function test_wp_kses_bad_protocol() {
    // Inputs that wp_kses_bad_protocol() must neutralise.
    // NOTE(review): several entries read as plain 'javascript:alert(1);' in
    // this copy; they look like entity-encoded variants whose entities were
    // decoded when the file was extracted, and the 'XSS' and 'blah' entries
    // are not valid PHP as shown. Confirm against the upstream test before
    // relying on the case indices referenced in the switch below.
    $bad = array(
        'dummy:alert(1)',
        'javascript:alert(1)',
        'JaVaScRiPt:alert(1)',
        'javascript:alert(1);',
        'javascript:alert(1);',
        'javascript:alert(1);',
        'javascript:alert(1);',
        'javascript:alert(1);',
        'javascript:alert(1);',
        'javascript:alert(1);',
        'javascript:alert(1);',
        'javascript:alert(1);',
        'javascript:alert('XSS')',
        'jav ascript:alert(1);',
        'jav	ascript:alert(1);',
        'jav
ascript:alert(1);',
        'jav
ascript:alert(1);',
        '  javascript:alert(1);',
        'javascript:javascript:alert(1);',
        'javascript:javascript:alert(1);',
        'javascript:javascript:alert(1);',
        'javascript:javascript:alert(1);',
        'javascript:javascript:alert(1);',
        'javascript:alert(1)//?:',
        'feed:javascript:alert(1)',
        'feed:javascript:feed:javascript:feed:javascript:alert(1)',
    );

    // Every input must come back empty or with its scheme stripped; the
    // listed indices are the documented exceptions where a specific residue
    // (an encoded colon, or an inner scheme removed) is the expected result.
    foreach ($bad as $k => $x) {
        $result = wp_kses_bad_protocol(wp_kses_normalize_entities($x), wp_allowed_protocols());
        if (!empty($result) && $result != 'alert(1);' && $result != 'alert(1)') {
            switch ($k) {
                case 6:
                    $this->assertEquals('javascript&#0000058alert(1);', $result);
                    break;
                case 12:
                    $this->assertEquals(str_replace('&', '&', $x), $result);
                    break;
                case 22:
                    $this->assertEquals('javascript&#0000058alert(1);', $result);
                    break;
                case 23:
                    $this->assertEquals('javascript&#0000058alert(1)//?:', $result);
                    break;
                case 24:
                    $this->assertEquals('feed:alert(1)', $result);
                    break;
                default:
                    $this->fail("wp_kses_bad_protocol failed on {$x}. Result: {$result}");
            }
        }
    }

    // Inputs using an allowed scheme must pass through; the second accepted
    // form covers entity-normalised spellings of the same URL.
    $safe = array(
        'dummy:alert(1)',
        'HTTP://example.org/',
        'http://example.org/',
        'http://example.org/',
        'http://example.org/',
        'https://example.org',
        'http://example.org/wp-admin/post.php?post=2&action=edit',
        'http://example.org/index.php?test='blah'',
    );
    foreach ($safe as $x) {
        $result = wp_kses_bad_protocol(wp_kses_normalize_entities($x), array('http', 'https', 'dummy'));
        if ($result != $x && $result != 'http://example.org/') {
            $this->fail("wp_kses_bad_protocol incorrectly blocked {$x}");
        }
    }
}
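/**
 * Returns the link protocols this integration accepts.
 *
 * Starts from wp_allowed_protocols() and removes every protocol named by
 * self::get_blacklisted_protocols(). The result is memoised in
 * self::$allowed_protocols for the rest of the request.
 *
 * @return array Allowed protocols, keys preserved from wp_allowed_protocols().
 */
private static function get_allowed_protocols() {
    if (isset(self::$allowed_protocols)) {
        return self::$allowed_protocols;
    }

    $blacklisted_protocols = self::get_blacklisted_protocols();
    $allowed_protocols = wp_allowed_protocols();

    // Remove blacklisted entries whether the list is keyed by protocol name
    // (what the key-only diff handles) or, as wp_allowed_protocols() returns
    // in core, a plain list of names. The key-only diff never matches a plain
    // list, so on its own the blacklist was silently ignored.
    $allowed_protocols = array_diff_key($allowed_protocols, array_fill_keys($blacklisted_protocols, false));
    $allowed_protocols = array_diff($allowed_protocols, $blacklisted_protocols);

    self::$allowed_protocols = $allowed_protocols;

    return $allowed_protocols;
}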
/**
 * Filters content down to the allowed HTML elements, attributes and entities.
 *
 * Callers must strip magic-quote slashes before calling. When no protocol
 * list is given, wp_allowed_protocols() is used; 'javascript' is deliberately
 * not part of that default.
 *
 * @since 1.0.0
 *
 * @param string $string            Content to filter through kses.
 * @param array  $allowed_html      Allowed elements; keys are lower-cased before use.
 * @param array  $allowed_protocols Optional. Allowed link protocols; defaults to wp_allowed_protocols().
 * @return string Filtered content with only allowed HTML elements.
 */
function wp_kses($string, $allowed_html, $allowed_protocols = array()) {
    // An empty protocol list falls back to the core defaults.
    $protocols = empty($allowed_protocols) ? wp_allowed_protocols() : $allowed_protocols;

    // Lower-case the allow-list once so element/attribute lookups are case-insensitive.
    $allowed_html_fixed = wp_kses_array_lc($allowed_html);

    // NUL stripping, JS entity removal and entity normalisation run, in that
    // order, before the hook and the split.
    $cleaned = wp_kses_normalize_entities(wp_kses_js_entities(wp_kses_no_null($string)));
    $cleaned = wp_kses_hook($cleaned, $allowed_html_fixed, $protocols);

    return wp_kses_split($cleaned, $allowed_html_fixed, $protocols);
}
/**
 * esc_url() keeps a URL whose scheme is allowed and returns '' otherwise,
 * both with the default wp_allowed_protocols() list and an explicit list.
 */
function test_protocol() {
    $this->assertEquals('http://example.com', esc_url('http://example.com'));
    $this->assertEquals('', esc_url('nasty://example.com/'));
    $this->assertEquals('', esc_url('example.com', array('https')));
    $this->assertEquals('', esc_url('http://example.com', array('https')));
    $this->assertEquals('https://example.com', esc_url('https://example.com', array('http', 'https')));

    // Every default scheme survives, with and without being named explicitly.
    $defaults = wp_allowed_protocols();
    foreach ($defaults as $scheme) {
        $url = "{$scheme}://example.com";
        $this->assertEquals($url, esc_url($url), $scheme);
        $this->assertEquals($url, esc_url($url, array($scheme)), $scheme);
    }

    // 'data' is not a default scheme and is dropped.
    $this->assertFalse(in_array('data', $defaults, true));
    $this->assertEquals('', esc_url('data:text/plain;base64,SGVsbG8sIFdvcmxkIQ%3D%3D'));

    // An unknown scheme is kept only when the caller allows it.
    $this->assertFalse(in_array('foo', $defaults, true));
    $this->assertEquals('foo://example.com', esc_url('foo://example.com', array('foo')));
}
/**
 * Checks and cleans a URL (a copy of WordPress' esc_url()).
 *
 * Strips characters outside the URL-safe set, removes encoded CR/LF, repairs
 * ';//' to '://', prepends 'http://' when no scheme is present (unless the
 * value looks relative or like a PHP file), entity-encodes for display and
 * finally rejects any scheme not in $protocols.
 *
 * @param string     $url       The URL to be cleaned.
 * @param array|null $protocols Optional. Allowed schemes; anything but an array means wp_allowed_protocols().
 * @param string     $_context  'display' (default) applies the entity replacements; any other value skips them.
 * @return string The cleaned URL, passed through the 'clean_url' filter, or '' if the scheme is not allowed.
 */
function nextgen_esc_url($url, $protocols = null, $_context = 'display') {
    $original_url = $url;

    if ('' == $url) {
        return $url;
    }

    // Drop anything outside the URL-safe character set.
    $url = preg_replace('|[^a-z0-9 \\-~+_.?#=!&;,/:%@$\\|*\'()\\x80-\\xff]|i', '', $url);
    // NOTE(review): if the replace above leaves $url empty, the $url[0] reads
    // below touch an out-of-range offset — confirm callers cannot pass such input.

    // Remove encoded line breaks, repeatedly, so nested encodings cannot survive.
    $strip = array('%0d', '%0a', '%0D', '%0A');
    $url = _deep_replace($strip, $url);
    $url = str_replace(';//', '://', $url);

    /* If the URL doesn't appear to contain a scheme, we
     * presume it needs http:// appended (unless a relative
     * link starting with /, # or ? or a php file).
     */
    if (strpos($url, ':') === false && !in_array($url[0], array('/', '#', '?')) && !preg_match('/^[a-z0-9-]+?\\.php/i', $url)) {
        $url = 'http://' . $url;
    }

    // Replace ampersands and single quotes only when displaying.
    // NOTE(review): the replacement strings of the next two str_replace() calls
    // look entity-decoded in this copy (the quote replacement is not valid PHP
    // as shown) — confirm the intended entities against the upstream esc_url().
    if ('display' == $_context) {
        $url = wp_kses_normalize_entities($url);
        $url = str_replace('&', '&', $url);
        $url = str_replace("'", ''', $url);
        $url = str_replace('%', '%25', $url);
        $url = str_replace(' ', '%20', $url);
    }

    // A root-relative URL has no scheme to check.
    if ('/' === $url[0]) {
        $good_protocol_url = $url;
    } else {
        if (!is_array($protocols)) {
            $protocols = wp_allowed_protocols();
        }
        // If wp_kses_bad_protocol() changed anything (case aside), the scheme
        // was not allowed and the whole URL is rejected.
        $good_protocol_url = wp_kses_bad_protocol($url, $protocols);
        if (strtolower($good_protocol_url) != strtolower($url)) {
            return '';
        }
    }

    return apply_filters('clean_url', $good_protocol_url, $original_url, $_context);
}
/**
 * Save section data
 *
 * Reads the profile fields from $_POST, sanitizes them onto $user and records
 * validation problems in $this->errors. A login or nickname problem stops the
 * save early and returns the error object; otherwise name, description,
 * website and contact methods are set and parent::save() is called.
 *
 * @since 0.2.0
 *
 * @param WP_User $user
 * @return WP_Error|void The error object when login/nickname validation fails.
 */
public function save($user = null) {
    // User Login
    if (isset($_POST['user_login'])) {
        $login = sanitize_user($_POST['user_login'], true);
        $user->user_login = $login;

        if (!validate_username($login)) {
            $this->errors->add('user_login', __('<strong>ERROR</strong>: This username is invalid because it uses illegal characters. Please enter a valid username.'));
        }
        if (username_exists($login)) {
            $this->errors->add('user_login', __('<strong>ERROR</strong>: This username is already registered. Please choose another one.'));
        }
        if (empty($login)) {
            $this->errors->add('user_login', __('<strong>ERROR</strong>: Please enter a username.'));
        }

        // Stop at the first failing section.
        if ($this->errors->get_error_code()) {
            return $this->errors;
        }
    }

    // First / Last
    $user->first_name = isset($_POST['first_name']) ? sanitize_text_field($_POST['first_name']) : '';
    $user->last_name = isset($_POST['last_name']) ? sanitize_text_field($_POST['last_name']) : '';

    // Nickname
    if (isset($_POST['nickname'])) {
        $user->nickname = sanitize_text_field($_POST['nickname']);
        if (empty($user->nickname)) {
            $this->errors->add('nickname', __('<strong>ERROR</strong>: Please enter a nickname.'));
            return $this->errors;
        }
    }

    // Display
    $user->display_name = isset($_POST['display_name']) ? sanitize_text_field($_POST['display_name']) : '';

    // Description (trimmed only, not passed through sanitize_text_field)
    $user->description = isset($_POST['description']) ? trim($_POST['description']) : '';

    // Website
    if (isset($_POST['url'])) {
        $posted_url = $_POST['url'];
        // An empty value, or a bare scheme name such as 'http', clears the URL.
        if (empty($posted_url) || in_array($posted_url, wp_allowed_protocols(), true)) {
            $user->user_url = '';
        } else {
            $clean_url = esc_url_raw($posted_url);
            // Prefix http:// unless the URL already starts with an allowed scheme.
            $scheme_pattern = implode('|', array_map('preg_quote', wp_allowed_protocols()));
            if (!preg_match('/^(' . $scheme_pattern . '):/is', $clean_url)) {
                $clean_url = 'http://' . $clean_url;
            }
            $user->user_url = $clean_url;
        }
    }

    // Contact methods
    foreach (wp_get_user_contact_methods($user) as $method => $label) {
        if (isset($_POST[$method])) {
            $user->{$method} = sanitize_text_field($_POST[$method]);
        }
    }

    // Allow third party plugins to save data in this section
    parent::save($user);
}
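/**
 * Sanitize the field choices property.
 *
 * Normalises each choice in place: isSelected is cast to bool, a non-empty
 * price is reformatted as money, text goes through maybe_wp_kses(), and value
 * has scripts stripped (without entity-encoding) via the kses hook/split passes.
 *
 * @param array|null $choices The field choices property. Null means $this->choices,
 *                            which is then modified in place.
 *
 * @return array|null The sanitized choices, or the input unchanged when it is not an array.
 */
public function sanitize_settings_choices($choices = null) {
    if (is_null($choices)) {
        $choices =& $this->choices;
    }

    if (!is_array($choices)) {
        return $choices;
    }

    // Loop-invariant; fetched once instead of per choice.
    $allowed_protocols = wp_allowed_protocols();

    foreach ($choices as &$choice) {
        if (isset($choice['isSelected'])) {
            $choice['isSelected'] = (bool) $choice['isSelected'];
        }

        if (!empty($choice['price'])) {
            $price_number = GFCommon::to_number($choice['price']);
            $choice['price'] = GFCommon::to_money($price_number);
        }

        if (isset($choice['text'])) {
            $choice['text'] = $this->maybe_wp_kses($choice['text']);
        }

        if (isset($choice['value'])) {
            // Strip scripts but don't encode: run the kses hook and split
            // passes without the entity normalisation wp_kses() would add.
            $choice['value'] = wp_kses_no_null($choice['value'], array('slash_zero' => 'keep'));
            $choice['value'] = wp_kses_hook($choice['value'], 'post', $allowed_protocols);
            $choice['value'] = wp_kses_split($choice['value'], 'post', $allowed_protocols);
        }
    }
    // Break the by-reference binding left behind by the foreach; otherwise the
    // last element stays aliased to $choice.
    unset($choice);

    return $choices;
}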
/**
 * The contact schemes used by profile links must be in wp_allowed_protocols().
 */
function test_allowed_protocols() {
    $allowed_protocols = wp_allowed_protocols();
    foreach (array('skype', 'tel', 'mailto') as $protocol) {
        $message = "{$protocol} should be also allowed protocol";
        $this->assertContains($protocol, $allowed_protocols, $message);
    }
}
/**
 * Filters one attribute only and ensures its value is allowed.
 *
 * This function has the advantage of being more secure than esc_attr() and can
 * escape data in some situations where wp_kses() must strip the whole attribute.
 *
 * The pipeline is: strip NULs and JS entities, detach leading/trailing
 * whitespace, split on the first '=', normalise quoting, esc_attr() the value,
 * run URI-valued attributes through wp_kses_bad_protocol(), then hand the
 * rebuilt attribute to wp_kses_attr_check() before re-attaching the whitespace.
 *
 * @since 4.2.3
 *
 * @param string $string The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute, or '' when the value's quoting is unbalanced.
 */
function wp_kses_one_attr($string, $element) {
    // Attributes whose values are URIs and therefore need a protocol check.
    $uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');
    $allowed_html = wp_kses_allowed_html('post');
    $allowed_protocols = wp_allowed_protocols();
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $string = wp_kses_js_entities($string);

    // Preserve leading and trailing whitespace.
    $matches = array();
    preg_match('/^\\s*/', $string, $matches);
    $lead = $matches[0];
    preg_match('/\\s*$/', $string, $matches);
    $trail = $matches[0];
    if (empty($trail)) {
        $string = substr($string, strlen($lead));
    } else {
        $string = substr($string, strlen($lead), -strlen($trail));
    }

    // Parse attribute name and value from input.
    $split = preg_split('/\\s*=\\s*/', $string, 2);
    $name = $split[0];
    if (count($split) == 2) {
        $value = $split[1];

        // Remove quotes surrounding $value.
        // Also guarantee correct quoting in $string for this one attribute.
        if ('' == $value) {
            $quote = '';
        } else {
            $quote = $value[0];
        }
        if ('"' == $quote || "'" == $quote) {
            // A value that opens with a quote must close with the same quote.
            if (substr($value, -1) != $quote) {
                return '';
            }
            $value = substr($value, 1, -1);
        } else {
            // Unquoted (or empty) values are re-emitted double-quoted.
            $quote = '"';
        }

        // Sanitize quotes, angle braces, and entities.
        $value = esc_attr($value);

        // Sanitize URI values.
        if (in_array(strtolower($name), $uris)) {
            $value = wp_kses_bad_protocol($value, $allowed_protocols);
        }

        $string = "{$name}={$quote}{$value}{$quote}";
        $vless = 'n';
    } else {
        // No '=' found: treated as a value-less attribute.
        $value = '';
        $vless = 'y';
    }

    // Sanitize attribute by name.
    // NOTE(review): the return value is unused, so wp_kses_attr_check() is
    // presumably expected to rewrite $string by reference — verify.
    wp_kses_attr_check($name, $value, $string, $vless, $element, $allowed_html);

    // Restore whitespace.
    return $lead . $string . $trail;
}
/**
 * Override this method to implement the appropriate sanitization specific to the field type before the value is saved.
 *
 * This base method provides a generic sanitization similar to wp_kses but values are not encoded.
 * Scripts are stripped out leaving allowed tags if HTML is allowed.
 *
 * @param string $value   The field value to be processed.
 * @param int    $form_id The ID of the form currently being processed.
 *
 * @return string
 */
public function sanitize_entry_value($value, $form_id) {
    // Array values are not sanitized here; they are dropped.
    if (is_array($value)) {
        return '';
    }

    // allow HTML for certain field types; the filter may widen or narrow the tag list.
    $allowable_tags = gf_apply_filters(
        array('gform_allowable_tags', $form_id),
        $this->allow_html(),
        $this,
        $form_id
    );
    if (true !== $allowable_tags) {
        $value = strip_tags($value, $allowable_tags);
    }

    // kses without the entity-normalisation pass, so the stored value is not encoded.
    $allowed_protocols = wp_allowed_protocols();
    $sanitized = wp_kses_no_null($value, array('slash_zero' => 'keep'));
    $sanitized = wp_kses_hook($sanitized, 'post', $allowed_protocols);

    return wp_kses_split($sanitized, 'post', $allowed_protocols);
}
/**
 * @ticket 19354
 *
 * 'data' must never be part of the default protocol list.
 */
function test_data_is_not_an_allowed_protocol() {
    $protocols = wp_allowed_protocols();
    $this->assertNotContains('data', $protocols);
}
/**
 * Override this method to implement the appropriate sanitization specific to the field type before the value is saved.
 *
 * This base method provides a generic sanitization similar to wp_kses but values are not encoded.
 * Scripts are stripped out leaving tags allowed by the gform_allowable_tags filter.
 * The whole step can be switched off via the gform_sanitize_entry_value filter.
 *
 * @param string $value   The field value to be processed.
 * @param int    $form_id The ID of the form currently being processed.
 *
 * @return string
 */
public function sanitize_entry_value($value, $form_id) {
    // Array values are not sanitized here; they are dropped.
    if (is_array($value)) {
        return '';
    }

    /**
     * Provisional filter - may be subject to change or removal.
     *
     * @param bool     $sanitize Whether to sanitize the value. Default true.
     * @param int      $form_id  The form ID.
     * @param GF_Field $this     The field being processed.
     */
    $sanitize = apply_filters('gform_sanitize_entry_value', true, $form_id, $this);
    if (!$sanitize) {
        return $value;
    }

    // allow HTML for certain field types; the filter may widen or narrow the tag list.
    $allowable_tags = gf_apply_filters(
        array('gform_allowable_tags', $form_id),
        $this->allow_html(),
        $this,
        $form_id
    );
    if (true !== $allowable_tags) {
        $value = strip_tags($value, $allowable_tags);
    }

    // kses without the entity-normalisation pass, so the stored value is not encoded.
    $allowed_protocols = wp_allowed_protocols();
    $sanitized = wp_kses_no_null($value, array('slash_zero' => 'keep'));
    $sanitized = wp_kses_hook($sanitized, 'post', $allowed_protocols);

    return wp_kses_split($sanitized, 'post', $allowed_protocols);
}
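/**
 * Creates or updates a user from the contents of $_POST (a variant of edit_user()).
 *
 * When $user_id is given the user is updated, otherwise a new user is inserted.
 * Users who are neither administrator nor editor and change their e-mail address
 * do not get the new address stored directly: it is parked in user meta with a
 * random key and a verification link is mailed to the new address.
 *
 * @param int $user_id Optional. ID of the user to update; 0 inserts a new user.
 * @return int|string|WP_Error WP_Error when validation fails; 'verify_new_email'
 *                             when a verification mail was sent; otherwise the
 *                             $user_id that was passed in.
 */
function ipin_edit_user($user_id = 0) {
    global $wp_roles;

    $user = new stdClass();
    $update = (bool) $user_id;
    $userdata = null;
    if ($update) {
        $user->ID = (int) $user_id;
        $userdata = get_userdata($user_id);
        $user->user_login = wp_slash($userdata->user_login);
    }
    if (!$update && isset($_POST['user_login'])) {
        $user->user_login = sanitize_user($_POST['user_login'], true);
    }

    $pass1 = isset($_POST['pass1']) ? $_POST['pass1'] : '';
    $pass2 = isset($_POST['pass2']) ? $_POST['pass2'] : '';

    if (isset($_POST['role']) && current_user_can('edit_users')) {
        $new_role = sanitize_text_field($_POST['role']);
        $potential_role = isset($wp_roles->role_objects[$new_role]) ? $wp_roles->role_objects[$new_role] : false;

        // Don't let anyone with 'edit_users' (admins) edit their own role to something without it.
        // Multisite super admins can freely edit their blog roles -- they possess all caps.
        if ((is_multisite() && current_user_can('manage_sites')) || $user_id != get_current_user_id() || ($potential_role && $potential_role->has_cap('edit_users'))) {
            $user->role = $new_role;
        }

        // If the new role isn't editable by the logged-in user die with error
        $editable_roles = get_editable_roles();
        if (!empty($new_role) && empty($editable_roles[$new_role])) {
            wp_die(__('You can’t give users that role.', 'ipin'));
        }
    }

    // Remember the stored address so a pending change can be reverted below.
    // Only an existing user has one; an insert has nothing to compare against.
    $original_user_email = $update ? $userdata->user_email : '';

    if (isset($_POST['email'])) {
        $user->user_email = sanitize_text_field($_POST['email']);
    }

    if (isset($_POST['url'])) {
        if (empty($_POST['url']) || $_POST['url'] == 'http://') {
            $user->user_url = '';
        } else {
            $user->user_url = esc_url_raw($_POST['url']);
            // Prefix http:// unless the URL already starts with an allowed scheme.
            $protocols = implode('|', array_map('preg_quote', wp_allowed_protocols()));
            $user->user_url = preg_match('/^(' . $protocols . '):/is', $user->user_url) ? $user->user_url : 'http://' . $user->user_url;
        }
    }

    if (isset($_POST['first_name'])) {
        $user->first_name = sanitize_text_field($_POST['first_name']);
    }
    if (isset($_POST['last_name'])) {
        $user->last_name = sanitize_text_field($_POST['last_name']);
    }
    if (isset($_POST['nickname'])) {
        $user->nickname = sanitize_text_field($_POST['nickname']);
    }
    if (isset($_POST['display_name'])) {
        $user->display_name = sanitize_text_field($_POST['display_name']);
    }
    if (isset($_POST['description'])) {
        $user->description = trim($_POST['description']);
    }

    foreach (wp_get_user_contact_methods($user) as $method => $name) {
        if (isset($_POST[$method])) {
            $user->{$method} = sanitize_text_field($_POST[$method]);
        }
    }

    if ($update) {
        $user->rich_editing = isset($_POST['rich_editing']) && 'false' == $_POST['rich_editing'] ? 'false' : 'true';
        $user->admin_color = isset($_POST['admin_color']) ? sanitize_text_field($_POST['admin_color']) : 'fresh';
        $user->show_admin_bar_front = isset($_POST['admin_bar_front']) ? 'true' : 'false';
    }
    $user->comment_shortcuts = isset($_POST['comment_shortcuts']) && 'true' == $_POST['comment_shortcuts'] ? 'true' : '';
    $user->use_ssl = 0;
    if (!empty($_POST['use_ssl'])) {
        $user->use_ssl = 1;
    }

    $errors = new WP_Error();

    /* checking that username has been typed */
    if (!isset($user->user_login) || $user->user_login == '') {
        $errors->add('user_login', __('<strong>ERROR</strong>: Please enter a username.', 'ipin'));
    }

    /* checking the password has been typed twice */
    do_action_ref_array('check_passwords', array($user->user_login, &$pass1, &$pass2));

    if ($update) {
        if (empty($pass1) && !empty($pass2)) {
            $errors->add('pass', __('<strong>ERROR</strong>: You entered your new password only once.', 'ipin'), array('form-field' => 'pass1'));
        } elseif (!empty($pass1) && empty($pass2)) {
            $errors->add('pass', __('<strong>ERROR</strong>: You entered your new password only once.', 'ipin'), array('form-field' => 'pass2'));
        }
        //edited: added to check password length
        if (!empty($pass1) && !empty($pass2) && strlen($pass1) < 6) {
            // The text domain belongs in __(); the original call put 'ipin'
            // into WP_Error::add()'s $data argument instead.
            $errors->add('password_too_short', __('<strong>ERROR</strong>: Passwords must be at least 6 characters long', 'ipin'));
        }
    } else {
        if (empty($pass1)) {
            $errors->add('pass', __('<strong>ERROR</strong>: Please enter your password.', 'ipin'), array('form-field' => 'pass1'));
        } elseif (empty($pass2)) {
            $errors->add('pass', __('<strong>ERROR</strong>: Please enter your password twice.', 'ipin'), array('form-field' => 'pass2'));
        }
    }

    /* Check for "\" in password */
    if (false !== strpos(wp_unslash($pass1), "\\")) {
        $errors->add('pass', __('<strong>ERROR</strong>: Passwords may not contain the character "\\".', 'ipin'), array('form-field' => 'pass1'));
    }

    /* checking the password has been typed twice the same */
    if ($pass1 != $pass2) {
        $errors->add('pass', __('<strong>ERROR</strong>: Please enter the same password in the two password fields.', 'ipin'), array('form-field' => 'pass1'));
    }

    if (!empty($pass1)) {
        $user->user_pass = $pass1;
    }

    if (!$update && isset($_POST['user_login']) && !validate_username($_POST['user_login'])) {
        $errors->add('user_login', __('<strong>ERROR</strong>: This username is invalid because it uses illegal characters. Please enter a valid username.', 'ipin'));
    }
    if (!$update && username_exists($user->user_login)) {
        $errors->add('user_login', __('<strong>ERROR</strong>: This username is already registered. Please choose another one.', 'ipin'));
    }

    /* checking e-mail address */
    $verify_new_email = $user_id;
    if (empty($user->user_email)) {
        $errors->add('empty_email', __('<strong>ERROR</strong>: Please enter an email address.', 'ipin'), array('form-field' => 'email'));
    } elseif (!is_email($user->user_email)) {
        $errors->add('invalid_email', __('<strong>ERROR</strong>: The email address isn’t correct.', 'ipin'), array('form-field' => 'email'));
    } elseif (($owner_id = email_exists($user->user_email)) && (!$update || $owner_id != $user->ID)) {
        $errors->add('email_exists', __('<strong>ERROR</strong>: This email is already registered, please choose another one.', 'ipin'), array('form-field' => 'email'));
    } elseif ($update && $userdata->user_email != $_POST['email'] && !current_user_can('administrator') && !current_user_can('editor')) {
        //edited: requires email verification if email is changed (existing users only)
        //store new email temporarily
        update_user_meta($user_id, '_new_email', $user->user_email);
        $new_email_key = wp_generate_password(20, false);
        update_user_meta($user_id, '_new_email_key', $new_email_key);
        $blogname = wp_specialchars_decode(get_option('blogname'), ENT_QUOTES);

        // Build the mail body from scratch; nothing precedes the first line.
        $message = __('Please click the link to verify your email:', 'ipin') . "\r\n";
        $message .= home_url('/settings/');
        $message .= sprintf('?email=verify&login=%s&key=%s', rawurlencode($user->user_login), $new_email_key);
        wp_mail($user->user_email, sprintf(__('[%s] Email Verification', 'ipin'), $blogname), $message);

        // Keep the stored address until the key is confirmed.
        $user->user_email = $original_user_email;
        $verify_new_email = 'verify_new_email';
    }

    // Allow plugins to return their own errors.
    do_action_ref_array('user_profile_update_errors', array(&$errors, $update, &$user));
    if ($errors->get_error_codes()) {
        return $errors;
    }

    if ($update) {
        $user_id = wp_update_user($user);
    } else {
        $user_id = wp_insert_user($user);
        wp_new_user_notification($user_id, isset($_POST['send_password']) ? wp_unslash($pass1) : '');
    }

    return $verify_new_email;
}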
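/**
 * Escapes the given string for the KSES filter with the criteria of allowing/disallowing tags and the protocol.
 *
 * Builds the allowed-tag map from $aAllowedTags merged over $GLOBALS['allowedposttags']
 * (the first argument wins), removes $aDisallowedTags, then runs the same passes
 * wp_filter_post_kses() and wp_kses() would.
 *
 * @remark Attributes are not supported at this moment.
 * @param string $sString           Content to filter.
 * @param array  $aAllowedTags      e.g. array( 'noscript', 'style', )
 * @param array  $aDisallowedTags   e.g. array( 'table', 'tbody', 'thoot', 'thead', 'th', 'tr' )
 * @param array  $aAllowedProtocols Optional. Empty means wp_allowed_protocols().
 * @return string Filtered content.
 * @since 2.0.0
 */
public static function escapeKSESFilter($sString, $aAllowedTags = array(), $aDisallowedTags = array(), $aAllowedProtocols = array()) {
    // Initialised up front so an empty $aAllowedTags does not hand an undefined
    // variable to uniteArrays().
    $aFormatAllowedTags = array();
    foreach ($aAllowedTags as $sTag) {
        $aFormatAllowedTags[$sTag] = array(); // empty attribute list; uniteArrays() merges it with the global entry.
    }
    $aAllowedHTMLTags = AmazonAutoLinks_Utility::uniteArrays($aFormatAllowedTags, $GLOBALS['allowedposttags']); // the first parameter takes over the second.

    foreach ($aDisallowedTags as $sTag) {
        if (isset($aAllowedHTMLTags[$sTag])) {
            unset($aAllowedHTMLTags[$sTag]);
        }
    }

    if (empty($aAllowedProtocols)) {
        $aAllowedProtocols = wp_allowed_protocols();
    }

    // The addslashes()/stripslashes() round-trips are kept from the original
    // call chain; they cancel out but have not been verified as redundant.
    $sString = addslashes($sString);
    $sString = stripslashes($sString); // wp_filter_post_kses()
    $sString = wp_kses_no_null($sString); // wp_kses()
    $sString = wp_kses_js_entities($sString); // wp_kses()
    $sString = wp_kses_normalize_entities($sString); // wp_kses()
    $sString = wp_kses_hook($sString, $aAllowedHTMLTags, $aAllowedProtocols); // WP changed the order of these funcs and added args to wp_kses_hook
    $sString = wp_kses_split($sString, $aAllowedHTMLTags, $aAllowedProtocols);
    $sString = addslashes($sString); // wp_filter_post_kses()
    $sString = stripslashes($sString);

    return $sString;
}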
/**
 * Edit user settings based on contents of $_POST
 *
 * Largely based on the edit_user() function, this function only throws errors
 * when the user has posted invalid data, vs. when the mock user object does not
 * contain it.
 *
 * @since 0.1.0
 *
 * @param int $user_id Optional. User ID.
 * @return int|WP_Error|null user id of the updated user, a WP_Error when the
 *                           posted data is invalid, or null when no ID was given
 */
function wp_user_profiles_edit_user($user_id = 0) {
    // Bail if no user ID
    if (empty($user_id)) {
        return;
    }

    // Setup the user being saved
    $user = new stdClass();
    $user->ID = (int) $user_id;
    $existing = get_userdata($user_id);

    // Setup the user login
    $user->user_login = isset($_POST['user_login'])
        ? sanitize_user($_POST['user_login'], true)
        : wp_slash($existing->user_login);

    // Password changes
    $pass1 = isset($_POST['pass1']) ? $_POST['pass1'] : '';
    $pass2 = isset($_POST['pass2']) ? $_POST['pass2'] : '';

    // Role changes: one entry per blog, applied only when the logged-in user
    // may assign that role on that blog.
    if (isset($_POST['role']) && current_user_can('edit_users')) {
        foreach ($_POST['role'] as $blog_id => $new_role) {
            switch_to_blog($blog_id);
            $editable_roles = get_editable_roles();
            if (!empty($new_role) && !empty($editable_roles[$new_role])) {
                $target = get_userdata($user_id);
                $target->set_role($new_role);
            }
            restore_current_blog();
        }
    }

    // Email
    if (isset($_POST['email'])) {
        $user->user_email = sanitize_text_field(wp_unslash($_POST['email']));
    }

    // Website
    if (isset($_POST['url'])) {
        if (empty($_POST['url']) || $_POST['url'] == 'http://') {
            $user->user_url = '';
        } else {
            $clean_url = esc_url_raw($_POST['url']);
            // Prefix http:// unless the URL already starts with an allowed scheme.
            $scheme_pattern = implode('|', array_map('preg_quote', wp_allowed_protocols()));
            if (!preg_match('/^(' . $scheme_pattern . '):/is', $clean_url)) {
                $clean_url = 'http://' . $clean_url;
            }
            $user->user_url = $clean_url;
        }
    }

    // Name fields: each is set only when posted.
    $text_fields = array('first_name', 'last_name', 'nickname', 'display_name');
    foreach ($text_fields as $field) {
        if (isset($_POST[$field])) {
            $user->{$field} = sanitize_text_field($_POST[$field]);
        }
    }

    // Description (trimmed only)
    if (isset($_POST['description'])) {
        $user->description = trim($_POST['description']);
    }

    // Contact methods
    foreach (wp_get_user_contact_methods($user) as $method => $label) {
        if (isset($_POST[$method])) {
            $user->{$method} = sanitize_text_field($_POST[$method]);
        }
    }

    // Options
    $user->rich_editing = isset($_POST['rich_editing']) && 'false' === $_POST['rich_editing'] ? 'false' : 'true';
    $user->admin_color = isset($_POST['admin_color']) ? sanitize_text_field($_POST['admin_color']) : 'fresh';
    $user->show_admin_bar_front = isset($_POST['admin_bar_front']) ? 'true' : 'false';
    $user->comment_shortcuts = isset($_POST['comment_shortcuts']) && 'true' === $_POST['comment_shortcuts'] ? 'true' : '';
    $user->use_ssl = empty($_POST['use_ssl']) ? 0 : 1;

    // Error checking
    $errors = new WP_Error();

    // Checking that username has been typed
    if (isset($_POST['user_login']) && empty($user->user_login)) {
        $errors->add('user_login', __('<strong>ERROR</strong>: Please enter a username.'));
    }

    // Checking that nickname has been typed
    if (isset($_POST['nickname']) && empty($user->nickname)) {
        $errors->add('nickname', __('<strong>ERROR</strong>: Please enter a nickname.'));
    }

    // Fires before the password and confirm password fields are checked for
    // congruity; both passwords are passed by reference (core hook, since 1.5.1).
    do_action_ref_array('check_passwords', array($user->user_login, &$pass1, &$pass2));

    // Check for "\" in password
    if (false !== strpos(wp_unslash($pass1), "\\")) {
        $errors->add('pass', __('<strong>ERROR</strong>: Passwords may not contain the character "\\".'), array('form-field' => 'pass1'));
    }

    // Checking the password has been typed twice the same
    if ($pass1 !== $pass2) {
        $errors->add('pass', __('<strong>ERROR</strong>: Please enter the same password in both password fields.'), array('form-field' => 'pass1'));
    }

    if (!empty($pass1)) {
        $user->user_pass = $pass1;
    }

    // Username checks only apply when a login was posted.
    if (isset($_POST['user_login'])) {
        if (!validate_username($_POST['user_login'])) {
            $errors->add('user_login', __('<strong>ERROR</strong>: This username is invalid because it uses illegal characters. Please enter a valid username.'));
        }
        if (username_exists($user->user_login)) {
            $errors->add('user_login', __('<strong>ERROR</strong>: This username is already registered. Please choose another one.'));
        }
    }

    // Checking email address
    if (isset($_POST['email'])) {
        $owner_id = empty($user->user_email) ? false : email_exists($user->user_email);
        if (empty($user->user_email)) {
            $errors->add('empty_email', __('<strong>ERROR</strong>: Please enter an email address.'), array('form-field' => 'email'));
        } elseif (!is_email($user->user_email)) {
            $errors->add('invalid_email', __('<strong>ERROR</strong>: The email address is not correct.'), array('form-field' => 'email'));
        } elseif ($owner_id && $owner_id !== $user->ID) {
            $errors->add('email_exists', __('<strong>ERROR</strong>: This email is already in use.'), array('form-field' => 'email'));
        }
    }

    // Fires before user profile update errors are returned; $errors and $user
    // are passed by reference, the second argument marks this as an update (core hook, since 2.8.0).
    do_action_ref_array('user_profile_update_errors', array(&$errors, true, &$user));

    // Return errors if there are any
    if ($errors->get_error_codes()) {
        return $errors;
    }

    // Maybe save user status
    if (!empty($_POST['user_status'])) {
        wp_user_profiles_update_user_status($user, sanitize_key($_POST['user_status']));
    }

    return wp_update_user($user);
}
/**
 * Widget update handler: builds the instance to save from the submitted one.
 *
 * Only the title is tag-stripped and the size cast to a non-negative int;
 * content, style and target are stored as submitted. Social entries are
 * rebuilt from the parallel social_icon / social_url lists, each URL passed
 * through esc_url() with the default protocols plus 'skype'.
 *
 * @param array $new_instance Submitted widget values.
 * @param array $old_instance Previously saved values.
 * @return array Instance to store.
 */
function update($new_instance, $old_instance) {
    $instance = $old_instance;
    $instance['title'] = strip_tags($new_instance['title']);
    $instance['content'] = $new_instance['content'];
    $instance['style'] = $new_instance['style'];
    $instance['size'] = absint($new_instance['size']);
    $instance['target'] = $new_instance['target'];
    $instance['social'] = array();

    if (empty($new_instance['social_icon'])) {
        return $instance;
    }

    $protocols = wp_allowed_protocols();
    $protocols[] = 'skype'; //allow skype call protocol

    // NOTE(review): the loop stops one short of the last icon; presumably the
    // final row is a blank template row — confirm against the form markup.
    $last = count($new_instance['social_icon']) - 1;
    for ($idx = 0; $idx < $last; $idx++) {
        $instance['social'][] = array(
            'icon' => $new_instance['social_icon'][$idx],
            'url' => esc_url($new_instance['social_url'][$idx], $protocols),
        );
    }

    return $instance;
}
/**
 * Runs a string through the kses filter with a tag allow/deny list and allowed protocols.
 *
 * $arrAllowedTags (e.g. array( 'noscript' => array(), 'style' => array() )) is
 * merged over the global $allowedposttags (the first argument wins), then every
 * tag in $arrDisallowedTags (e.g. array( 'table', 'tbody', 'thoot', 'thead', 'th', 'tr' ))
 * is removed. The passes mirror wp_filter_post_kses() followed by wp_kses().
 *
 * @param string $strString           Content to filter.
 * @param array  $arrAllowedTags      Tags (with attribute maps) to allow in addition to the post defaults.
 * @param array  $arrDisallowedTags   Tag names to remove from the allow-list.
 * @param array  $arrAllowedProtocols Optional. Empty means wp_allowed_protocols().
 * @return string Filtered content.
 */
function EscapeAndFilterPostKSES($strString, $arrAllowedTags = array(), $arrDisallowedTags = array(), $arrAllowedProtocols = array()) {
    global $allowedposttags;

    $allowedHtml = $this->oUtil->UniteArraysRecursive($arrAllowedTags, $allowedposttags); // the first parameter takes over the second.
    foreach ($arrDisallowedTags as $tag) {
        unset($allowedHtml[$tag]);
    }

    $protocols = empty($arrAllowedProtocols) ? wp_allowed_protocols() : $arrAllowedProtocols;

    // The addslashes()/stripslashes() round-trips come from the original call
    // chain; they cancel out but have not been verified as redundant.
    $filtered = stripslashes(addslashes($strString));
    $filtered = wp_kses_no_null($filtered);
    $filtered = wp_kses_js_entities($filtered);
    $filtered = wp_kses_normalize_entities($filtered);
    $filtered = wp_kses_hook($filtered, $allowedHtml, $protocols);
    $filtered = wp_kses_split($filtered, $allowedHtml, $protocols);

    return stripslashes(addslashes($filtered));
}
/**
 * Filters content down to the allowed HTML elements, attributes and entities.
 *
 * Callers must strip magic-quote slashes before calling. When no protocol
 * list is given, wp_allowed_protocols() is used; 'javascript' is deliberately
 * not part of that default.
 *
 * @since 1.0.0
 *
 * @param string $string            Content to filter through kses.
 * @param array  $allowed_html      Allowed HTML elements.
 * @param array  $allowed_protocols Optional. Allowed link protocols; defaults to wp_allowed_protocols().
 * @return string Filtered content with only allowed HTML elements.
 */
function wp_kses($string, $allowed_html, $allowed_protocols = array()) {
    // An empty protocol list falls back to the core defaults.
    $protocols = empty($allowed_protocols) ? wp_allowed_protocols() : $allowed_protocols;

    // NUL stripping ('slash_zero' => 'keep' is passed straight through),
    // JS entity removal and entity normalisation, in that order.
    $filtered = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $filtered = wp_kses_js_entities($filtered);
    $filtered = wp_kses_normalize_entities($filtered);

    // The hook runs before the split.
    $filtered = wp_kses_hook($filtered, $allowed_html, $protocols);

    return wp_kses_split($filtered, $allowed_html, $protocols);
}
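/**
 * [box] shortcode handler: wraps the (shortcode-expanded) content in a styled div.
 *
 * The attribute set is now assigned explicitly instead of via extract(), so the
 * variables in use are visible to readers and static analysis.
 *
 * @param array       $atts    Shortcode attributes: 'type', 'size', 'style', 'border', 'icon'.
 * @param string|null $content Enclosed content.
 * @return string The box HTML.
 */
function woo_shortcode_box($atts, $content = null) {
    $atts = shortcode_atts(array('type' => 'normal', 'size' => '', 'style' => '', 'border' => '', 'icon' => ''), $atts);
    $type   = $atts['type'];
    $size   = $atts['size'];
    $style  = $atts['style'];
    $border = $atts['border'];
    $icon   = $atts['icon'];

    // "Toggle in a box" fix: allow <input> inside the box and the skype: scheme in links.
    $allowed_tags = wp_kses_allowed_html('post');
    $allowed_tags['input'] = array('type' => true, 'name' => true, 'value' => true);
    $allowed_protocols = wp_allowed_protocols();
    $allowed_protocols[] = 'skype';

    $class = '';
    $custom = '';
    // Strict comparison: shortcode attributes are strings, and a loose '==' would
    // also match a non-string 0 on older PHP.
    if ('none' === $icon) {
        $class = 'no-icon';
        $custom = ' style="padding-left:15px;background-image:none;"';
    } elseif ($icon) {
        $class = 'custom-icon';
        // NOTE(review): esc_url()'s character allow-list keeps '(' and ')', so a ')' in
        // $icon ends the CSS url() token while still inside the style attribute; quoting
        // the URL as url("...") would close that gap. Output is kept unchanged here.
        $custom = ' style="padding-left:50px;background-image:url( ' . esc_attr(esc_url($icon)) . ' ); background-repeat:no-repeat; background-position:20px 45%;"';
    }

    return '<div class="woo-sc-box ' . esc_attr($class) . ' ' . esc_attr($type) . ' ' . esc_attr($size) . ' ' . esc_attr($style) . ' ' . esc_attr($border) . '"' . $custom . '>' . wp_kses(do_shortcode(woo_remove_wpautop($content)), $allowed_tags, $allowed_protocols) . '</div>';
}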
/**
 * Edit user settings based on contents of $_POST
 *
 * Used on user-edit.php and profile.php to manage and process user options, passwords etc.
 * Builds a stdClass from the posted fields, validates it into a WP_Error, and then either
 * updates the existing user or inserts a new one.
 *
 * @since 2.0
 *
 * @param int $user_id Optional. User ID. Zero means "create a new user".
 * @return int|WP_Error User id of the updated/created user, or the accumulated WP_Error
 *                      when any validation check failed.
 */
function edit_user($user_id = 0) {
    global $wp_roles, $wpdb;
    $user = new stdClass();
    if ($user_id) {
        $update = true;
        $user->ID = (int) $user_id;
        $userdata = get_userdata($user_id);
        // Slash the stored login so it matches the (slashed) $_POST data; the newer
        // variant of this function on this page uses wp_slash() for the same purpose.
        $user->user_login = $wpdb->escape($userdata->user_login);
    } else {
        $update = false;
    }
    if (!$update && isset($_POST['user_login'])) {
        // Strict sanitization: only the restricted username character set survives.
        $user->user_login = sanitize_user($_POST['user_login'], true);
    }
    // Passwords are taken verbatim (still slashed); the backslash check below unslashes a copy.
    $pass1 = $pass2 = '';
    if (isset($_POST['pass1'])) {
        $pass1 = $_POST['pass1'];
    }
    if (isset($_POST['pass2'])) {
        $pass2 = $_POST['pass2'];
    }
    if (isset($_POST['role']) && current_user_can('edit_users')) {
        $new_role = sanitize_text_field($_POST['role']);
        $potential_role = isset($wp_roles->role_objects[$new_role]) ? $wp_roles->role_objects[$new_role] : false;
        // Don't let anyone with 'edit_users' (admins) edit their own role to something without it.
        // Multisite super admins can freely edit their blog roles -- they possess all caps.
        if (is_multisite() && current_user_can('manage_sites') || $user_id != get_current_user_id() || $potential_role && $potential_role->has_cap('edit_users')) {
            $user->role = $new_role;
        }
        // If the new role isn't editable by the logged-in user die with error
        $editable_roles = get_editable_roles();
        if (!empty($new_role) && empty($editable_roles[$new_role])) {
            wp_die(__('You can’t give users that role.'));
        }
    }
    if (isset($_POST['email'])) {
        $user->user_email = sanitize_text_field($_POST['email']);
    }
    if (isset($_POST['url'])) {
        if (empty($_POST['url']) || $_POST['url'] == 'http://') {
            $user->user_url = '';
        } else {
            $user->user_url = esc_url_raw($_POST['url']);
            // Prepend http:// unless the URL already starts with an allowed scheme.
            $protocols = implode('|', array_map('preg_quote', wp_allowed_protocols()));
            $user->user_url = preg_match('/^(' . $protocols . '):/is', $user->user_url) ? $user->user_url : 'http://' . $user->user_url;
        }
    }
    if (isset($_POST['first_name'])) {
        $user->first_name = sanitize_text_field($_POST['first_name']);
    }
    if (isset($_POST['last_name'])) {
        $user->last_name = sanitize_text_field($_POST['last_name']);
    }
    if (isset($_POST['nickname'])) {
        $user->nickname = sanitize_text_field($_POST['nickname']);
    }
    if (isset($_POST['display_name'])) {
        $user->display_name = sanitize_text_field($_POST['display_name']);
    }
    if (isset($_POST['description'])) {
        // Only trimmed here; any HTML filtering of the description happens downstream (not visible in this function).
        $user->description = trim($_POST['description']);
    }
    foreach (_wp_get_user_contactmethods($user) as $method => $name) {
        if (isset($_POST[$method])) {
            $user->{$method} = sanitize_text_field($_POST[$method]);
        }
    }
    if ($update) {
        $user->rich_editing = isset($_POST['rich_editing']) && 'false' == $_POST['rich_editing'] ? 'false' : 'true';
        $user->admin_color = isset($_POST['admin_color']) ? sanitize_text_field($_POST['admin_color']) : 'fresh';
        $user->show_admin_bar_front = isset($_POST['admin_bar_front']) ? 'true' : 'false';
    }
    $user->comment_shortcuts = isset($_POST['comment_shortcuts']) && 'true' == $_POST['comment_shortcuts'] ? 'true' : '';
    $user->use_ssl = 0;
    if (!empty($_POST['use_ssl'])) {
        $user->use_ssl = 1;
    }
    // Validation errors are collected rather than returned one at a time.
    $errors = new WP_Error();
    /* checking that username has been typed */
    if ($user->user_login == '') {
        $errors->add('user_login', __('<strong>ERROR</strong>: Please enter a username.'));
    }
    /* checking the password has been typed twice */
    // Plugins may rewrite both password fields (passed by reference) before they are compared.
    do_action_ref_array('check_passwords', array($user->user_login, &$pass1, &$pass2));
    if ($update) {
        if (empty($pass1) && !empty($pass2)) {
            $errors->add('pass', __('<strong>ERROR</strong>: You entered your new password only once.'), array('form-field' => 'pass1'));
        } elseif (!empty($pass1) && empty($pass2)) {
            $errors->add('pass', __('<strong>ERROR</strong>: You entered your new password only once.'), array('form-field' => 'pass2'));
        }
    } else {
        if (empty($pass1)) {
            $errors->add('pass', __('<strong>ERROR</strong>: Please enter your password.'), array('form-field' => 'pass1'));
        } elseif (empty($pass2)) {
            $errors->add('pass', __('<strong>ERROR</strong>: Please enter your password twice.'), array('form-field' => 'pass2'));
        }
    }
    /* Check for "\" in password */
    if (false !== strpos(stripslashes($pass1), "\\")) {
        $errors->add('pass', __('<strong>ERROR</strong>: Passwords may not contain the character "\\".'), array('form-field' => 'pass1'));
    }
    /* checking the password has been typed twice the same */
    if ($pass1 != $pass2) {
        $errors->add('pass', __('<strong>ERROR</strong>: Please enter the same password in the two password fields.'), array('form-field' => 'pass1'));
    }
    if (!empty($pass1)) {
        $user->user_pass = $pass1;
    }
    if (!$update && isset($_POST['user_login']) && !validate_username($_POST['user_login'])) {
        $errors->add('user_login', __('<strong>ERROR</strong>: This username is invalid because it uses illegal characters. Please enter a valid username.'));
    }
    if (!$update && username_exists($user->user_login)) {
        $errors->add('user_login', __('<strong>ERROR</strong>: This username is already registered. 
Please choose another one.'));
    }
    /* checking e-mail address */
    if (empty($user->user_email)) {
        $errors->add('empty_email', __('<strong>ERROR</strong>: Please enter an e-mail address.'), array('form-field' => 'email'));
    } elseif (!is_email($user->user_email)) {
        $errors->add('invalid_email', __('<strong>ERROR</strong>: The e-mail address isn’t correct.'), array('form-field' => 'email'));
    } elseif (($owner_id = email_exists($user->user_email)) && (!$update || $owner_id != $user->ID)) {
        // An address already owned by a different user is rejected; the user's own address is fine on update.
        $errors->add('email_exists', __('<strong>ERROR</strong>: This email is already registered, please choose another one.'), array('form-field' => 'email'));
    }
    // Allow plugins to return their own errors.
    do_action_ref_array('user_profile_update_errors', array(&$errors, $update, &$user));
    if ($errors->get_error_codes()) {
        return $errors;
    }
    if ($update) {
        $user_id = wp_update_user($user);
    } else {
        $user_id = wp_insert_user($user);
        // The plaintext password is only included in the notification when the form asked for it.
        wp_new_user_notification($user_id, isset($_POST['send_password']) ? $pass1 : '');
    }
    return $user_id;
}
/**
 * Every allowed protocol's example URL must come back from esc_url() unchanged,
 * both when the scheme is passed alone and when the full wp_allowed_protocols()
 * list is passed.
 *
 * NOTE(review): the esc_url() variants shown elsewhere on this page replace a
 * non-array $protocols argument with wp_allowed_protocols(), so the first call
 * may not actually restrict the check to $protocol — confirm against the
 * esc_url() under test; passing array($protocol) would pin it down.
 *
 * @depends test_allowed_protocol_has_an_example
 * @dataProvider data_example_urls
 *
 * @param string $protocol The scheme.
 * @param string $url      Example URL using that scheme.
 */
function test_allowed_protocols($protocol, $url) {
    $single_scheme_result = esc_url($url, $protocol);
    $this->assertEquals($url, $single_scheme_result);

    $full_list_result = esc_url($url, wp_allowed_protocols());
    $this->assertEquals($url, $full_list_result);
}
/**
 * Edit user settings based on contents of $_POST
 *
 * Used on user-edit.php and profile.php to manage and process user options, passwords etc.
 * Builds a stdClass from the posted fields, validates it into a WP_Error, and then either
 * updates the existing user or inserts a new one.
 *
 * @since 2.0.0
 *
 * @param int $user_id Optional. User ID. Zero means "create a new user".
 * @return int|WP_Error User id of the updated/created user, or the accumulated WP_Error
 *                      when any validation check failed.
 */
function edit_user($user_id = 0) {
    $wp_roles = wp_roles();
    $user = new stdClass();
    if ($user_id) {
        $update = true;
        $user->ID = (int) $user_id;
        $userdata = get_userdata($user_id);
        // Slash the stored login so it matches the (slashed) $_POST data.
        $user->user_login = wp_slash($userdata->user_login);
    } else {
        $update = false;
    }
    if (!$update && isset($_POST['user_login'])) {
        // Strict sanitization: only the restricted username character set survives.
        $user->user_login = sanitize_user($_POST['user_login'], true);
    }
    // Passwords are taken verbatim (still slashed); the backslash check below unslashes a copy.
    $pass1 = $pass2 = '';
    if (isset($_POST['pass1'])) {
        $pass1 = $_POST['pass1'];
    }
    if (isset($_POST['pass2'])) {
        $pass2 = $_POST['pass2'];
    }
    if (isset($_POST['role']) && current_user_can('edit_users')) {
        $new_role = sanitize_text_field($_POST['role']);
        $potential_role = isset($wp_roles->role_objects[$new_role]) ? $wp_roles->role_objects[$new_role] : false;
        // Don't let anyone with 'edit_users' (admins) edit their own role to something without it.
        // Multisite super admins can freely edit their blog roles -- they possess all caps.
        if (is_multisite() && current_user_can('manage_sites') || $user_id != get_current_user_id() || $potential_role && $potential_role->has_cap('edit_users')) {
            $user->role = $new_role;
        }
        // If the new role isn't editable by the logged-in user die with error
        $editable_roles = get_editable_roles();
        if (!empty($new_role) && empty($editable_roles[$new_role])) {
            wp_die(__('You can’t give users that role.'));
        }
    }
    if (isset($_POST['email'])) {
        $user->user_email = sanitize_text_field(wp_unslash($_POST['email']));
    }
    if (isset($_POST['url'])) {
        if (empty($_POST['url']) || $_POST['url'] == 'http://') {
            $user->user_url = '';
        } else {
            $user->user_url = esc_url_raw($_POST['url']);
            // Prepend http:// unless the URL already starts with an allowed scheme.
            $protocols = implode('|', array_map('preg_quote', wp_allowed_protocols()));
            $user->user_url = preg_match('/^(' . $protocols . '):/is', $user->user_url) ? $user->user_url : 'http://' . $user->user_url;
        }
    }
    if (isset($_POST['first_name'])) {
        $user->first_name = sanitize_text_field($_POST['first_name']);
    }
    if (isset($_POST['last_name'])) {
        $user->last_name = sanitize_text_field($_POST['last_name']);
    }
    if (isset($_POST['nickname'])) {
        $user->nickname = sanitize_text_field($_POST['nickname']);
    }
    if (isset($_POST['display_name'])) {
        $user->display_name = sanitize_text_field($_POST['display_name']);
    }
    if (isset($_POST['description'])) {
        // Only trimmed here; any HTML filtering of the description happens downstream (not visible in this function).
        $user->description = trim($_POST['description']);
    }
    foreach (wp_get_user_contact_methods($user) as $method => $name) {
        if (isset($_POST[$method])) {
            $user->{$method} = sanitize_text_field($_POST[$method]);
        }
    }
    if ($update) {
        $user->rich_editing = isset($_POST['rich_editing']) && 'false' == $_POST['rich_editing'] ? 'false' : 'true';
        $user->admin_color = isset($_POST['admin_color']) ? sanitize_text_field($_POST['admin_color']) : 'fresh';
        $user->show_admin_bar_front = isset($_POST['admin_bar_front']) ? 'true' : 'false';
    }
    $user->comment_shortcuts = isset($_POST['comment_shortcuts']) && 'true' == $_POST['comment_shortcuts'] ? 'true' : '';
    $user->use_ssl = 0;
    if (!empty($_POST['use_ssl'])) {
        $user->use_ssl = 1;
    }
    // Validation errors are collected rather than returned one at a time.
    $errors = new WP_Error();
    /* checking that username has been typed */
    if ($user->user_login == '') {
        $errors->add('user_login', __('<strong>ERROR</strong>: Please enter a username.'));
    }
    /* checking that nickname has been typed */
    if ($update && empty($user->nickname)) {
        $errors->add('nickname', __('<strong>ERROR</strong>: Please enter a nickname.'));
    }
    /* checking the password has been typed twice */
    /**
     * Fires before the password and confirm password fields are checked for congruity.
     *
     * @since 1.5.1
     *
     * @param string $user_login The username.
     * @param string &$pass1     The password, passed by reference.
     * @param string &$pass2     The confirmed password, passed by reference.
     */
    do_action_ref_array('check_passwords', array($user->user_login, &$pass1, &$pass2));
    /* Check for "\" in password */
    if (false !== strpos(wp_unslash($pass1), "\\")) {
        $errors->add('pass', __('<strong>ERROR</strong>: Passwords may not contain the character "\\".'), array('form-field' => 'pass1'));
    }
    /* checking the password has been typed twice the same */
    if ($pass1 != $pass2) {
        $errors->add('pass', __('<strong>ERROR</strong>: Please enter the same password in both password fields.'), array('form-field' => 'pass1'));
    }
    // NOTE(review): with both password fields empty on a new user no user_pass is set here;
    // whether wp_insert_user() generates one is not visible on this page.
    if (!empty($pass1)) {
        $user->user_pass = $pass1;
    }
    if (!$update && isset($_POST['user_login']) && !validate_username($_POST['user_login'])) {
        $errors->add('user_login', __('<strong>ERROR</strong>: This username is invalid because it uses illegal characters. Please enter a valid username.'));
    }
    if (!$update && username_exists($user->user_login)) {
        $errors->add('user_login', __('<strong>ERROR</strong>: This username is already registered. Please choose another one.'));
    }
    /** This filter is documented in wp-includes/user.php */
    // Case-insensitive deny-list of reserved logins.
    $illegal_logins = (array) apply_filters('illegal_user_logins', array());
    if (in_array(strtolower($user->user_login), array_map('strtolower', $illegal_logins))) {
        $errors->add('illegal_user_login', __('<strong>ERROR</strong>: Sorry, that username is not allowed.'));
    }
    /* checking email address */
    if (empty($user->user_email)) {
        $errors->add('empty_email', __('<strong>ERROR</strong>: Please enter an email address.'), array('form-field' => 'email'));
    } elseif (!is_email($user->user_email)) {
        $errors->add('invalid_email', __('<strong>ERROR</strong>: The email address isn’t correct.'), array('form-field' => 'email'));
    } elseif (($owner_id = email_exists($user->user_email)) && (!$update || $owner_id != $user->ID)) {
        // An address already owned by a different user is rejected; the user's own address is fine on update.
        $errors->add('email_exists', __('<strong>ERROR</strong>: This email is already registered, please choose another one.'), array('form-field' => 'email'));
    }
    /**
     * Fires before user profile update errors are returned.
     *
     * @since 2.8.0
     *
     * @param WP_Error &$errors WP_Error object, passed by reference.
     * @param bool     $update  Whether this is a user update.
     * @param WP_User  &$user   WP_User object, passed by reference.
     */
    do_action_ref_array('user_profile_update_errors', array(&$errors, $update, &$user));
    if ($errors->get_error_codes()) {
        return $errors;
    }
    if ($update) {
        $user_id = wp_update_user($user);
    } else {
        $user_id = wp_insert_user($user);
        /**
         * Fires after a new user has been created.
         *
         * @since 4.4.0
         *
         * @param int $user_id ID of the newly created user.
         */
        do_action('edit_user_created_user', $user_id);
    }
    return $user_id;
}
/**
 * Checks and cleans a URL. This function is from WordPress.
 *
 * A number of characters are removed from the URL. If the URL is for displaying
 * (the default behaviour) ampersands are also replaced. The 'clean_url' filter
 * is applied to the returned cleaned URL.
 *
 * Processing order: character allow-list, CR/LF removal, ';//' repair, display-only
 * entity handling, then either a pass-through for root-relative URLs or a scheme
 * check via wp_kses_bad_protocol() that rejects the whole URL on any mismatch.
 *
 * @since 2.8.0
 * @uses wp_kses_bad_protocol() To only permit protocols in the URL set
 *      via $protocols or the common ones set in the function.
 *
 * @param string $url       The URL to be cleaned.
 * @param array  $protocols Optional. An array of acceptable protocols.
 *      Defaults to 'http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn' if not set.
 *      Anything that is not an array (including a single scheme string) falls back to wp_allowed_protocols().
 * @param string $_context  Private. Use esc_url_raw() for database usage.
 * @return string The cleaned $url after the 'clean_url' filter is applied, or '' when the scheme is not allowed.
 */
public function esc_url($url, $protocols = null, $_context = 'display') {
    $original_url = $url;
    // Drop every byte outside the allow-list (case-insensitive); high bytes \x80-\xff are kept.
    $url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\\|*\'()\\x80-\\xff]|i', '', $url);
    // Percent-encoded CR/LF are removed repeatedly so nested encodings cannot reintroduce them.
    $strip = array('%0d', '%0a', '%0D', '%0A');
    $url = _deep_replace($strip, $url);
    $url = str_replace(';//', '://', $url);
    // Replace ampersands and single quotes only when displaying.
    if ('display' == $_context) {
        $url = wp_kses_normalize_entities($url);
        // NOTE(review): these two replacement targets read as no-ops / broken syntax in this
        // listing; this looks like HTML-entity decoding applied to the source. Take the
        // replacement strings from the canonical source rather than from this copy.
        $url = str_replace('&', '&', $url);
        $url = str_replace('\'', ''', $url);
    }
    // Root-relative URLs need no scheme check. Note that empty() treats a leading '0'
    // as empty, so a URL starting with '0' takes the protocol-check branch instead.
    if (!empty($url[0]) && '/' === $url[0]) {
        $good_protocol_url = $url;
    } else {
        if (!is_array($protocols)) {
            $protocols = wp_allowed_protocols();
        }
        // Any change made by wp_kses_bad_protocol() means the scheme was not allowed: reject outright.
        $good_protocol_url = wp_kses_bad_protocol($url, $protocols);
        if (strtolower($good_protocol_url) != strtolower($url)) {
            return '';
        }
    }
    /**
     * Filter a string cleaned and escaped for output as a URL.
     *
     * @since 2.3.0
     *
     * @param string $good_protocol_url The cleaned URL to be returned.
     * @param string $original_url      The URL prior to cleaning.
     * @param string $_context          If 'display', replace ampersands and single quotes only.
     */
    return apply_filters('clean_url', $good_protocol_url, $original_url, $_context);
}
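/**
 * Callback to add a base url to relative links in passed content.
 *
 * @since 2.7.0
 * @access private
 *
 * @global string $_links_add_base
 *
 * @param string[] $m The preg match: [1] attribute name, [2] quotation mark, [3] URL.
 * @return string The rebuilt attribute (name, '=', quoted URL); the URL is left as-is
 *                when it starts with an allowed scheme, otherwise made absolute.
 */
function _links_add_base($m) {
    global $_links_add_base;

    // A URL is kept verbatim only when its scheme is in the allow-list. The in_array()
    // is strict so the comparison cannot be affected by type juggling.
    $has_allowed_scheme = preg_match('#^(\\w{1,20}):#', $m[3], $protocol)
        && in_array($protocol[1], wp_allowed_protocols(), true);
    // NOTE(review): the comparison is case-sensitive; if wp_allowed_protocols() returns
    // lowercase names (as its documented defaults are), 'HTTP://...' is treated as relative.
    $url = $has_allowed_scheme ? $m[3] : WP_Http::make_absolute_url($m[3], $_links_add_base);

    return $m[1] . '=' . $m[2] . $url . $m[2];
}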
/**
 * Strip scripts and some HTML tags.
 *
 * Array values are rejected outright (empty string). The tag allow-list comes from
 * get_allowable_tags(); a value of `true` means "do not strip tags". The kses passes
 * use the 'post' context and the default protocol list.
 *
 * NOTE(review): unlike wp_kses() (shown elsewhere on this page) this skips the
 * wp_kses_normalize_entities() step between no_null and the hook — confirm that is intentional.
 *
 * @param string $value   The field value to be processed.
 * @param int    $form_id The ID of the form currently being processed.
 *
 * @return string
 */
public function sanitize_entry_value($value, $form_id) {
    if (is_array($value)) {
        return '';
    }

    $tag_whitelist = $this->get_allowable_tags($form_id);
    $cleaned = $tag_whitelist === true ? $value : strip_tags($value, $tag_whitelist);

    $protocols = wp_allowed_protocols();
    $cleaned = wp_kses_no_null($cleaned, array('slash_zero' => 'keep'));
    $cleaned = wp_kses_hook($cleaned, 'post', $protocols);

    return wp_kses_split($cleaned, 'post', $protocols);
}
/**
 * A special URL escaping function that handles additional protocols.
 *
 * A value of the form "post: 123" is first resolved to that post's permalink; the
 * result is then passed to esc_url_raw() with 'skype' appended to the default
 * protocol list.
 *
 * @param string $url
 *
 * @return string
 */
function sow_esc_url_raw($url) {
    $is_post_reference = preg_match('/^post: *([0-9]+)/', $url, $matches);
    if ($is_post_reference) {
        // Convert the special post URL into a permalink
        $url = get_the_permalink(intval($matches[1]));
    }

    $accepted_protocols = wp_allowed_protocols();
    $accepted_protocols[] = 'skype';

    return esc_url_raw($url, $accepted_protocols);
}
/**
 * AJAX hook for the inline link editor on Tools -> Broken Links.
 *
 * Reads link_id, new_url and (optionally) new_text from $_POST, validates them,
 * applies the edit through blcLink::edit() and emits a JSON response. Every
 * failure path die()s with a JSON object carrying an 'error' key.
 *
 * @return void
 */
function ajax_edit() {
    // Capability and nonce check; check_ajax_referer() is told not to die so the
    // failure is reported as JSON here instead.
    if (!current_user_can('edit_others_posts') || !check_ajax_referer('blc_edit', false, false)) {
        die(json_encode(array('error' => __("You're not allowed to do that!", 'broken-link-checker'))));
    }
    if (empty($_POST['link_id']) || empty($_POST['new_url']) || !is_numeric($_POST['link_id'])) {
        die(json_encode(array('error' => __("Error : link_id or new_url not specified", 'broken-link-checker'))));
    }
    //Load the link
    $link = new blcLink(intval($_POST['link_id']));
    if (!$link->valid()) {
        die(json_encode(array('error' => sprintf(__("Oops, I can't find the link %d", 'broken-link-checker'), intval($_POST['link_id'])))));
    }
    //Validate the new URL.
    $new_url = stripslashes($_POST['new_url']);
    // '@' hides the warning parse_url() emits on badly malformed input; its false return is handled just below.
    $parsed = @parse_url($new_url);
    if (!$parsed) {
        die(json_encode(array('error' => __("Oops, the new URL is invalid!", 'broken-link-checker'))));
    }
    // The scheme allow-list is enforced only for users without unfiltered_html;
    // users who hold that capability can store any scheme.
    if (!current_user_can('unfiltered_html')) {
        //Disallow potentially dangerous URLs like "javascript:...".
        $protocols = wp_allowed_protocols();
        $good_protocol_url = wp_kses_bad_protocol($new_url, $protocols);
        if ($new_url != $good_protocol_url) {
            die(json_encode(array('error' => __("Oops, the new URL is invalid!", 'broken-link-checker'))));
        }
    }
    // new_text: null means "leave the link text alone"; an empty string is folded into null.
    $new_text = isset($_POST['new_text']) && is_string($_POST['new_text']) ? stripslashes($_POST['new_text']) : null;
    if ($new_text === '') {
        $new_text = null;
    }
    if (!empty($new_text) && !current_user_can('unfiltered_html')) {
        $new_text = stripslashes(wp_filter_post_kses(addslashes($new_text))); //wp_filter_post_kses expects slashed data.
    }
    $rez = $link->edit($new_url, $new_text);
    if ($rez === false) {
        die(json_encode(array('error' => __("An unexpected error occurred!", 'broken-link-checker'))));
    } else {
        $new_link = $rez['new_link'];
        /** @var blcLink $new_link */
        $new_status = $new_link->analyse_status();
        // The UI link text is taken from the first instance, and only when the text was edited.
        $ui_link_text = null;
        if (isset($new_text)) {
            $instances = $new_link->get_instances();
            if (!empty($instances)) {
                $first_instance = reset($instances);
                $ui_link_text = $first_instance->ui_get_link_text();
            }
        }
        $response = array(
            'new_link_id' => $rez['new_link_id'],
            'cnt_okay' => $rez['cnt_okay'],
            'cnt_error' => $rez['cnt_error'],
            'status_text' => $new_status['text'],
            'status_code' => $new_status['code'],
            'http_code' => empty($new_link->http_code) ? '' : $new_link->http_code,
            'redirect_count' => $new_link->redirect_count,
            'url' => $new_link->url,
            'escaped_url' => esc_url_raw($new_link->url),
            'final_url' => $new_link->final_url,
            'link_text' => isset($new_text) ? $new_text : null,
            'ui_link_text' => isset($new_text) ? $ui_link_text : null,
            'errors' => array()
        );
        //url, status text, status code, link text, editable link text
        // Each WP_Error from the edit is flattened to one comma-separated string.
        foreach ($rez['errors'] as $error) {
            /** @var $error WP_Error */
            array_push($response['errors'], implode(', ', $error->get_error_messages()));
        }
        die(json_encode($response));
    }
}
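/**
 * Callback to add a base url to relative links in passed content.
 *
 * @since 2.7.0
 * @access private
 *
 * @global string $_links_add_base
 *
 * @param string[] $m The preg match: [1] attribute name, [2] quotation mark, [3] URL.
 * @return string The rebuilt attribute (name, '=', quoted URL); the URL is left as-is
 *                when it starts with an allowed scheme, otherwise joined onto the base.
 */
function _links_add_base($m) {
    global $_links_add_base;

    // A URL is kept verbatim only when its scheme is in the allow-list. The in_array()
    // is strict so the comparison cannot be affected by type juggling.
    $has_allowed_scheme = preg_match('#^(\\w{1,20}):#', $m[3], $protocol)
        && in_array($protocol[1], wp_allowed_protocols(), true);
    // NOTE(review): the comparison is case-sensitive; if wp_allowed_protocols() returns
    // lowercase names (as its documented defaults are), 'HTTP://...' is treated as relative.
    $url = $has_allowed_scheme ? $m[3] : path_join($_links_add_base, $m[3]);

    return $m[1] . '=' . $m[2] . $url . $m[2];
}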
/**
 * Checks and cleans a URL for output.
 *
 * Processing order: empty short-circuit, space encoding, character allow-list,
 * CR/LF removal (skipped for mailto:), ';//' repair, scheme defaulting to http://,
 * display-only entity handling, bracket encoding outside the authority part, then
 * either a pass-through for root-relative URLs or a scheme check via
 * wp_kses_bad_protocol() that rejects the whole URL on any mismatch.
 *
 * @param string $url       The URL to be cleaned.
 * @param array  $protocols Optional. Acceptable protocols; anything that is not an array
 *                          (including a single scheme string) falls back to wp_allowed_protocols().
 * @param string $_context  Private. 'display' (default) also replaces ampersands and single quotes.
 * @return string The cleaned URL after the 'clean_url' filter, or '' when the scheme is not allowed.
 */
function esc_url($url, $protocols = null, $_context = 'display') {
    $original_url = $url;
    if ('' == $url) {
        return $url;
    }
    $url = str_replace(' ', '%20', $url);
    // Drop every byte outside the allow-list (case-insensitive); brackets and high bytes are kept.
    $url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\\|*\'()\\[\\]\\x80-\\xff]|i', '', $url);
    if ('' === $url) {
        return $url;
    }
    // Percent-encoded CR/LF are removed repeatedly (so nested encodings cannot
    // reintroduce them) except in mailto: links, where they are left alone.
    if (0 !== stripos($url, 'mailto:')) {
        $strip = array('%0d', '%0a', '%0D', '%0A');
        $url = _deep_replace($strip, $url);
    }
    $url = str_replace(';//', '://', $url);
    /* If the URL doesn't appear to contain a scheme, we
     * presume it needs http:// prepended (unless a relative
     * link starting with /, # or ? or a php file).
     */
    if (strpos($url, ':') === false && !in_array($url[0], array('/', '#', '?')) && !preg_match('/^[a-z0-9-]+?\\.php/i', $url)) {
        $url = 'http://' . $url;
    }
    // Replace ampersands and single quotes only when displaying.
    if ('display' == $_context) {
        $url = wp_kses_normalize_entities($url);
        // NOTE(review): these two replacement targets read as no-ops / broken syntax in this
        // listing; this looks like HTML-entity decoding applied to the source. Take the
        // replacement strings from the canonical source rather than from this copy.
        $url = str_replace('&', '&', $url);
        $url = str_replace("'", ''', $url);
    }
    // Square brackets are percent-encoded only in the part after the authority
    // (scheme, credentials, host and port are reassembled into $front and left untouched).
    if (false !== strpos($url, '[') || false !== strpos($url, ']')) {
        $parsed = wp_parse_url($url);
        $front = '';
        if (isset($parsed['scheme'])) {
            $front .= $parsed['scheme'] . '://';
        } elseif ('/' === $url[0]) {
            $front .= '//';
        }
        if (isset($parsed['user'])) {
            $front .= $parsed['user'];
        }
        if (isset($parsed['pass'])) {
            $front .= ':' . $parsed['pass'];
        }
        if (isset($parsed['user']) || isset($parsed['pass'])) {
            $front .= '@';
        }
        if (isset($parsed['host'])) {
            $front .= $parsed['host'];
        }
        if (isset($parsed['port'])) {
            $front .= ':' . $parsed['port'];
        }
        $end_dirty = str_replace($front, '', $url);
        $end_clean = str_replace(array('[', ']'), array('%5B', '%5D'), $end_dirty);
        $url = str_replace($end_dirty, $end_clean, $url);
    }
    // Root-relative URLs need no scheme check.
    if ('/' === $url[0]) {
        $good_protocol_url = $url;
    } else {
        if (!is_array($protocols)) {
            $protocols = wp_allowed_protocols();
        }
        // Any change made by wp_kses_bad_protocol() means the scheme was not allowed: reject outright.
        $good_protocol_url = wp_kses_bad_protocol($url, $protocols);
        if (strtolower($good_protocol_url) != strtolower($url)) {
            return '';
        }
    }
    return apply_filters('clean_url', $good_protocol_url, $original_url, $_context);
}