array (),
'a' => array (
'class' => array (),
'href' => array (),
'title' => array (),
'rel' => array (),
'rev' => array (),
'name' => array (),
'target' => array()),
'abbr' => array (
'title' => array ()),
'acronym' => array (
'title' => array ()),
'b' => array (),
'big' => array (),
'blockquote' => array (
'cite' => array ()),
'br' => array (),
'button' => array (
'disabled' => array (),
'name' => array (),
'type' => array (),
'value' => array ()),
'caption' => array (
'align' => array ()),
'cite' => array (
'dir' => array(),
'lang' => array(),
'title' => array ()),
'code' => array (),
'col' => array (
'align' => array (),
'char' => array (),
'charoff' => array (),
'span' => array (),
'dir' => array(),
'valign' => array (),
'width' => array ()),
'del' => array (
'datetime' => array ()),
'dd' => array (),
'div' => array (
'align' => array (),
'class' => array (),
'dir' => array ()),
'dl' => array (),
'dt' => array (),
'em' => array (),
'fieldset' => array (),
'font' => array (
'color' => array (),
'face' => array (),
'size' => array ()),
'form' => array (
'action' => array (),
'accept' => array (),
'accept-charset' => array (),
'enctype' => array (),
'method' => array (),
'name' => array (),
'target' => array ()),
'h1' => array (
'align' => array ()),
'h2' => array (
'align' => array ()),
'h3' => array (
'align' => array ()),
'h4' => array (
'align' => array ()),
'h5' => array (
'align' => array ()),
'h6' => array (
'align' => array ()),
'hr' => array (
'align' => array (),
'noshade' => array (),
'size' => array (),
'width' => array ()),
'i' => array (),
'iframe' => array ( // This is filtered to whitelisted domains later according to Andy
'longdesc' => array(),
'name' => array(),
'src' => array(),
'frameborder' => array(),
'marginwidth' => array(),
'marginheight' => array(),
'scroll' => array(),
'scrolling' => array(),
'align' => array(),
'height' => array(),
'width' => array ()),
'img' => array (
'alt' => array (),
'align' => array (),
'border' => array (),
'height' => array (),
'hspace' => array (),
'longdesc' => array (),
'vspace' => array (),
'src' => array (),
'width' => array ()),
'ins' => array (
'datetime' => array (),
'cite' => array ()),
'kbd' => array (),
'label' => array (
'for' => array ()),
'legend' => array (
'align' => array ()),
'li' => array (
'align' => array (),
'class' => array ()),
'p' => array (
'class' => array (),
'align' => array (),
'dir' => array()),
'pre' => array (
'width' => array ()),
'q' => array (
'cite' => array ()),
's' => array (),
'strike' => array (),
'strong' => array (),
'sub' => array (),
'sup' => array (),
'table' => array (
'align' => array (),
'bgcolor' => array (),
'border' => array (),
'cellpadding' => array (),
'cellspacing' => array (),
'dir' => array(),
'rules' => array (),
'summary' => array (),
'width' => array ()),
'tbody' => array (
'align' => array (),
'char' => array (),
'charoff' => array (),
'valign' => array ()),
'td' => array (
'abbr' => array (),
'align' => array (),
'axis' => array (),
'bgcolor' => array (),
'char' => array (),
'charoff' => array (),
'colspan' => array (),
'dir' => array(),
'headers' => array (),
'height' => array (),
'nowrap' => array (),
'rowspan' => array (),
'scope' => array (),
'valign' => array (),
'width' => array ()),
'textarea' => array (
'cols' => array (),
'rows' => array (),
'disabled' => array (),
'name' => array (),
'readonly' => array ()),
'tfoot' => array (
'align' => array (),
'char' => array (),
'charoff' => array (),
'valign' => array ()),
'th' => array (
'abbr' => array (),
'align' => array (),
'axis' => array (),
'bgcolor' => array (),
'char' => array (),
'charoff' => array (),
'colspan' => array (),
'headers' => array (),
'height' => array (),
'nowrap' => array (),
'rowspan' => array (),
'scope' => array (),
'valign' => array (),
'width' => array ()),
'thead' => array (
'align' => array (),
'char' => array (),
'charoff' => array (),
'valign' => array ()),
'title' => array (),
'tr' => array (
'align' => array (),
'bgcolor' => array (),
'char' => array (),
'charoff' => array (),
'valign' => array ()),
'tt' => array (),
'u' => array (),
'ul' => array (),
'ol' => array (),
'var' => array ());
$allowedtags = array (
'a' => array (
'href' => array (),
'title' => array ()),
'abbr' => array (
'title' => array ()),
'acronym' => array (
'title' => array ()),
'b' => array (),
'blockquote' => array (
'cite' => array ()),
// 'br' => array(),
'cite' => array (),
'code' => array (),
'del' => array(
'datetime' => array ()),
// 'dd' => array(),
// 'dl' => array(),
// 'dt' => array(),
'em' => array (), 'i' => array (),
// 'ins' => array('datetime' => array(), 'cite' => array()),
// 'li' => array(),
// 'ol' => array(),
// 'p' => array(),
'q' => array(
'cite' => array ()),
'strike' => array (),
'strong' => array (),
// 'sub' => array(),
// 'sup' => array(),
// 'u' => array(),
// 'ul' => array(),
);
}
function wp_kses($string, $allowed_html, $allowed_protocols = array ('http', 'https', 'ftp', 'news', 'nntp', 'telnet', 'feed', 'gopher', 'mailto'))
