Example #1
0
 function safe_clean_url($url)
 {
     // Clean up the string
     $url = trim($url, "' \" \r \n");
     // Check against whitelist for properties allowed to have URL values
     if (!in_array($this->property, $this->props_w_urls)) {
         return '';
     }
     $url = wp_kses_bad_protocol_once($url, $this->allowed_protocols);
     if (empty($url)) {
         return '';
     }
     return "url('{$url}')";
 }
function wp_kses_bad_protocol_once($string, $allowed_protocols, $count = 1)
{
    $string2 = preg_split('/:|&#0*58;|&#x0*3a;/i', $string, 2);
    if (isset($string2[1]) && !preg_match('%/\\?%', $string2[0])) {
        $string = trim($string2[1]);
        $protocol = wp_kses_bad_protocol_once2($string2[0], $allowed_protocols);
        if ('feed:' == $protocol) {
            if ($count > 2) {
                return '';
            }
            $string = wp_kses_bad_protocol_once($string, $allowed_protocols, ++$count);
            if (empty($string)) {
                return $string;
            }
        }
        $string = $protocol . $string;
    }
    return $string;
}
Example #3
0
/**
 * Sanitize string from bad protocols.
 *
 * This function removes all non-allowed protocols from the beginning of
 * $string. It ignores whitespace and the case of the letters, and it does
 * understand HTML entities. It does its work in a while loop, so it won't be
 * fooled by a string like "javascript:javascript:alert(57)".
 *
 * @since 1.0.0
 *
 * @param string $string Content to filter bad protocols from
 * @param array $allowed_protocols Allowed protocols to keep
 * @return string Filtered content
 */
function wp_kses_bad_protocol($string, $allowed_protocols)
{
    $string = wp_kses_no_null($string);
    $string2 = $string . 'a';
    while ($string != $string2) {
        $string2 = $string;
        $string = wp_kses_bad_protocol_once($string, $allowed_protocols);
    }
    # while
    return $string;
}
function wp_kses_bad_protocol($string, $allowed_protocols)
###############################################################################
# This function removes all non-allowed protocols from the beginning of
# $string. It ignores whitespace and the case of the letters, and it does
# understand HTML entities. It does its work in a while loop, so it won't be
# fooled by a string like "javascript:javascript:alert(57)".
###############################################################################
{
	$string = wp_kses_no_null($string);
	$string = preg_replace('/\xad+/', '', $string); # deals with Opera "feature"
	$string2 = $string.'a';

	while ($string != $string2) {
		$string2 = $string;
		$string = wp_kses_bad_protocol_once($string, $allowed_protocols);
	} # while

	return $string;
} # function wp_kses_bad_protocol
Example #5
0
/**
 * Sanitize string from bad protocols.
 *
 * This function removes all non-allowed protocols from the beginning of
 * $string. It ignores whitespace and the case of the letters, and it does
 * understand HTML entities. It does its work in a while loop, so it won't be
 * fooled by a string like "javascript:javascript:alert(57)".
 *
 * @since 1.0.0
 *
 * @param string $string Content to filter bad protocols from
 * @param array $allowed_protocols Allowed protocols to keep
 * @return string Filtered content
 */
function wp_kses_bad_protocol($string, $allowed_protocols)
{
    $string = wp_kses_no_null($string);
    $string = preg_replace('/\\xad+/', '', $string);
    # deals with Opera "feature"
    $string2 = $string . 'a';
    while ($string != $string2) {
        $string2 = $string;
        $string = wp_kses_bad_protocol_once($string, $allowed_protocols);
    }
    # while
    return $string;
}