function safe_clean_url($url)
{
// Clean up the string
$url = trim($url, "' \" \r \n");
// Check against whitelist for properties allowed to have URL values
if (!in_array($this->property, $this->props_w_urls)) {
return '';
}
$url = wp_kses_bad_protocol_once($url, $this->allowed_protocols);
if (empty($url)) {
return '';
}
return "url('{$url}')";
}
function wp_kses_bad_protocol_once($string, $allowed_protocols, $count = 1)
{
$string2 = preg_split('/:|�*58;|�*3a;/i', $string, 2);
if (isset($string2[1]) && !preg_match('%/\\?%', $string2[0])) {
$string = trim($string2[1]);
$protocol = wp_kses_bad_protocol_once2($string2[0], $allowed_protocols);
if ('feed:' == $protocol) {
if ($count > 2) {
return '';
}
$string = wp_kses_bad_protocol_once($string, $allowed_protocols, ++$count);
if (empty($string)) {
return $string;
}
}
$string = $protocol . $string;
}
return $string;
}
/**
* Sanitize string from bad protocols.
*
* This function removes all non-allowed protocols from the beginning of
* $string. It ignores whitespace and the case of the letters, and it does
* understand HTML entities. It does its work in a while loop, so it won't be
* fooled by a string like "javascript:javascript:alert(57)".
*
* @since 1.0.0
*
* @param string $string Content to filter bad protocols from
* @param array $allowed_protocols Allowed protocols to keep
* @return string Filtered content
*/
function wp_kses_bad_protocol($string, $allowed_protocols)
{
$string = wp_kses_no_null($string);
$string2 = $string . 'a';
while ($string != $string2) {
$string2 = $string;
$string = wp_kses_bad_protocol_once($string, $allowed_protocols);
}
# while
return $string;
}
function wp_kses_bad_protocol($string, $allowed_protocols)
###############################################################################
# This function removes all non-allowed protocols from the beginning of
# $string. It ignores whitespace and the case of the letters, and it does
# understand HTML entities. It does its work in a while loop, so it won't be
# fooled by a string like "javascript:javascript:alert(57)".
###############################################################################
{
$string = wp_kses_no_null($string);
$string = preg_replace('/\xad+/', '', $string); # deals with Opera "feature"
$string2 = $string.'a';
while ($string != $string2) {
$string2 = $string;
$string = wp_kses_bad_protocol_once($string, $allowed_protocols);
} # while
return $string;
} # function wp_kses_bad_protocol
/**
* Sanitize string from bad protocols.
*
* This function removes all non-allowed protocols from the beginning of
* $string. It ignores whitespace and the case of the letters, and it does
* understand HTML entities. It does its work in a while loop, so it won't be
* fooled by a string like "javascript:javascript:alert(57)".
*
* @since 1.0.0
*
* @param string $string Content to filter bad protocols from
* @param array $allowed_protocols Allowed protocols to keep
* @return string Filtered content
*/
function wp_kses_bad_protocol($string, $allowed_protocols)
{
$string = wp_kses_no_null($string);
$string = preg_replace('/\\xad+/', '', $string);
# deals with Opera "feature"
$string2 = $string . 'a';
while ($string != $string2) {
$string2 = $string;
$string = wp_kses_bad_protocol_once($string, $allowed_protocols);
}
# while
return $string;
}