###############################################################################
# This function makes sure that only the allowed HTML element names, attribute
# names and attribute values plus only sane HTML entities will occur in
# $string. You have to remove any slashes from PHP's magic quotes before you
# call this function.
###############################################################################
{
$string = wp_kses_no_null($string);
$string = wp_kses_js_entities($string);
$string = wp_kses_normalize_entities($string);
$string = wp_kses_hook($string);
$allowed_html_fixed = wp_kses_array_lc($allowed_html);
return wp_kses_split($string, $allowed_html_fixed, $allowed_protocols);
} # function wp_kses
function wp_kses_hook($string)
###############################################################################
# You add any kses hooks here.
###############################################################################
{
$string = apply_filters('pre_kses', $string);
return $string;
} # function wp_kses_hook
function wp_kses_version()
###############################################################################
# This function returns kses' version number.
###############################################################################
{
return '0.2.2';
} # function wp_kses_version
function wp_kses_split($string, $allowed_html, $allowed_protocols)
###############################################################################
# This function searches for HTML tags, no matter how malformed. It also
# matches stray ">" characters.
###############################################################################
{
return preg_replace('%((|$))|(<[^>]*(>|$)|>))%e',
"wp_kses_split2('\\1', \$allowed_html, ".'$allowed_protocols)', $string);
} # function wp_kses_split
function wp_kses_split2($string, $allowed_html, $allowed_protocols)
###############################################################################
# This function does a lot of work. It rejects some very malformed things
# like <:::>. It returns an empty string, if the element isn't allowed (look
# ma, no strip_tags()!). Otherwise it splits the tag into an element and an
# attribute list.
###############################################################################
{
$string = wp_kses_stripslashes($string);
if (substr($string, 0, 1) != '<')
return '>';
# It matched a ">" character
if (preg_match('%^)?$%', $string, $matches)) {
$string = str_replace(array(''), '', $matches[1]);
while ( $string != $newstring = wp_kses($string, $allowed_html, $allowed_protocols) )
$string = $newstring;
if ( $string == '' )
return '';
return "";
}
# Allow HTML comments
if (!preg_match('%^<\s*(/\s*)?([a-zA-Z0-9]+)([^>]*)>?$%', $string, $matches)) {
wp_kses_reject(__('Seriously malformed HTML removed'));
return '';
# It's seriously malformed
}
$slash = trim($matches[1]);
$elem = $matches[2];
$attrlist = $matches[3];
if (!@isset($allowed_html[strtolower($elem)])) {
wp_kses_reject(sprintf(__('Removed <%1$s%2$s>
tag'), $slash, $elem));
return '';
# They are using a not allowed HTML element
}
if ($slash != '')
return "<$slash$elem>";
# No attributes are allowed for closing elements
return wp_kses_attr("$slash$elem", $attrlist, $allowed_html, $allowed_protocols);
} # function wp_kses_split2
$kses_messages = array();
function wp_kses_reject($message) {
global $kses_messages;
return; // Disabled
if ( count($kses_messages) == 0 )
add_action('save_post', 'wp_kses_save_message');
$kses_messages[] = $message;
return '';
}
function wp_kses_save_message($id) {
global $kses_messages;
foreach ( $kses_messages as $text )
$message .= "$text\n";
$kses_messages[] = "";
update_option('kses_message', $message);
}
function wp_kses_show_message() {
$message = get_option('kses_message');
if ( empty($message) )
return;
echo "
%1$s
removed from <%2$s>
tag'), $arreach['name'], $element));
continue; # the attribute is not allowed
}
$current = $allowed_html[strtolower($element)][strtolower($arreach['name'])];
if ($current == '') {
wp_kses_reject(sprintf(__('Attribute %1$s
removed from <%2$s>
tag'), $arreach['name'], $element));
continue; # the attribute is not allowed
}
if (!is_array($current))
$attr2 .= ' '.$arreach['whole'];
# there are no checks
else {
# there are some checks
$ok = true;
foreach ($current as $currkey => $currval)
if (!wp_kses_check_attr_val($arreach['value'], $arreach['vless'], $currkey, $currval)) {
wp_kses_reject(sprintf(__('Attribute %1$s
removed from <%2$s>
tag due to illegal value'), $arreach['name'], $element));
$ok = false;
break;
}
if ($ok)
$attr2 .= ' '.$arreach['whole']; # it passed them
} # if !is_array($current)
} # foreach
# Remove any "<" or ">" characters
$attr2 = preg_replace('/[<>]/', '', $attr2);
return "<$element$attr2$xhtml_slash>";
} # function wp_kses_attr
function wp_kses_hair($attr, $allowed_protocols)
###############################################################################
# This function does a lot of work. It parses an attribute list into an array
# with attribute data, and tries to do the right thing even if it gets weird
# input. It will add quotes around attribute values that don't have any quotes
# or apostrophes around them, to make it easier to produce HTML code that will
# conform to W3C's HTML specification. It will also remove bad URL protocols
# from attribute values.
###############################################################################
{
$attrarr = array ();
$mode = 0;
$attrname = '';
# Loop through the whole attribute list
while (strlen($attr) != 0) {
$working = 0; # Was the last operation successful?
