diff options
author | donncha <donncha@7be80a69-a1ef-0310-a953-fb0f7c49ff36> | 2008-04-14 16:03:34 +0000 |
---|---|---|
committer | donncha <donncha@7be80a69-a1ef-0310-a953-fb0f7c49ff36> | 2008-04-14 16:03:34 +0000 |
commit | 4bd0e859f57148278d908be85f2cac2fde3e46bd (patch) | |
tree | 08589c583367d6b4faf96b5c897e813d7d228d56 /wp-includes | |
parent | 1d88055344cae85577bf8b5538f572ab1fb65651 (diff) | |
download | wordpress-mu-4bd0e859f57148278d908be85f2cac2fde3e46bd.tar.gz wordpress-mu-4bd0e859f57148278d908be85f2cac2fde3e46bd.tar.xz wordpress-mu-4bd0e859f57148278d908be85f2cac2fde3e46bd.zip |
Allow 'style' attribute, but filter the styles allowed
git-svn-id: http://svn.automattic.com/wordpress-mu/trunk@1235 7be80a69-a1ef-0310-a953-fb0f7c49ff36
Diffstat (limited to 'wp-includes')
-rw-r--r-- | wp-includes/kses.php | 15 | ||||
-rw-r--r-- | wp-includes/wpmu-functions.php | 44 |
2 files changed, 47 insertions, 12 deletions
diff --git a/wp-includes/kses.php b/wp-includes/kses.php index 4becb79..3c5688e 100644 --- a/wp-includes/kses.php +++ b/wp-includes/kses.php @@ -518,6 +518,19 @@ function wp_kses_attr($element, $attr, $allowed_html, $allowed_protocols) { break; } + if ( $arreach['name'] == 'style' ) { + $orig_value = $arreach['value']; + + $value = safecss_filter_attr($orig_value, $element); + + if ( empty($value) ) + continue; + + $arreach['value'] = $value; + + $arreach['whole'] = str_replace($orig_value, $value, $arreach['whole']); + } + if ($ok) $attr2 .= ' '.$arreach['whole']; # it passed them } # if !is_array($current) @@ -592,7 +605,7 @@ function wp_kses_hair($attr, $allowed_protocols) { if (preg_match('/^"([^"]*)"(\s+|$)/', $attr, $match)) # "value" { - $thisval = wp_kses_bad_protocol($match[1], $allowed_protocols); + $thisval = ($attrname=='style') ? $match[1] : wp_kses_bad_protocol($match[1], $allowed_protocols); $attrarr[] = array ('name' => $attrname, 'value' => $thisval, 'whole' => "$attrname=\"$thisval\"", 'vless' => 'n'); $working = 1; diff --git a/wp-includes/wpmu-functions.php b/wp-includes/wpmu-functions.php index 3b9740b..5a1dd09 100644 --- a/wp-includes/wpmu-functions.php +++ b/wp-includes/wpmu-functions.php @@ -1807,19 +1807,41 @@ function upload_is_file_too_big( $upload ) { } add_filter( "wp_upload_bits", "upload_is_file_too_big" ); -/* -Strip class, id and style attributes from post HTML -*/ -function wordpressmu_kses( $tags ) { - foreach( $tags as $tag => $attr ) { - if( is_array( $attr[ 'style' ] ) ) - unset( $attr[ 'style' ] ); - $tags[ $tag ] = $attr; +function safecss_filter_attr( $css, $element ) { + $css = wp_kses_no_null($css); + $css = str_replace(array("\n","\r","\t"), '', $css); + $css_array = split( ';', trim( $css ) ); + $allowed_attr = apply_filters( 'safe_style_css', array( 'text-align', 'margin', 'color', 'float', + 'border', 'background', 'background-color', 'border-bottom', 'border-bottom-color', + 'border-bottom-style', 'border-bottom-width', 'border-collapse', 'border-color', 'border-left', + 'border-left-color', 'border-left-style', 'border-left-width', 'border-right', 'border-right-color', + 'border-right-style', 'border-right-width', 'border-spacing', 'border-style', 'border-top', + 'border-top-color', 'border-top-style', 'border-top-width', 'border-width', 'caption-side', + 'clear', 'cursor', 'direction', 'font', 'font-family', 'font-size', 'font-style', + 'font-variant', 'font-weight', 'height', 'letter-spacing', 'line-height', 'margin-bottom', + 'margin-left', 'margin-right', 'margin-top', 'overflow', 'padding', 'padding-bottom', + 'padding-left', 'padding-right', 'padding-top', 'text-decoration', 'text-indent', 'vertical-align', + 'width' ) ); + $css = ''; + foreach( $css_array as $css_item ) { + if( $css_item == '' ) + continue; + $css_item = trim( $css_item ); + $found = false; + if( strpos( $css_item, ':' ) === false ) { + $found = true; + } elseif( in_array( substr( $css_item, 0, strpos( $css_item, ':' ) ), $allowed_attr ) ) { + $found = true; + } + if( $found ) { + if( $css != '' ) + $css .= ';'; + $css .= $css_item; + } } - return $tags; + + return $css; } -add_filter( 'edit_allowedtags', 'wordpressmu_kses' ); -add_filter( 'edit_allowedposttags', 'wordpressmu_kses' ); function wordpressmu_authenticate_siteadmin( $user, $password ) { if( is_site_admin( $user->user_login ) == false && ( $primary_blog = get_usermeta( $user->user_id, "primary_blog" ) ) ) { |