array(),
'a' => array(
'href' => array(), 'title' => array(),
'rel' => array(), 'rev' => array(),
'name' => array()
),
'abbr' => array(
'title' => array(), 'class' => array()
),
'acronym' => array(
'title' => array()
),
'b' => array(),
'big' => array(),
'blockquote' => array(
'cite' => array(), 'xml:lang' => array(),
'lang' => array()
),
'br' => array(),
'button' => array(
'disabled' => array(), 'name' => array(),
'type' => array(), 'value' => array()
),
'caption' => array(
'align' => array()
),
'code' => array(),
'col' => array(
'align' => array(), 'char' => array(),
'charoff' => array(), 'span' => array(),
'valign' => array(), 'width' => array()
),
'del' => array(
'datetime' => array()
),
'dd' => array(),
'div' => array(
'align' => array(), 'xml:lang' => array(),
'lang' => array()
),
'dl' => array(),
'dt' => array(),
'em' => array(),
'fieldset' => array(),
'font' => array(
'color' => array(), 'face' => array(),
'size' => array()
),
'form' => array(
'action' => array(), 'accept' => array(),
'accept-charset' => array(), 'enctype' => array(),
'method' => array(), 'name' => array(),
'target' => array()
),
'h1' => array(
'align' => array()
),
'h2' => array(
'align' => array()
),
'h3' => array(
'align' => array()
),
'h4' => array(
'align' => array()
),
'h5' => array(
'align' => array()
),
'h6' => array(
'align' => array()
),
'hr' => array(
'align' => array(), 'noshade' => array(),
'size' => array(), 'width' => array()
),
'i' => array(),
'img' => array(
'alt' => array(), 'align' => array(),
'border' => array(), 'height' => array(),
'hspace' => array(), 'longdesc' => array(),
'vspace' => array(), 'src' => array(),
'width' => array()
),
'ins' => array(
'datetime' => array(), 'cite' => array()
),
'kbd' => array(),
'label' => array(
'for' => array()
),
'legend' => array(
'align' => array()
),
'li' => array(),
'p' => array(
'align' => array(), 'xml:lang' => array(),
'lang' => array()
),
'pre' => array(
'width' => array()
),
'q' => array(
'cite' => array()
),
's' => array(),
'strike' => array(),
'strong' => array(),
'sub' => array(),
'sup' => array(),
'table' => array(
'align' => array(), 'bgcolor' => array(),
'border' => array(), 'cellpadding' => array(),
'cellspacing' => array(), 'rules' => array(),
'summary' => array(), 'width' => array()
),
'tbody' => array(
'align' => array(), 'char' => array(),
'charoff' => array(), 'valign' => array()
),
'td' => array(
'abbr' => array(), 'align' => array(),
'axis' => array(), 'bgcolor' => array(),
'char' => array(), 'charoff' => array(),
'colspan' => array(), 'headers' => array(),
'height' => array(), 'nowrap' => array(),
'rowspan' => array(), 'scope' => array(),
'valign' => array(), 'width' => array()
),
'textarea' => array(
'cols' => array(), 'rows' => array(),
'disabled' => array(), 'name' => array(),
'readonly' => array()
),
'tfoot' => array(
'align' => array(), 'char' => array(),
'charoff' => array(), 'valign' => array()
),
'th' => array(
'abbr' => array(), 'align' => array(),
'axis' => array(), 'bgcolor' => array(),
'char' => array(), 'charoff' => array(),
'colspan' => array(), 'headers' => array(),
'height' => array(), 'nowrap' => array(),
'rowspan' => array(), 'scope' => array(),
'valign' => array(), 'width' => array()
),
'thead' => array(
'align' => array(), 'char' => array(),
'charoff' => array(), 'valign' => array()
),
'title' => array(),
'tr' => array(
'align' => array(), 'bgcolor' => array(),
'char' => array(), 'charoff' => array(),
'valign' => array()
),
'tt' => array(),
'u' => array(),
'ul' => array(),
'ol' => array(),
'var' => array()
);
$allowedtags = array(
'a' => array(
'href' => array(), 'title' => array()
),
'abbr' => array(
'title' => array()
),
'acronym' => array(
'title' => array()
),
'b' => array(),
'blockquote' => array(
'cite' => array()
),
// 'br' => array(),
'code' => array(),
// 'del' => array('datetime' => array()),
// 'dd' => array(),
// 'dl' => array(),
// 'dt' => array(),
'em' => array(),
'i' => array(),
// 'ins' => array('datetime' => array(), 'cite' => array()),
// 'li' => array(),
// 'ol' => array(),
// 'p' => array(),
// 'q' => array(),
'strike' => array(),
'strong' => array(),
// 'sub' => array(),
// 'sup' => array(),
// 'u' => array(),
// 'ul' => array(),
);
}
function wp_kses($string, $allowed_html, $allowed_protocols = array ('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet'))
