/** * Determine whether an attribute is allowed. * * @since 4.2.3 * * @param string $name The attribute name. Returns empty string when not allowed. * @param string $value The attribute value. Returns a filtered value. * @param string $whole The name=value input. Returns filtered input. * @param string $vless 'y' when attribute like "enabled", otherwise 'n'. * @param string $element The name of the element to which this attribute belongs. * @param array $allowed_html The full list of allowed elements and attributes. * @return bool Is the attribute allowed? */ function wp_kses_attr_check(&$name, &$value, &$whole, $vless, $element, $allowed_html) { $allowed_attr = $allowed_html[strtolower($element)]; $name_low = strtolower($name); if (!isset($allowed_attr[$name_low]) || '' == $allowed_attr[$name_low]) { $name = $value = $whole = ''; return false; } if ('style' == $name_low) { $new_value = safecss_filter_attr($value); if (empty($new_value)) { $name = $value = $whole = ''; return false; } $whole = str_replace($value, $new_value, $whole); $value = $new_value; } if (is_array($allowed_attr[$name_low])) { // there are some checks foreach ($allowed_attr[$name_low] as $currkey => $currval) { if (!wp_kses_check_attr_val($value, $vless, $currkey, $currval)) { $name = $value = $whole = ''; return false; } } } return true; }
function wp_kses_attr($element, $attr, $allowed_html, $allowed_protocols) ############################################################################### # This function removes all attributes, if none are allowed for this element. # If some are allowed it calls wp_kses_hair() to split them further, and then it # builds up new HTML code from the data that kses_hair() returns. It also # removes "<" and ">" characters, if there are any left. One more thing it # does is to check if the tag has a closing XHTML slash, and if it does, # it puts one in the returned code as well. ############################################################################### { # Is there a closing XHTML slash at the end of the attributes? $xhtml_slash = ''; if (preg_match('%\s/\s*$%', $attr)) $xhtml_slash = ' /'; # Are any attributes allowed at all for this element? if (@ count($allowed_html[strtolower($element)]) == 0) return "<$element$xhtml_slash>"; # Split it $attrarr = wp_kses_hair($attr, $allowed_protocols); # Go through $attrarr, and save the allowed attributes for this element # in $attr2 $attr2 = ''; foreach ($attrarr as $arreach) { if (!@ isset ($allowed_html[strtolower($element)][strtolower($arreach['name'])])) continue; # the attribute is not allowed $current = $allowed_html[strtolower($element)][strtolower($arreach['name'])]; if ($current == '') continue; # the attribute is not allowed if (!is_array($current)) $attr2 .= ' '.$arreach['whole']; # there are no checks else { # there are some checks $ok = true; foreach ($current as $currkey => $currval) if (!wp_kses_check_attr_val($arreach['value'], $arreach['vless'], $currkey, $currval)) { $ok = false; break; } if ($ok) $attr2 .= ' '.$arreach['whole']; # it passed them } # if !is_array($current) } # foreach # Remove any "<" or ">" characters $attr2 = preg_replace('/[<>]/', '', $attr2); return "<$element$attr2$xhtml_slash>"; } # function wp_kses_attr
/** * Removes all attributes, if none are allowed for this element. * * If some are allowed it calls wp_kses_hair() to split them further, and then * it builds up new HTML code from the data that kses_hair() returns. It also * removes "<" and ">" characters, if there are any left. One more thing it does * is to check if the tag has a closing XHTML slash, and if it does, it puts one * in the returned code as well. * * @since 1.0.0 * * @param string $element HTML element/tag * @param string $attr HTML attributes from HTML element to closing HTML element tag * @param array $allowed_html Allowed HTML elements * @param array $allowed_protocols Allowed protocols to keep * @return string Sanitized HTML element */ function wp_kses_attr($element, $attr, $allowed_html, $allowed_protocols) { # Is there a closing XHTML slash at the end of the attributes? $xhtml_slash = ''; if (preg_match('%\\s*/\\s*$%', $attr)) { $xhtml_slash = ' /'; } # Are any attributes allowed at all for this element? if (!isset($allowed_html[strtolower($element)]) || count($allowed_html[strtolower($element)]) == 0) { return "<{$element}{$xhtml_slash}>"; } # Split it $attrarr = wp_kses_hair($attr, $allowed_protocols); # Go through $attrarr, and save the allowed attributes for this element # in $attr2 $attr2 = ''; $allowed_attr = $allowed_html[strtolower($element)]; foreach ($attrarr as $arreach) { if (!isset($allowed_attr[strtolower($arreach['name'])])) { continue; } # the attribute is not allowed $current = $allowed_attr[strtolower($arreach['name'])]; if ($current == '') { continue; } # the attribute is not allowed if (!is_array($current)) { $attr2 .= ' ' . $arreach['whole']; # there are no checks } else { # there are some checks $ok = true; foreach ($current as $currkey => $currval) { if (!wp_kses_check_attr_val($arreach['value'], $arreach['vless'], $currkey, $currval)) { $ok = false; break; } } if (strtolower($arreach['name']) == 'style') { $orig_value = $arreach['value']; $value = safecss_filter_attr($orig_value); if (empty($value)) { continue; } $arreach['value'] = $value; $arreach['whole'] = str_replace($orig_value, $value, $arreach['whole']); } if ($ok) { $attr2 .= ' ' . $arreach['whole']; } # it passed them } # if !is_array($current) } # foreach # Remove any "<" or ">" characters $attr2 = preg_replace('/[<>]/', '', $attr2); return "<{$element}{$attr2}{$xhtml_slash}>"; }
/** * Removes all attributes, if none are allowed for this element. * * If some are allowed it calls wp_kses_hair() to split them further, and then * it builds up new HTML code from the data that kses_hair() returns. It also * removes "<" and ">" characters, if there are any left. One more thing it does * is to check if the tag has a closing XHTML slash, and if it does, it puts one * in the returned code as well. * * @since 1.0.0 * * @param string $element HTML element/tag * @param string $attr HTML attributes from HTML element to closing HTML element tag * @param array $allowed_html Allowed HTML elements * @param array $allowed_protocols Allowed protocols to keep * @return string Sanitized HTML element */ function wp_kses_attr($element, $attr, $allowed_html, $allowed_protocols) { # Is there a closing XHTML slash at the end of the attributes? $xhtml_slash = ''; if (preg_match('%\s/\s*$%', $attr)) $xhtml_slash = ' /'; # Are any attributes allowed at all for this element? if (@ count($allowed_html[strtolower($element)]) == 0) return "<$element$xhtml_slash>"; # Split it $attrarr = wp_kses_hair($attr, $allowed_protocols); # Go through $attrarr, and save the allowed attributes for this element # in $attr2 $attr2 = ''; foreach ($attrarr as $arreach) { if (!@ isset ($allowed_html[strtolower($element)][strtolower($arreach['name'])])) continue; # the attribute is not allowed $current = $allowed_html[strtolower($element)][strtolower($arreach['name'])]; if ($current == '') continue; # the attribute is not allowed if (!is_array($current)) $attr2 .= ' '.$arreach['whole']; # there are no checks else { # there are some checks $ok = true; foreach ($current as $currkey => $currval) if (!wp_kses_check_attr_val($arreach['value'], $arreach['vless'], $currkey, $currval)) { $ok = false; break; } if ($ok) $attr2 .= ' '.$arreach['whole']; # it passed them } # if !is_array($current) } # foreach # Remove any "<" or ">" characters $attr2 = preg_replace('/[<>]/', '', $attr2); return "<$element$attr2$xhtml_slash>"; }