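/**
 * Sanitizes a URL for use in a redirect.
 *
 * Pipeline: well-formed multi-byte UTF-8 runs are handed to
 * _hq_sanitize_utf8_in_redirect() (defined elsewhere; presumably it
 * percent-encodes them), every byte outside a small allow-list is dropped,
 * null bytes are removed, and the percent-encoded CR/LF forms are stripped
 * so the result cannot carry a header-injection payload.
 *
 * @since 0.0.1
 *
 * @param string $location URL to sanitize.
 * @return string redirect-sanitized URL; '' when the PCRE engine fails on the input.
 **/
function hq_sanitize_redirect($location) {
    // Matches only RFC 3629 well-formed sequences: overlongs (C0/C1, E0 80..9F,
    // F0 80..8F), UTF-16 surrogates (ED A0..BF) and code points above U+10FFFF
    // do not match and are therefore removed by the allow-list below.
    $regex = '/
        (
            (?: [\xC2-\xDF][\x80-\xBF]        # double-byte sequences   110xxxxx 10xxxxxx
            |   \xE0[\xA0-\xBF][\x80-\xBF]    # triple-byte sequences   1110xxxx 10xxxxxx * 2
            |   [\xE1-\xEC][\x80-\xBF]{2}
            |   \xED[\x80-\x9F][\x80-\xBF]
            |   [\xEE-\xEF][\x80-\xBF]{2}
            |   \xF0[\x90-\xBF][\x80-\xBF]{2} # four-byte sequences     11110xxx 10xxxxxx * 3
            |   [\xF1-\xF3][\x80-\xBF]{3}
            |   \xF4[\x80-\x8F][\x80-\xBF]{2}
            ){1,40}                           # ...one or more times
        )/x';
    $location = preg_replace_callback($regex, '_hq_sanitize_utf8_in_redirect', $location);
    if ($location === null) {
        // PCRE error (e.g. backtrack limit on a hostile input): fail closed
        // instead of relying on null-to-string coercion further down.
        return '';
    }

    // Drop every byte outside the allow-list. '@' is deliberately absent, so a
    // "user@host" form is degraded rather than passed on.
    $location = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%!*\[\]()]|i', '', $location);
    if ($location === null) {
        return '';
    }
    $location = hq_kses_no_null($location);

    // remove %0d and %0a from location (encoded CR/LF, the header-injection
    // vector). _deep_replace() is defined elsewhere; it is used instead of
    // str_replace() so that a nested encoding such as "%0%0dd" does not
    // survive a single pass -- TODO confirm it loops until stable.
    $strip = array('%0d', '%0a', '%0D', '%0A');
    return _deep_replace($strip, $location);
}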
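/**
 * Inline CSS filter
 *
 * Reduces a style="" attribute value to the declarations whose property name
 * is on the 'safe_style_css' allow-list. The whole value is rejected (empty
 * string returned) if it contains a backslash, '(', '&', '=', '}' or a CSS
 * comment opener, since those are the building blocks of url(), expression()
 * and escape-based tricks. Property names are compared case-sensitively, so
 * 'Color: red' is dropped. A bare item with no ':' is passed through
 * unchanged (legacy behaviour kept for compatibility).
 *
 * @since 0.0.1
 *
 * @param string $css        Value of the style attribute.
 * @param string $deprecated Unused; a non-empty value only triggers a deprecation notice.
 * @return string Filtered CSS, or '' when the input contained a forbidden character.
 */
function safecss_filter_attr($css, $deprecated = '') {
    if (!empty($deprecated)) {
        _deprecated_argument(__FUNCTION__, '2.8.1'); // Never implemented
    }

    $css = hq_kses_no_null($css);
    $css = str_replace(array("\n", "\r", "\t"), '', $css);

    // remove any inline css containing \ ( & } = or comments.
    // preg_match() returns false on a PCRE error; treat that as a match so
    // the filter fails closed instead of letting the value through.
    if (preg_match('%[\\\\(&=}]|/\\*%', $css) !== 0) {
        return '';
    }

    $css_array = explode(';', trim($css));

    /**
     * Filter list of allowed CSS attributes.
     *
     * @since 0.0.1
     *
     * @param array $attr List of allowed CSS attributes.
     */
    $allowed_attr = apply_filters('safe_style_css', array(
        'text-align', 'margin', 'color', 'float', 'border', 'background',
        'background-color', 'border-bottom', 'border-bottom-color',
        'border-bottom-style', 'border-bottom-width', 'border-collapse',
        'border-color', 'border-left', 'border-left-color', 'border-left-style',
        'border-left-width', 'border-right', 'border-right-color',
        'border-right-style', 'border-right-width', 'border-spacing',
        'border-style', 'border-top', 'border-top-color', 'border-top-style',
        'border-top-width', 'border-width', 'caption-side', 'clear', 'cursor',
        'direction', 'font', 'font-family', 'font-size', 'font-style',
        'font-variant', 'font-weight', 'height', 'letter-spacing', 'line-height',
        'margin-bottom', 'margin-left', 'margin-right', 'margin-top', 'overflow',
        'padding', 'padding-bottom', 'padding-left', 'padding-right',
        'padding-top', 'text-decoration', 'text-indent', 'vertical-align',
        'width',
    ));

    // An emptied allow-list disables property filtering; the forbidden-character
    // check above has already run, so the value is returned as-is.
    if (empty($allowed_attr)) {
        return $css;
    }

    $kept = array();
    foreach ($css_array as $css_item) {
        // Trim before the emptiness test so a whitespace-only item is skipped
        // rather than emitted as a doubled ';'.
        $css_item = trim($css_item);
        if ($css_item === '') {
            continue;
        }

        if (strpos($css_item, ':') === false) {
            // No property/value separator: legacy pass-through.
            $kept[] = $css_item;
            continue;
        }

        $parts = explode(':', $css_item);
        if (in_array(trim($parts[0]), $allowed_attr, true)) {
            $kept[] = $css_item;
        }
    }

    return implode(';', $kept);
}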