wp_kses_hook

Definition:
function wp_kses_hook($string, $allowed_html, $allowed_protocols) {}

Add any kses hooks here.
There is currently only one kses WordPress hook, and it is called here. All parameters are passed to the hook, which is expected to return a string.

Parameters

  • string $string: Content to filter through kses
  • array $allowed_html: List of allowed HTML elements
  • array $allowed_protocols: Allowed protocol in links

Return values

returns: Filtered content, after the 'pre_kses' hook

Defined filters

  • pre_kses
    apply_filters('pre_kses', $string, $allowed_html, $allowed_protocols)

Source code

function wp_kses_hook($string, $allowed_html, $allowed_protocols) {
	$string = apply_filters('pre_kses', $string, $allowed_html, $allowed_protocols);
	return $string;
}

wp_kses_hair

Definition:
function wp_kses_hair($attr, $allowed_protocols) {}

Builds an attribute list from a string containing attributes.
This function does a lot of work. It parses an attribute list into an array of attribute data and tries to do the right thing even when it gets odd input. It adds quotes around attribute values that have neither quotes nor apostrophes around them, to make it easier to produce HTML that conforms to the W3C HTML specification. It also removes bad URL protocols from attribute values, and it collapses duplicate attributes by keeping the one defined first (foo='bar' foo='baz' results in foo='bar').

Parameters

  • string $attr: Attribute list of an HTML element, i.e. the text after the tag name up to the closing '>'
  • array $allowed_protocols: Allowed protocols to keep

Return values

returns: List of attributes after parsing

Source code

function wp_kses_hair($attr, $allowed_protocols) {
	$attrarr = array ();
	$mode = 0;
	$attrname = '';
	$uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');

	# Loop through the whole attribute list

	while (strlen($attr) != 0) {
		$working = 0; # Was the last operation successful?

		switch ($mode) {
			case 0 : # attribute name, href for instance

				if (preg_match('/^([-a-zA-Z]+)/', $attr, $match)) {
					$attrname = $match[1];
					$working = $mode = 1;
					$attr = preg_replace('/^[-a-zA-Z]+/', '', $attr);
				}

				break;

			case 1 : # equals sign or valueless ("selected")

				if (preg_match('/^\s*=\s*/', $attr)) # equals sign
					{
					$working = 1;
					$mode = 2;
					$attr = preg_replace('/^\s*=\s*/', '', $attr);
					break;
				}

				if (preg_match('/^\s+/', $attr)) # valueless
					{
					$working = 1;
					$mode = 0;
					if(FALSE === array_key_exists($attrname, $attrarr)) {
						$attrarr[$attrname] = array ('name' => $attrname, 'value' => '', 'whole' => $attrname, 'vless' => 'y');
					}
					$attr = preg_replace('/^\s+/', '', $attr);
				}

				break;

			case 2 : # attribute value, a URL after href= for instance

				if (preg_match('%^"([^"]*)"(\s+|/?$)%', $attr, $match))
					# "value"
					{
					$thisval = $match[1];
					if ( in_array(strtolower($attrname), $uris) )
						$thisval = wp_kses_bad_protocol($thisval, $allowed_protocols);

					if(FALSE === array_key_exists($attrname, $attrarr)) {
						$attrarr[$attrname] = array ('name' => $attrname, 'value' => $thisval, 'whole' => "$attrname=\"$thisval\"", 'vless' => 'n');
					}
					$working = 1;
					$mode = 0;
					$attr = preg_replace('/^"[^"]*"(\s+|$)/', '', $attr);
					break;
				}

				if (preg_match("%^'([^']*)'(\s+|/?$)%", $attr, $match))
					# 'value'
					{
					$thisval = $match[1];
					if ( in_array(strtolower($attrname), $uris) )
						$thisval = wp_kses_bad_protocol($thisval, $allowed_protocols);

					if(FALSE === array_key_exists($attrname, $attrarr)) {
						$attrarr[$attrname] = array ('name' => $attrname, 'value' => $thisval, 'whole' => "$attrname='$thisval'", 'vless' => 'n');
					}
					$working = 1;
					$mode = 0;
					$attr = preg_replace("/^'[^']*'(\s+|$)/", '', $attr);
					break;
				}

				if (preg_match("%^([^\s\"']+)(\s+|/?$)%", $attr, $match))
					# value
					{
					$thisval = $match[1];
					if ( in_array(strtolower($attrname), $uris) )
						$thisval = wp_kses_bad_protocol($thisval, $allowed_protocols);

					if(FALSE === array_key_exists($attrname, $attrarr)) {
						$attrarr[$attrname] = array ('name' => $attrname, 'value' => $thisval, 'whole' => "$attrname=\"$thisval\"", 'vless' => 'n');
					}
					# We add quotes to conform to W3C's HTML spec.
					$working = 1;
					$mode = 0;
					$attr = preg_replace("%^[^\s\"']+(\s+|$)%", '', $attr);
				}

				break;
		} # switch

		if ($working == 0) # not well formed, remove and try again
		{
			$attr = wp_kses_html_error($attr);
			$mode = 0;
		}
	} # while

	if ($mode == 1 && FALSE === array_key_exists($attrname, $attrarr))
		# special case, for when the attribute list ends with a valueless
		# attribute like "selected"
		$attrarr[$attrname] = array ('name' => $attrname, 'value' => '', 'whole' => $attrname, 'vless' => 'y');

	return $attrarr;
}

wp_kses_decode_entities

Definition:
function wp_kses_decode_entities($string) {}

Converts numeric entities to their character counterparts.
This function decodes numeric HTML entities (&#65; and &#x41;). It does nothing with named entities such as &auml;, but those are not needed by the URL protocol whitelisting system anyway.

Parameters

  • string $string: Content whose numeric entities are to be decoded

Return values

returns: Content with numeric entities decoded

Source code

function wp_kses_decode_entities($string) {
	$string = preg_replace_callback('/&#([0-9]+);/', '_wp_kses_decode_entities_chr', $string);
	$string = preg_replace_callback('/&#[Xx]([0-9A-Fa-f]+);/', '_wp_kses_decode_entities_chr_hexdec', $string);

	return $string;
}
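As an added illustration of the two functions above (this is a Python port written for this page, not WordPress code): kses_hair() reproduces the three-state loop of wp_kses_hair, including the first-definition-wins rule for duplicates, the quoting of bare values and the trailing valueless attribute, and decode_entities() mirrors wp_kses_decode_entities. wp_kses_bad_protocol and wp_kses_html_error are not on this page, so bad_protocol() and HTML_ERROR are simplified stand-ins (assumptions); all inputs are constructed.

```python
import re

URI_ATTRS = {'xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase',  # $uris in
             'data', 'usemap', 'longdesc', 'action'}                              # wp_kses_hair
HTML_ERROR = r'^("[^"]*("|$)|\'[^\']*(\'|$)|\S)*\s*'  # wp_kses_html_error's regex (assumption)

def decode_entities(s):  # port of wp_kses_decode_entities: decimal and hex numeric entities only
    s = re.sub(r'&#([0-9]+);', lambda m: chr(int(m.group(1))), s)
    return re.sub(r'&#[Xx]([0-9A-Fa-f]+);', lambda m: chr(int(m.group(1), 16)), s)

def bad_protocol(value, allowed):
    # Simplified stand-in for wp_kses_bad_protocol (assumption, not the WP code): split on the
    # first ':' (or its entity forms), normalize the scheme as kses does, keep it only if allowed.
    allowed = {p.lower() for p in allowed}
    while (len(parts := re.split(r':|&#0*58;|&#[Xx]0*3[Aa];', value, maxsplit=1)) == 2
           and '/?' not in parts[0]):  # stop when no scheme is left or the ':' sits in a query
        scheme = re.sub(r'\s', '', decode_entities(parts[0])).lower()
        new = (scheme + ':' if scheme in allowed else '') + parts[1].strip()
        if new == value:
            break
        value = new
    return value

def kses_hair(attr, allowed_protocols):
    """Port of wp_kses_hair's loop: mode 0 = name, 1 = '=' or valueless, 2 = value."""
    attrarr, mode, attrname = {}, 0, ''
    def add(name, value, whole, vless):  # the first definition of a name wins
        attrarr.setdefault(name, {'name': name, 'value': value, 'whole': whole, 'vless': vless})
    while attr:
        working = False
        if mode == 0 and (m := re.match(r'[-a-zA-Z]+', attr)):
            attrname, mode, working, attr = m.group(0), 1, True, attr[m.end():]
        elif mode == 1 and (m := re.match(r'\s*=\s*', attr)):
            mode, working, attr = 2, True, attr[m.end():]
        elif mode == 1 and (m := re.match(r'\s+', attr)):  # valueless, e.g. "selected"
            add(attrname, '', attrname, 'y')
            mode, working, attr = 0, True, attr[m.end():]
        elif mode == 2:
            for pat, q in ((r'"([^"]*)"(\s+|/?$)', '"'), (r"'([^']*)'(\s+|/?$)", "'"),
                           (r'([^\s"\']+)(\s+|/?$)', '"')):  # bare values get double quotes
                if m := re.match(pat, attr):
                    val = bad_protocol(m.group(1), allowed_protocols) if attrname.lower() in URI_ATTRS else m.group(1)
                    add(attrname, val, f'{attrname}={q}{val}{q}', 'n')
                    mode, working, attr = 0, True, attr[m.end():]
                    break
        if not working:  # malformed token: drop it and start over in mode 0
            attr, mode = re.sub(HTML_ERROR, '', attr, count=1), 0
    if mode == 1:  # the list ended with a valueless attribute
        add(attrname, '', attrname, 'y')
    return attrarr
```

For example, kses_hair("foo='bar' foo='baz' title=Hello selected", ['http']) keeps only the first foo, records title as title="Hello" and selected with vless 'y'.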

wp_kses_data

Definition:
function wp_kses_data($data) {}

Sanitize content with allowed HTML Kses rules.

Parameters

  • string $data: Content to filter, expected to not be escaped

Return values

returns: Filtered content

Source code

function wp_kses_data($data) {
	global $allowedtags;
	return wp_kses( $data , $allowedtags );
}

wp_kses_check_attr_val

Definition:
function wp_kses_check_attr_val($value, $vless, $checkname, $checkvalue) {}

Performs different checks for attribute values.
The currently implemented checks are "maxlen", "minlen", "maxval", "minval" and "valueless".

Parameters

  • string $value: Attribute value
  • string $vless: Whether the value is valueless. Use 'y' or 'n'
  • string $checkname: What $checkvalue is checking for.
  • mixed $checkvalue: What constraint the value should pass

Return values

returns: Whether the check passes

Source code

function wp_kses_check_attr_val($value, $vless, $checkname, $checkvalue) {
	$ok = true;

	switch (strtolower($checkname)) {
		case 'maxlen' :
			# The maxlen check makes sure that the attribute value has a length not
			# greater than the given value. This can be used to avoid Buffer Overflows
			# in WWW clients and various Internet servers.

			if (strlen($value) > $checkvalue)
				$ok = false;
			break;

		case 'minlen' :
			# The minlen check makes sure that the attribute value has a length not
			# smaller than the given value.

			if (strlen($value) < $checkvalue)
				$ok = false;
			break;

		case 'maxval' :
			# The maxval check does two things: it checks that the attribute value is
			# an integer from 0 and up, without an excessive amount of zeroes or
			# whitespace (to avoid Buffer Overflows). It also checks that the attribute
			# value is not greater than the given value.
			# This check can be used to avoid Denial of Service attacks.

			if (!preg_match('/^\s{0,6}[0-9]{1,6}\s{0,6}$/', $value))
				$ok = false;
			if ($value > $checkvalue)
				$ok = false;
			break;

		case 'minval' :
			# The minval check makes sure that the attribute value is a positive integer,
			# and that it is not smaller than the given value.

			if (!preg_match('/^\s{0,6}[0-9]{1,6}\s{0,6}$/', $value))
				$ok = false;
			if ($value < $checkvalue)
				$ok = false;
			break;

		case 'valueless' :
			# The valueless check makes sure if the attribute has a value
			# (like <a href="blah">) or not (<option selected>). If the given value
			# is a "y" or a "Y", the attribute must not have a value.
			# If the given value is an "n" or an "N", the attribute must have one.

			if (strtolower($checkvalue) != $vless)
				$ok = false;
			break;
	} # switch

	return $ok;
}
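A Python port of wp_kses_check_attr_val, added here (not WordPress code) to make the five checks runnable and to show what the maxval/minval regex does: it bounds the digit count and surrounding whitespace before any numeric comparison, so oversized, signed or exponent-style values fail regardless of the limit. The sample values are constructed.

```python
import re

# Same bound as the page's regex: at most 6 spaces, 1..6 digits, at most 6 spaces, so the
# value can never be a huge number or a long whitespace run by the time it is compared.
NUMERIC = re.compile(r'^\s{0,6}[0-9]{1,6}\s{0,6}$')

def check_attr_val(value, vless, checkname, checkvalue):
    """Port of wp_kses_check_attr_val: True when the attribute value passes the check."""
    check = checkname.lower()
    if check == 'maxlen':                      # PHP strlen() counts bytes, so compare bytes
        return len(value.encode('utf-8')) <= checkvalue
    if check == 'minlen':
        return len(value.encode('utf-8')) >= checkvalue
    if check in ('maxval', 'minval'):
        if not NUMERIC.match(value):           # rejects '-1', '1e3', '0x10', seven digits, ...
            return False
        n = int(value)                         # PHP compares the numeric string as a number
        return n <= checkvalue if check == 'maxval' else n >= checkvalue
    if check == 'valueless':                   # 'y'/'Y': must have no value; 'n'/'N': must have one
        return checkvalue.lower() == vless
    return True                                # unknown check names pass, as in the original
```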