###############################################################################
# This function makes sure that only the allowed HTML element names, attribute
# names and attribute values plus only sane HTML entities will occur in
# $string. You have to remove any slashes from PHP's magic quotes before you
# call this function.
###############################################################################
{
$string = wp_kses_no_null($string);
$string = wp_kses_js_entities($string);
$string = wp_kses_normalize_entities($string);
$string = wp_kses_hook($string);
$allowed_html_fixed = wp_kses_array_lc($allowed_html);
return wp_kses_split($string, $allowed_html_fixed, $allowed_protocols);
} # function wp_kses
function wp_kses_hook($string)
###############################################################################
# You add any kses hooks here.
###############################################################################
{
$string = apply_filters('pre_kses', $string);
return $string;
} # function wp_kses_hook
function wp_kses_version()
###############################################################################
# This function returns kses' version number.
###############################################################################
{
return '0.2.2';
} # function wp_kses_version
function wp_kses_split($string, $allowed_html, $allowed_protocols)
###############################################################################
# This function searches for HTML tags, no matter how malformed. It also
# matches stray ">" characters.
###############################################################################
{
return preg_replace('%((|$))|(<[^>]*(>|$)|>))%e',
"wp_kses_split2('\\1', \$allowed_html, ".'$allowed_protocols)', $string);
} # function wp_kses_split
function wp_kses_split2($string, $allowed_html, $allowed_protocols)
###############################################################################
# This function does a lot of work. It rejects some very malformed things
# like <:::>. It returns an empty string, if the element isn't allowed (look
# ma, no strip_tags()!). Otherwise it splits the tag into an element and an
# attribute list.
###############################################################################
{
$string = wp_kses_stripslashes($string);
if (substr($string, 0, 1) != '<')
return '>';
# It matched a ">" character
if (preg_match('%^)?$%', $string, $matches)) {
$string = str_replace(array(''), '', $matches[1]);
while ( $string != $newstring = wp_kses($string, $allowed_html, $allowed_protocols) )
$string = $newstring;
if ( $string == '' )
return '';
return "";
}
# Allow HTML comments
if (!preg_match('%^<\s*(/\s*)?([a-zA-Z0-9]+)([^>]*)>?$%', $string, $matches)) {
wp_kses_reject(__('Seriously malformed HTML removed'));
return '';
# It's seriously malformed
}
$slash = trim($matches[1]);
$elem = $matches[2];
$attrlist = $matches[3];
if (!@isset($allowed_html[strtolower($elem)])) {
wp_kses_reject(sprintf(__('Removed <%1$s%2$s>
tag'), $slash, $elem));
return '';
# They are using a not allowed HTML element
}
if ($slash != '')
return "<$slash$elem>";
# No attributes are allowed for closing elements
return wp_kses_attr("$slash$elem", $attrlist, $allowed_html, $allowed_protocols);
} # function wp_kses_split2
$kses_messages = array();
function wp_kses_reject($message) {
global $kses_messages;
return; // Disabled
if ( count($kses_messages) == 0 )
