/**
* Sanitises a fragment of XML code.
*
* @since 1.4
*
* @param string $xml
* @return string
*/
public static function ksesXML($xml)
{
$xml = wp_kses_no_null($xml);
$xml = wp_kses_js_entities($xml);
$xml = wp_kses_normalize_entities($xml);
return preg_replace_callback('%(<[^>]*(>|$)|>)%', array('self', 'kses_split'), $xml);
}
function wp_kses($string, $allowed_html, $allowed_protocols = array('http', 'https', 'ftp', 'news', 'nntp', 'telnet', 'feed', 'gopher', 'mailto'))
{
$string = wp_kses_no_null($string);
$string = wp_kses_js_entities($string);
$string = wp_kses_normalize_entities($string);
$string = wp_kses_hook($string);
$allowed_html_fixed = wp_kses_array_lc($allowed_html);
return wp_kses_split($string, $allowed_html_fixed, $allowed_protocols);
}
/**
* Filters content and keeps only allowable HTML elements.
*
* This function makes sure that only the allowed HTML element names, attribute
* names and attribute values plus only sane HTML entities will occur in
* $string. You have to remove any slashes from PHP's magic quotes before you
* call this function.
*
* The default allowed protocols are 'http', 'https', 'ftp', 'mailto', 'news',
* 'irc', 'gopher', 'nntp', 'feed', and finally 'telnet. This covers all common
* link protocols, except for 'javascript' which should not be allowed for
* untrusted users.
*
* @since 1.0.0
*
* @param string $string Content to filter through kses
* @param array $allowed_html List of allowed HTML elements
* @param array $allowed_protocols Optional. Allowed protocol in links.
* @return string Filtered content with only allowed HTML elements
*/
function wp_kses($string, $allowed_html, $allowed_protocols = array('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet'))
{
$string = wp_kses_no_null($string);
$string = wp_kses_js_entities($string);
$string = wp_kses_normalize_entities($string);
$allowed_html_fixed = wp_kses_array_lc($allowed_html);
$string = wp_kses_hook($string, $allowed_html_fixed, $allowed_protocols);
// WP changed the order of these funcs and added args to wp_kses_hook
return wp_kses_split($string, $allowed_html_fixed, $allowed_protocols);
}
/**
* Filters content and keeps only allowable HTML elements.
*
* This function makes sure that only the allowed HTML element names, attribute
* names and attribute values plus only sane HTML entities will occur in
* $string. You have to remove any slashes from PHP's magic quotes before you
* call this function.
*
* The default allowed protocols are 'http', 'https', 'ftp', 'mailto', 'news',
* 'irc', 'gopher', 'nntp', 'feed', 'telnet, 'mms', 'rtsp' and 'svn'. This
* covers all common link protocols, except for 'javascript' which should not
* be allowed for untrusted users.
*
* @since 1.0.0
*
* @param string $string Content to filter through kses
* @param array $allowed_html List of allowed HTML elements
* @param array $allowed_protocols Optional. Allowed protocol in links.
* @return string Filtered content with only allowed HTML elements
*/
function wp_kses($string, $allowed_html, $allowed_protocols = array())
{
global $allowedprotocols;
if (empty($allowed_protocols)) {
$allowed_protocols = $allowedprotocols;
}
$string = wp_kses_no_null($string);
$string = wp_kses_js_entities($string);
$string = wp_kses_normalize_entities($string);
return wp_kses_split($string, $allowed_html, $allowed_protocols);
}
function wp_kses($string, $allowed_html, $allowed_protocols = array ('http', 'https', 'ftp', 'news', 'nntp', 'telnet', 'feed', 'gopher', 'mailto'))
###############################################################################
# This function makes sure that only the allowed HTML element names, attribute
# names and attribute values plus only sane HTML entities will occur in
# $string. You have to remove any slashes from PHP's magic quotes before you
# call this function.
###############################################################################
{
$string = wp_kses_no_null($string);
$string = wp_kses_js_entities($string);
$string = wp_kses_normalize_entities($string);
$string = wp_kses_hook($string);
$allowed_html_fixed = wp_kses_array_lc($allowed_html);
return wp_kses_split($string, $allowed_html_fixed, $allowed_protocols);
} # function wp_kses
/**
* Filters one attribute only and ensures its value is allowed.
*
* This function has the advantage of being more secure than esc_attr() and can
* escape data in some situations where wp_kses() must strip the whole attribute.
