Changeset 4672

Timestamp:
01/02/07 21:22:41 (2 years ago)
Author:
ryan
Message:

Add kses protocol checking to clean_url. Props Andy. fixes #3515

Files:

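--- a/branches/2.0/wp-includes/comment-functions.php
+++ b/branches/2.0/wp-includes/comment-functions.php
@@ -212,15 +212,4 @@
     do_action('wp_set_comment_status', $comment_id, 'delete');
     return true;
-}
-
-function clean_url( $url ) {
-    if ('' == $url) return $url;
-    $url = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%]|i', '', $url);
-    $strip = array('%0d', '%0a');
-    $url = str_replace($strip, '', $url);
-    $url = str_replace(';//', '://', $url);
-    $url = (!strstr($url, '://')) ? 'http://'.$url : $url;
-    $url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&$1', $url);
-    return $url;
 }
 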
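--- a/branches/2.0/wp-includes/functions-formatting.php
+++ b/branches/2.0/wp-includes/functions-formatting.php
@@ -1046,4 +1046,19 @@
 }
 
+function clean_url( $url, $protocols = null ) {
+    if ('' == $url) return $url;
+    $url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%]|i', '', $url);
+    $strip = array('%0d', '%0a');
+    $url = str_replace($strip, '', $url);
+    $url = str_replace(';//', '://', $url);
+    $url = (!strstr($url, '://')) ? 'http://'.$url : $url;
+    $url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&$1', $url);
+    if ( !is_array($protocols) )
+        $protocols = array('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet'); 
+    if ( wp_kses_bad_protocol( $url, $protocols ) != $url )
+        return '';
+    return $url;
+}
+
 // Escape single quotes, specialchar double quotes, and fix line endings.
 function js_escape($text) {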
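Review bot: The CR/LF stripping at new lines 1051-1052 calls `str_replace` once and lists only the lowercase forms `%0d` and `%0a`, so an uppercase encoding is not removed and a sequence that re-forms after one removal pass stays in the returned URL. Because the result of clean_url() is typically placed in headers or markup by callers, the strip should cover both cases and repeat until the string stops changing. The trunk copy in trunk/wp-includes/formatting.php presumably carries the same two lines, but the page elides them (1062-1064), so this is noted once here.

```php
    $url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%]|i', '', $url);
    // Strip encoded CR/LF in either case, repeating until nothing is left to remove.
    $strip = array('%0d', '%0a', '%0D', '%0A');
    do {
        $before = $url;
        $url = str_replace($strip, '', $url);
    } while ( $before !== $url );
    // … unchanged: ';//' repair, http:// prefixing, ampersand fix, protocol check …
```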
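--- a/trunk/wp-includes/formatting.php
+++ b/trunk/wp-includes/formatting.php
@@ -1057,5 +1057,5 @@
 }
 
-function clean_url( $url ) {
+function clean_url( $url, $protocols = null ) {
     if ('' == $url) return $url;
     $url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%]|i', '', $url);
@@ -1065,4 +1065,8 @@
     $url = (!strstr($url, '://')) ? 'http://'.$url : $url;
     $url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&$1', $url);
+    if ( !is_array($protocols) )
+        $protocols = array('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet'); 
+    if ( wp_kses_bad_protocol( $url, $protocols ) != $url )
+        return '';
     return $url;
 }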
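Review bot: The `mailto` and `news` entries in the default `$protocols` list (new line 1068) cannot come back from this function as written: the character class at 1061 removes `@`, and line 1065 prefixes `http://` to any URL that lacks `://`, so such a URL reaches `wp_kses_bad_protocol()` already rewritten as an http URL and presumably passes the check. The allowlist therefore reads broader than what the function actually returns, and a caller passing a mailto link gets a mangled http URL back rather than `''`. Either drop those entries from the default list or skip the prefix for them, e.g. `if ( !strstr($url, '://') && !preg_match('/^(mailto|news):/i', $url) ) $url = 'http://'.$url;`, and add `@` to the character class if mailto is meant to work. The same applies to the copy added in branches/2.0/wp-includes/functions-formatting.php; lines 1062-1064 of this function are elided on the page.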