_normalize_entities() regular expression. * * This function only accepts valid named entity references, which are finite, * case-sensitive, and highly scrutinized by HTML and XML validators. * * @since 3.0.0 * * @global array $allowedentitynames * * @param array $matches preg_replace_callback() matches array * @return string Correctly encoded entity */ function wp_kses_named_entities($matches) { global $allowedentitynames; if ( empty($matches[1]) ) return ''; $i = $matches[1]; return ( ! in_array( $i, $allowedentitynames ) ) ? "&$i;" : "&$i;"; } /** * Callback for wp_kses_normalize_entities() regular expression. * * This function helps wp_kses_normalize_entities() to only accept 16-bit * values and nothing more for `&#number;` entities. * * @access private * @since 1.0.0 * * @param array $matches preg_replace_callback() matches array * @return string Correctly encoded entity */ function wp_kses_normalize_entities2($matches) { if ( empty($matches[1]) ) return ''; $i = $matches[1]; if (valid_unicode($i)) { $i = str_pad(ltrim($i,'0'), 3, '0', STR_PAD_LEFT); $i = "&#$i;"; } else { $i = "&#$i;"; } return $i; } /** * Callback for wp_kses_normalize_entities() for regular expression. * * This function helps wp_kses_normalize_entities() to only accept valid Unicode * numeric entities in hex form. * * @since 2.7.0 * @access private * * @param array $matches preg_replace_callback() matches array * @return string Correctly encoded entity */ function wp_kses_normalize_entities3($matches) { if ( empty($matches[1]) ) return ''; $hexchars = $matches[1]; return ( ! valid_unicode( hexdec( $hexchars ) ) ) ? "&#x$hexchars;" : '&#x'.ltrim($hexchars,'0').';'; } /** * Helper function to determine if a Unicode value is valid. * * @since 2.7.0 * * @param int $i Unicode value * @return bool True if the value was a valid Unicode number */ function valid_unicode($i) { return ( $i == 0x9 || $i == 0xa || $i == 0xd || ($i >= 0x20 && $i <= 0xd7ff) || ($i >= 0xe000 && $i <= 0xfffd) || ($i >= 0x10000 && $i <= 0x10ffff) ); } /** * Convert all entities to their character counterparts. * * This function decodes numeric HTML entities (`A` and `A`). * It doesn't do anything with other entities like ä, but we don't * need them in the URL protocol whitelisting system anyway. * * @since 1.0.0 * * @param string $string Content to change entities * @return string Content after decoded entities */ function wp_kses_decode_entities($string) { $string = preg_replace_callback('/&#([0-9]+);/', '_wp_kses_decode_entities_chr', $string); $string = preg_replace_callback('/&#[Xx]([0-9A-Fa-f]+);/', '_wp_kses_decode_entities_chr_hexdec', $string); return $string; } /** * Regex callback for wp_kses_decode_entities() * * @since 2.9.0 * * @param array $match preg match * @return string */ function _wp_kses_decode_entities_chr( $match ) { return chr( $match[1] ); } /** * Regex callback for wp_kses_decode_entities() * * @since 2.9.0 * * @param array $match preg match * @return string */ function _wp_kses_decode_entities_chr_hexdec( $match ) { return chr( hexdec( $match[1] ) ); } /** * Sanitize content with allowed HTML Kses rules. * * @since 1.0.0 * * @param string $data Content to filter, expected to be escaped with slashes * @return string Filtered content */ function wp_filter_kses( $data ) { return addslashes( wp_kses( stripslashes( $data ), current_filter() ) ); } /** * Sanitize content with allowed HTML Kses rules. * * @since 2.9.0 * * @param string $data Content to filter, expected to not be escaped * @return string Filtered content */ function wp_kses_data( $data ) { return wp_kses( $data, current_filter() ); } /** * Sanitize content for allowed HTML tags for post content. * * Post content refers to the page contents of the 'post' type and not $_POST * data from forms. * * @since 2.0.0 * * @param string $data Post content to filter, expected to be escaped with slashes * @return string Filtered post content with allowed HTML tags and attributes intact. */ function wp_filter_post_kses( $data ) { return addslashes( wp_kses( stripslashes( $data ), 'post' ) ); } /** * Sanitize content for allowed HTML tags for post content. * * Post content refers to the page contents of the 'post' type and not $_POST * data from forms. * * @since 2.9.0 * * @param string $data Post content to filter * @return string Filtered post content with allowed HTML tags and attributes intact. */ function wp_kses_post( $data ) { return wp_kses( $data, 'post' ); } /** * Navigates through an array, object, or scalar, and sanitizes content for * allowed HTML tags for post content. * * @since 4.4.2 * * @see map_deep() * * @param mixed $data The array, object, or scalar value to inspect. * @return mixed The filtered content. */ function wp_kses_post_deep( $data ) { return map_deep( $data, 'wp_kses_post' ); } /** * Strips all of the HTML in the content. * * @since 2.1.0 * * @param string $data Content to strip all HTML from * @return string Filtered content without any HTML */ function wp_filter_nohtml_kses( $data ) { return addslashes( wp_kses( stripslashes( $data ), 'strip' ) ); } /** * Adds all Kses input form content filters. * * All hooks have default priority. The wp_filter_kses() function is added to * the 'pre_comment_content' and 'title_save_pre' hooks. * * The wp_filter_post_kses() function is added to the 'content_save_pre', * 'excerpt_save_pre', and 'content_filtered_save_pre' hooks. * * @since 2.0.0 */ function kses_init_filters() { // Normal filtering add_filter('title_save_pre', 'wp_filter_kses'); // Comment filtering if ( current_user_can( 'unfiltered_html' ) ) add_filter( 'pre_comment_content', 'wp_filter_post_kses' ); else add_filter( 'pre_comment_content', 'wp_filter_kses' ); // Post filtering add_filter('content_save_pre', 'wp_filter_post_kses'); add_filter('excerpt_save_pre', 'wp_filter_post_kses'); add_filter('content_filtered_save_pre', 'wp_filter_post_kses'); } /** * Removes all Kses input form content filters. * * A quick procedural method to removing all of the filters that kses uses for * content in WordPress Loop. * * Does not remove the kses_init() function from {@see 'init'} hook (priority is * default). Also does not remove kses_init() function from {@see 'set_current_user'} * hook (priority is also default). * * @since 2.0.6 */ function kses_remove_filters() { // Normal filtering remove_filter('title_save_pre', 'wp_filter_kses'); // Comment filtering remove_filter( 'pre_comment_content', 'wp_filter_post_kses' ); remove_filter( 'pre_comment_content', 'wp_filter_kses' ); // Post filtering remove_filter('content_save_pre', 'wp_filter_post_kses'); remove_filter('excerpt_save_pre', 'wp_filter_post_kses'); remove_filter('content_filtered_save_pre', 'wp_filter_post_kses'); } /** * Sets up most of the Kses filters for input form content. * * If you remove the kses_init() function from {@see 'init'} hook and * {@see 'set_current_user'} (priority is default), then none of the Kses filter hooks * will be added. * * First removes all of the Kses filters in case the current user does not need * to have Kses filter the content. If the user does not have unfiltered_html * capability, then Kses filters are added. * * @since 2.0.0 */ function kses_init() { kses_remove_filters(); if ( ! current_user_can( 'unfiltered_html' ) ) { kses_init_filters(); } } /** * Inline CSS filter * * @since 2.8.1 * * @param string $css A string of CSS rules. * @param string $deprecated Not used. * @return string Filtered string of CSS rules. */ function safecss_filter_attr( $css, $deprecated = '' ) { if ( !empty( $deprecated ) ) _deprecated_argument( __FUNCTION__, '2.8.1' ); // Never implemented $css = wp_kses_no_null($css); $css = str_replace(array("\n","\r","\t"), '', $css); if ( preg_match( '%[\\\\(&=}]|/\*%', $css ) ) // remove any inline css containing \ ( & } = or comments return ''; $css_array = explode( ';', trim( $css ) ); /** * Filters list of allowed CSS attributes. * * @since 2.8.1 * @since 4.4.0 Added support for `min-height`, `max-height`, `min-width`, and `max-width`. * @since 4.6.0 Added support for `list-style-type`. * * @param array $attr List of allowed CSS attributes. */ $allowed_attr = apply_filters( 'safe_style_css', array( 'background', 'background-color', 'border', 'border-width', 'border-color', 'border-style', 'border-right', 'border-right-color', 'border-right-style', 'border-right-width', 'border-bottom', 'border-bottom-color', 'border-bottom-style', 'border-bottom-width', 'border-left', 'border-left-color', 'border-left-style', 'border-left-width', 'border-top', 'border-top-color', 'border-top-style', 'border-top-width', 'border-spacing', 'border-collapse', 'caption-side', 'color', 'font', 'font-family', 'font-size', 'font-style', 'font-variant', 'font-weight', 'letter-spacing', 'line-height', 'text-decoration', 'text-indent', 'text-align', 'height', 'min-height', 'max-height', 'width', 'min-width', 'max-width', 'margin', 'margin-right', 'margin-bottom', 'margin-left', 'margin-top', 'padding', 'padding-right', 'padding-bottom', 'padding-left', 'padding-top', 'clear', 'cursor', 'direction', 'float', 'overflow', 'vertical-align', 'list-style-type', ) ); if ( empty($allowed_attr) ) return $css; $css = ''; foreach ( $css_array as $css_item ) { if ( $css_item == '' ) continue; $css_item = trim( $css_item ); $found = false; if ( strpos( $css_item, ':' ) === false ) { $found = true; } else { $parts = explode( ':', $css_item ); if ( in_array( trim( $parts[0] ), $allowed_attr ) ) $found = true; } if ( $found ) { if( $css != '' ) $css .= ';'; $css .= $css_item; } } return $css; } /** * Helper function to add global attributes to a tag in the allowed html list. * * @since 3.5.0 * @access private * * @param array $value An array of attributes. * @return array The array of attributes with global attributes added. */ function _wp_add_global_attributes( $value ) { $global_attributes = array( 'class' => true, 'id' => true, 'style' => true, 'title' => true, 'role' => true, ); if ( true === $value ) $value = array(); if ( is_array( $value ) ) return array_merge( $value, $global_attributes ); return $value; }