/**
* Determine whether an attribute is allowed.
*
* @since 4.2.3
*
* @param string $name The attribute name. Returns empty string when not allowed.
* @param string $value The attribute value. Returns a filtered value.
* @param string $whole The name=value input. Returns filtered input.
* @param string $vless 'y' when attribute like "enabled", otherwise 'n'.
* @param string $element The name of the element to which this attribute belongs.
* @param array $allowed_html The full list of allowed elements and attributes.
* @return bool Is the attribute allowed?
*/
function wp_kses_attr_check(&$name, &$value, &$whole, $vless, $element, $allowed_html)
{
$allowed_attr = $allowed_html[strtolower($element)];
$name_low = strtolower($name);
if (!isset($allowed_attr[$name_low]) || '' == $allowed_attr[$name_low]) {
$name = $value = $whole = '';
return false;
}
if ('style' == $name_low) {
$new_value = safecss_filter_attr($value);
if (empty($new_value)) {
$name = $value = $whole = '';
return false;
}
$whole = str_replace($value, $new_value, $whole);
$value = $new_value;
}
if (is_array($allowed_attr[$name_low])) {
// there are some checks
foreach ($allowed_attr[$name_low] as $currkey => $currval) {
if (!wp_kses_check_attr_val($value, $vless, $currkey, $currval)) {
$name = $value = $whole = '';
return false;
}
}
}
return true;
}
function wp_kses_attr($element, $attr, $allowed_html, $allowed_protocols)
###############################################################################
# This function removes all attributes, if none are allowed for this element.
# If some are allowed it calls wp_kses_hair() to split them further, and then it
# builds up new HTML code from the data that kses_hair() returns. It also
# removes "<" and ">" characters, if there are any left. One more thing it
# does is to check if the tag has a closing XHTML slash, and if it does,
# it puts one in the returned code as well.
###############################################################################
{
# Is there a closing XHTML slash at the end of the attributes?
$xhtml_slash = '';
if (preg_match('%\s/\s*$%', $attr))
$xhtml_slash = ' /';
# Are any attributes allowed at all for this element?
if (@ count($allowed_html[strtolower($element)]) == 0)
return "<$element$xhtml_slash>";
# Split it
$attrarr = wp_kses_hair($attr, $allowed_protocols);
# Go through $attrarr, and save the allowed attributes for this element
# in $attr2
$attr2 = '';
foreach ($attrarr as $arreach) {
if (!@ isset ($allowed_html[strtolower($element)][strtolower($arreach['name'])]))
continue; # the attribute is not allowed
$current = $allowed_html[strtolower($element)][strtolower($arreach['name'])];
if ($current == '')
continue; # the attribute is not allowed
if (!is_array($current))
$attr2 .= ' '.$arreach['whole'];
# there are no checks
else {
# there are some checks
$ok = true;
foreach ($current as $currkey => $currval)
if (!wp_kses_check_attr_val($arreach['value'], $arreach['vless'], $currkey, $currval)) {
$ok = false;
break;
}
if ($ok)
$attr2 .= ' '.$arreach['whole']; # it passed them
} # if !is_array($current)
} # foreach
# Remove any "<" or ">" characters
$attr2 = preg_replace('/[<>]/', '', $attr2);
return "<$element$attr2$xhtml_slash>";
} # function wp_kses_attr
/**
* Removes all attributes, if none are allowed for this element.
*
* If some are allowed it calls wp_kses_hair() to split them further, and then
* it builds up new HTML code from the data that kses_hair() returns. It also
* removes "<" and ">" characters, if there are any left. One more thing it does
* is to check if the tag has a closing XHTML slash, and if it does, it puts one
* in the returned code as well.
