $arreach['whole'], $arreach['vless'], $element, $allowed_html ) ) { - $attr2 .= ' ' . $arreach['whole']; - } - } - - // Remove any "<" or ">" characters - $attr2 = preg_replace( '/[<>]/', '', $attr2 ); - - return "<$element$attr2$xhtml_slash>"; -} - -/** - * Determines whether an attribute is allowed. - * - * @since 4.2.3 - * @since 5.0.0 Add support for `data-*` wildcard attributes. - * - * @param string $name The attribute name. Passed by reference. Returns empty string when not allowed. - * @param string $value The attribute value. Passed by reference. Returns a filtered value. - * @param string $whole The `name=value` input. Passed by reference. 
Returns filtered input. - * @param string $vless Whether the attribute is valueless. Use 'y' or 'n'. - * @param string $element The name of the element to which this attribute belongs. - * @param array $allowed_html The full list of allowed elements and attributes. - * @return bool Whether or not the attribute is allowed. - */ -function wp_kses_attr_check( &$name, &$value, &$whole, $vless, $element, $allowed_html ) { - $allowed_attr = $allowed_html[ strtolower( $element ) ]; - - $name_low = strtolower( $name ); - if ( ! isset( $allowed_attr[ $name_low ] ) || '' == $allowed_attr[ $name_low ] ) { - /* - * Allow `data-*` attributes. - * - * When specifying `$allowed_html`, the attribute name should be set as - * `data-*` (not to be mixed with the HTML 4.0 `data` attribute, see - * https://www.w3.org/TR/html40/struct/objects.html#adef-data). - * - * Note: the attribute name should only contain `A-Za-z0-9_-` chars, - * double hyphens `--` are not accepted by WordPress. - */ - if ( strpos( $name_low, 'data-' ) === 0 && ! empty( $allowed_attr['data-*'] ) && preg_match( '/^data(?:-[a-z0-9_]+)+$/', $name_low, $match ) ) { - /* - * Add the whole attribute name to the allowed attributes and set any restrictions - * for the `data-*` attribute values for the current element. - */ - $allowed_attr[ $match[0] ] = $allowed_attr['data-*']; - } else { - $name = ''; - $value = ''; - $whole = ''; - return false; - } - } - - if ( 'style' == $name_low ) { - $new_value = safecss_filter_attr( $value ); - - if ( empty( $new_value ) ) { - $name = ''; - $value = ''; - $whole = ''; - return false; - } - - $whole = str_replace( $value, $new_value, $whole ); - $value = $new_value; - } - - if ( is_array( $allowed_attr[ $name_low ] ) ) { - // there are some checks - foreach ( $allowed_attr[ $name_low ] as $currkey => $currval ) { - if ( ! 
wp_kses_check_attr_val( $value, $vless, $currkey, $currval ) ) { - $name = ''; - $value = ''; - $whole = ''; - return false; - } - } - } - - return true; -} - -/** - * Builds an attribute list from string containing attributes. - * - * This function does a lot of work. It parses an attribute list into an array - * with attribute data, and tries to do the right thing even if it gets weird - * input. It will add quotes around attribute values that don't have any quotes - * or apostrophes around them, to make it easier to produce HTML code that will - * conform to W3C's HTML specification. It will also remove bad URL protocols - * from attribute values. It also reduces duplicate attributes by using the - * attribute defined first (`foo='bar' foo='baz'` will result in `foo='bar'`). - * - * @since 1.0.0 - * - * @param string $attr |