*
* @since 4.2.3
*
* @param string $string The 'whole' attribute, including name and value.
* @param string $element The element name to which the attribute belongs.
* @return string Filtered attribute.
*/
function wp_kses_one_attr($string, $element)
{
$uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');
$allowed_html = wp_kses_allowed_html('post');
$allowed_protocols = wp_allowed_protocols();
$string = wp_kses_no_null($string, array('slash_zero' => 'keep'));
$string = wp_kses_js_entities($string);
// Preserve leading and trailing whitespace.
$matches = array();
preg_match('/^\\s*/', $string, $matches);
$lead = $matches[0];
preg_match('/\\s*$/', $string, $matches);
$trail = $matches[0];
if (empty($trail)) {
$string = substr($string, strlen($lead));
} else {
$string = substr($string, strlen($lead), -strlen($trail));
}
// Parse attribute name and value from input.
$split = preg_split('/\\s*=\\s*/', $string, 2);
$name = $split[0];
if (count($split) == 2) {
$value = $split[1];
// Remove quotes surrounding $value.
// Also guarantee correct quoting in $string for this one attribute.
if ('' == $value) {
$quote = '';
} else {
$quote = $value[0];
}
if ('"' == $quote || "'" == $quote) {
if (substr($value, -1) != $quote) {
return '';
}
$value = substr($value, 1, -1);
} else {
$quote = '"';
}
// Sanitize quotes, angle braces, and entities.
$value = esc_attr($value);
// Sanitize URI values.
if (in_array(strtolower($name), $uris)) {
$value = wp_kses_bad_protocol($value, $allowed_protocols);
}
$string = "{$name}={$quote}{$value}{$quote}";
$vless = 'n';
} else {
$value = '';
$vless = 'y';
}
// Sanitize attribute by name.
wp_kses_attr_check($name, $value, $string, $vless, $element, $allowed_html);
// Restore whitespace.
return $lead . $string . $trail;
}
/**
* Filters content and keeps only allowable HTML elements.
*
* This function makes sure that only the allowed HTML element names, attribute
* names and attribute values plus only sane HTML entities will occur in
* $string. You have to remove any slashes from PHP's magic quotes before you
* call this function.
*
* The default allowed protocols are 'http', 'https', 'ftp', 'mailto', 'news',
* 'irc', 'gopher', 'nntp', 'feed', 'telnet, 'mms', 'rtsp' and 'svn'. This
* covers all common link protocols, except for 'javascript' which should not
* be allowed for untrusted users.
*
* @since 1.0.0
*
* @param string $string Content to filter through kses
* @param array $allowed_html List of allowed HTML elements
* @param array $allowed_protocols Optional. Allowed protocol in links.
* @return string Filtered content with only allowed HTML elements
*/
function wp_kses( $string, $allowed_html, $allowed_protocols = array() ) {
if ( empty( $allowed_protocols ) )
$allowed_protocols = wp_allowed_protocols();
$string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
$string = wp_kses_js_entities($string);
$string = wp_kses_normalize_entities($string);
$string = wp_kses_hook($string, $allowed_html, $allowed_protocols); // WP changed the order of these funcs and added args to wp_kses_hook
return wp_kses_split($string, $allowed_html, $allowed_protocols);
}
/**
* Filters content and keeps only allowable HTML elements.
*
* This function makes sure that only the allowed HTML element names, attribute
* names and attribute values plus only sane HTML entities will occur in
* $string. You have to remove any slashes from PHP's magic quotes before you
* call this function.
*
* The default allowed protocols are 'http', 'https', 'ftp', 'mailto', 'news',
* 'irc', 'gopher', 'nntp', 'feed', 'telnet, 'mms', 'rtsp' and 'svn'. This
* covers all common link protocols, except for 'javascript' which should not
* be allowed for untrusted users.
*
* @since 1.0.0
*
* @param string $string Content to filter through kses
* @param array $allowed_html List of allowed HTML elements
* @param array $allowed_protocols Optional. Allowed protocol in links.