switch ($mode) {
case 0 : # attribute name, href for instance
if (preg_match('/^([-a-zA-Z]+)/', $attr, $match)) {
$attrname = $match[1];
$working = $mode = 1;
$attr = preg_replace('/^[-a-zA-Z]+/', '', $attr);
}
break;
case 1 : # equals sign or valueless ("selected")
if (preg_match('/^\s*=\s*/', $attr)) # equals sign
{
$working = 1;
$mode = 2;
$attr = preg_replace('/^\s*=\s*/', '', $attr);
break;
}
if (preg_match('/^\s+/', $attr)) # valueless
{
$working = 1;
$mode = 0;
$attrarr[] = array ('name' => $attrname, 'value' => '', 'whole' => $attrname, 'vless' => 'y');
$attr = preg_replace('/^\s+/', '', $attr);
}
break;
case 2 : # attribute value, a URL after href= for instance
if (preg_match('/^"([^"]*)"(\s+|$)/', $attr, $match))
# "value"
{
$thisval = wp_kses_bad_protocol($match[1], $allowed_protocols);
$attrarr[] = array ('name' => $attrname, 'value' => $thisval, 'whole' => "$attrname=\"$thisval\"", 'vless' => 'n');
$working = 1;
$mode = 0;
$attr = preg_replace('/^"[^"]*"(\s+|$)/', '', $attr);
break;
}
if (preg_match("/^'([^']*)'(\s+|$)/", $attr, $match))
# 'value'
{
$thisval = wp_kses_bad_protocol($match[1], $allowed_protocols);
$attrarr[] = array ('name' => $attrname, 'value' => $thisval, 'whole' => "$attrname='$thisval'", 'vless' => 'n');
$working = 1;
$mode = 0;
$attr = preg_replace("/^'[^']*'(\s+|$)/", '', $attr);
break;
}
if (preg_match("%^([^\s\"']+)(\s+|$)%", $attr, $match))
# value
{
$thisval = wp_kses_bad_protocol($match[1], $allowed_protocols);
$attrarr[] = array ('name' => $attrname, 'value' => $thisval, 'whole' => "$attrname=\"$thisval\"", 'vless' => 'n');
# We add quotes to conform to W3C's HTML spec.
$working = 1;
$mode = 0;
$attr = preg_replace("%^[^\s\"']+(\s+|$)%", '', $attr);
}
break;
} # switch
if ($working == 0) # not well formed, remove and try again
{
$attr = wp_kses_html_error($attr);
$mode = 0;
}
} # while
if ($mode == 1)
# special case, for when the attribute list ends with a valueless
# attribute like "selected"
$attrarr[] = array ('name' => $attrname, 'value' => '', 'whole' => $attrname, 'vless' => 'y');
return $attrarr;
} # function wp_kses_hair
function wp_kses_check_attr_val($value, $vless, $checkname, $checkvalue)
###############################################################################
# This function performs different checks for attribute values. The currently
# implemented checks are "maxlen", "minlen", "maxval", "minval" and "valueless"
# with even more checks to come soon.
###############################################################################
{
$ok = true;
switch (strtolower($checkname)) {
case 'maxlen' :
# The maxlen check makes sure that the attribute value has a length not
# greater than the given value. This can be used to avoid Buffer Overflows
# in WWW clients and various Internet servers.
if (strlen($value) > $checkvalue)
$ok = false;
break;
case 'minlen' :
# The minlen check makes sure that the attribute value has a length not
# smaller than the given value.
if (strlen($value) < $checkvalue)
$ok = false;
break;
case 'maxval' :
# The maxval check does two things: it checks that the attribute value is
# an integer from 0 and up, without an excessive amount of zeroes or
# whitespace (to avoid Buffer Overflows). It also checks that the attribute
# value is not greater than the given value.
# This check can be used to avoid Denial of Service attacks.
if (!preg_match('/^\s{0,6}[0-9]{1,6}\s{0,6}$/', $value))
$ok = false;
if ($value > $checkvalue)
$ok = false;
break;
case 'minval' :
# The minval check checks that the attribute value is a positive integer,
# and that it is not smaller than the given value.
if (!preg_match('/^\s{0,6}[0-9]{1,6}\s{0,6}$/', $value))
$ok = false;
if ($value < $checkvalue)
$ok = false;
break;
case 'valueless' :
# The valueless check checks if the attribute has a value
# (like ) or not (