*
* @since 1.0.0
*
* @param string $element HTML element/tag
* @param string $attr HTML attributes from HTML element to closing HTML element tag
* @param array $allowed_html Allowed HTML elements
* @param array $allowed_protocols Allowed protocols to keep
* @return string Sanitized HTML element
*/
function wp_kses_attr($element, $attr, $allowed_html, $allowed_protocols)
{
# Is there a closing XHTML slash at the end of the attributes?
$xhtml_slash = '';
if (preg_match('%\\s*/\\s*$%', $attr)) {
$xhtml_slash = ' /';
}
# Are any attributes allowed at all for this element?
if (!isset($allowed_html[strtolower($element)]) || count($allowed_html[strtolower($element)]) == 0) {
return "<{$element}{$xhtml_slash}>";
}
# Split it
$attrarr = wp_kses_hair($attr, $allowed_protocols);
# Go through $attrarr, and save the allowed attributes for this element
# in $attr2
$attr2 = '';
$allowed_attr = $allowed_html[strtolower($element)];
foreach ($attrarr as $arreach) {
if (!isset($allowed_attr[strtolower($arreach['name'])])) {
continue;
}
# the attribute is not allowed
$current = $allowed_attr[strtolower($arreach['name'])];
if ($current == '') {
continue;
}
# the attribute is not allowed
if (!is_array($current)) {
$attr2 .= ' ' . $arreach['whole'];
# there are no checks
} else {
# there are some checks
$ok = true;
foreach ($current as $currkey => $currval) {
if (!wp_kses_check_attr_val($arreach['value'], $arreach['vless'], $currkey, $currval)) {
$ok = false;
break;
}
}
if (strtolower($arreach['name']) == 'style') {
$orig_value = $arreach['value'];
$value = safecss_filter_attr($orig_value);
if (empty($value)) {
continue;
}
$arreach['value'] = $value;
$arreach['whole'] = str_replace($orig_value, $value, $arreach['whole']);
}
if ($ok) {
$attr2 .= ' ' . $arreach['whole'];
}
# it passed them
}
# if !is_array($current)
}
# foreach
# Remove any "<" or ">" characters
$attr2 = preg_replace('/[<>]/', '', $attr2);
return "<{$element}{$attr2}{$xhtml_slash}>";
}
/**
* Removes all attributes, if none are allowed for this element.
*
* If some are allowed it calls wp_kses_hair() to split them further, and then
* it builds up new HTML code from the data that kses_hair() returns. It also
* removes "<" and ">" characters, if there are any left. One more thing it does
* is to check if the tag has a closing XHTML slash, and if it does, it puts one
* in the returned code as well.
*
* @since 1.0.0
*
* @param string $element HTML element/tag
* @param string $attr HTML attributes from HTML element to closing HTML element tag
* @param array $allowed_html Allowed HTML elements
* @param array $allowed_protocols Allowed protocols to keep
* @return string Sanitized HTML element
*/
function wp_kses_attr($element, $attr, $allowed_html, $allowed_protocols) {
# Is there a closing XHTML slash at the end of the attributes?
$xhtml_slash = '';
if (preg_match('%\s/\s*$%', $attr))
$xhtml_slash = ' /';
# Are any attributes allowed at all for this element?
if (@ count($allowed_html[strtolower($element)]) == 0)
return "<$element$xhtml_slash>";
# Split it
$attrarr = wp_kses_hair($attr, $allowed_protocols);
# Go through $attrarr, and save the allowed attributes for this element
# in $attr2
$attr2 = '';
foreach ($attrarr as $arreach) {
if (!@ isset ($allowed_html[strtolower($element)][strtolower($arreach['name'])]))
continue; # the attribute is not allowed
$current = $allowed_html[strtolower($element)][strtolower($arreach['name'])];
if ($current == '')
continue; # the attribute is not allowed
if (!is_array($current))
$attr2 .= ' '.$arreach['whole'];
# there are no checks
else {
# there are some checks
$ok = true;
foreach ($current as $currkey => $currval)
if (!wp_kses_check_attr_val($arreach['value'], $arreach['vless'], $currkey, $currval)) {
$ok = false;
break;
}
if ($ok)
$attr2 .= ' '.$arreach['whole']; # it passed them
} # if !is_array($current)
} # foreach
# Remove any "<" or ">" characters
$attr2 = preg_replace('/[<>]/', '', $attr2);
return "<$element$attr2$xhtml_slash>";
}