* @return string Filtered content with only allowed HTML elements
*/
function wp_kses($string, $allowed_html, $allowed_protocols = array())
{
if (empty($allowed_protocols)) {
$allowed_protocols = wp_allowed_protocols();
}
$string = wp_kses_no_null($string);
$string = wp_kses_js_entities($string);
$string = wp_kses_normalize_entities($string);
$allowed_html_fixed = wp_kses_array_lc($allowed_html);
$string = wp_kses_hook($string, $allowed_html_fixed, $allowed_protocols);
// WP changed the order of these funcs and added args to wp_kses_hook
return wp_kses_split($string, $allowed_html_fixed, $allowed_protocols);
}
static function wp_kses($string, $allowed_html, $allowed_protocols = array())
{
$string = wp_kses_no_null($string);
$string = wp_kses_js_entities($string);
$string = wp_kses_normalize_entities($string);
return VaultPress_kses::wp_kses_split($string, $allowed_html, $allowed_protocols);
}
/**
* Escapes the given string for the KSES filter with the criteria of allowing/disallowing tags and the protocol.
*
* @remark Attributes are not supported at this moment.
* @param array $aAllowedTags e.g. array( 'noscript', 'style', )
* @param array $aDisallowedTags e.g. array( 'table', 'tbody', 'thoot', 'thead', 'th', 'tr' )
* @since 2.0.0
*/
public static function escapeKSESFilter($sString, $aAllowedTags = array(), $aDisallowedTags = array(), $aAllowedProtocols = array())
{
foreach ($aAllowedTags as $sTag) {
$aFormatAllowedTags[$sTag] = array();
// activate the inline style attribute.
}
$aAllowedHTMLTags = AmazonAutoLinks_Utility::uniteArrays($aFormatAllowedTags, $GLOBALS['allowedposttags']);
// the first parameter takes over the second.
foreach ($aDisallowedTags as $sTag) {
if (isset($aAllowedHTMLTags[$sTag])) {
unset($aAllowedHTMLTags[$sTag]);
}
}
if (empty($aAllowedProtocols)) {
$aAllowedProtocols = wp_allowed_protocols();
}
$sString = addslashes($sString);
// the original function call was doing this - could be redundant but haven't fully tested it
$sString = stripslashes($sString);
// wp_filter_post_kses()
$sString = wp_kses_no_null($sString);
// wp_kses()
$sString = wp_kses_js_entities($sString);
// wp_kses()
$sString = wp_kses_normalize_entities($sString);
// wp_kses()
$sString = wp_kses_hook($sString, $aAllowedHTMLTags, $aAllowedProtocols);
// WP changed the order of these funcs and added args to wp_kses_hook
$sString = wp_kses_split($sString, $aAllowedHTMLTags, $aAllowedProtocols);
$sString = addslashes($sString);
// wp_filter_post_kses()
$sString = stripslashes($sString);
// the original function call was doing this - could be redundant but haven't fully tested it
return $sString;
}
function EscapeAndFilterPostKSES($strString, $arrAllowedTags = array(), $arrDisallowedTags = array(), $arrAllowedProtocols = array())
{
// $arrAllowedTags : e.g. array( 'noscript' => array(), 'style' => array() );
// $arrDisallowedTags : e.g. array( 'table', 'tbody', 'thoot', 'thead', 'th', 'tr' );
global $allowedposttags;
// $arrAllowedHTML = array_replace_recursive( $allowedposttags, $arrAllowedTags ); // the second parameter takes over the first.
// $arrAllowedHTML = wp_parse_args( $arrAllowedTags, $allowedposttags ); // the first parameter takes over the second.
$arrAllowedHTML = $this->oUtil->UniteArraysRecursive($arrAllowedTags, $allowedposttags);
// the first parameter takes over the second.
foreach ($arrDisallowedTags as $strTag) {
if (isset($arrAllowedHTML[$strTag])) {
unset($arrAllowedHTML[$strTag]);
}
}
if (empty($arrAllowedProtocols)) {
$arrAllowedProtocols = wp_allowed_protocols();
}
$strString = addslashes($strString);
// the original function call was doing this - could be redundant but haven't fully tested it
$strString = stripslashes($strString);
// wp_filter_post_kses()
$strString = wp_kses_no_null($strString);
// wp_kses()
$strString = wp_kses_js_entities($strString);
// wp_kses()
$strString = wp_kses_normalize_entities($strString);
// wp_kses()
$strString = wp_kses_hook($strString, $arrAllowedHTML, $arrAllowedProtocols);
// WP changed the order of these funcs and added args to wp_kses_hook
$strString = wp_kses_split($strString, $arrAllowedHTML, $arrAllowedProtocols);
$strString = addslashes($strString);
// wp_filter_post_kses()
$strString = stripslashes($strString);
// the original function call was doing this - could be redundant but haven't fully tested it
return $strString;
}