add_action('save_post', 'wp_kses_save_message');
$kses_messages[] = $message;
return '';
}
function wp_kses_save_message($id) {
global $kses_messages;
foreach ( $kses_messages as $text )
$message .= "$text\n";
$kses_messages[] = "";
update_option('kses_message', $message);
}
function wp_kses_show_message() {
$message = get_option('kses_message');
if ( empty($message) )
return;
echo "
%1$s
removed from <%2$s>
tag'), $arreach['name'], $element));
continue; # the attribute is not allowed
}
$current = $allowed_html[strtolower($element)][strtolower($arreach['name'])];
if ($current == '') {
wp_kses_reject(sprintf(__('Attribute %1$s
removed from <%2$s>
tag'), $arreach['name'], $element));
continue; # the attribute is not allowed
}
if (!is_array($current))
$attr2 .= ' '.$arreach['whole'];
# there are no checks
else {
# there are some checks
$ok = true;
foreach ($current as $currkey => $currval)
if (!wp_kses_check_attr_val($arreach['value'], $arreach['vless'], $currkey, $currval)) {
wp_kses_reject(sprintf(__('Attribute %1$s
removed from <%2$s>
tag due to illegal value'), $arreach['name'], $element));
$ok = false;
break;
}
if ($ok)
$attr2 .= ' '.$arreach['whole']; # it passed them
} # if !is_array($current)
} # foreach
# Remove any "<" or ">" characters
$attr2 = preg_replace('/[<>]/', '', $attr2);
return "<$element$attr2$xhtml_slash>";
} # function wp_kses_attr
function wp_kses_hair($attr, $allowed_protocols)
###############################################################################
# This function does a lot of work. It parses an attribute list into an array
# with attribute data, and tries to do the right thing even if it gets weird
# input. It will add quotes around attribute values that don't have any quotes
# or apostrophes around them, to make it easier to produce HTML code that will
# conform to W3C's HTML specification. It will also remove bad URL protocols
# from attribute values.
###############################################################################
{
$attrarr = array ();
$mode = 0;
$attrname = '';
# Loop through the whole attribute list
while (strlen($attr) != 0) {
$working = 0; # Was the last operation successful?
switch ($mode) {
case 0 : # attribute name, href for instance
if (preg_match('/^([-a-zA-Z]+)/', $attr, $match)) {
$attrname = $match[1];
$working = $mode = 1;
$attr = preg_replace('/^[-a-zA-Z]+/', '', $attr);
}
break;
case 1 : # equals sign or valueless ("selected")
if (preg_match('/^\s*=\s*/', $attr)) # equals sign
{
$working = 1;
$mode = 2;
$attr = preg_replace('/^\s*=\s*/', '', $attr);
break;
}
if (preg_match('/^\s+/', $attr)) # valueless
{
$working = 1;
$mode = 0;
$attrarr[] = array ('name' => $attrname, 'value' => '', 'whole' => $attrname, 'vless' => 'y');
$attr = preg_replace('/^\s+/', '', $attr);
}
break;
case 2 : # attribute value, a URL after href= for instance
if (preg_match('/^"([^"]*)"(\s+|$)/', $attr, $match))
# "value"
{
$thisval = wp_kses_bad_protocol($match[1], $allowed_protocols);
$attrarr[] = array ('name' => $attrname, 'value' => $thisval, 'whole' => "$attrname=\"$thisval\"", 'vless' => 'n');
$working = 1;
$mode = 0;
$attr = preg_replace('/^"[^"]*"(\s+|$)/', '', $attr);
break;
}
if (preg_match("/^'([^']*)'(\s+|$)/", $attr, $match))
# 'value'
{
$thisval = wp_kses_bad_protocol($match[1], $allowed_protocols);
$attrarr[] = array ('name' => $attrname, 'value' => $thisval, 'whole' => "$attrname='$thisval'", 'vless' => 'n');
$working = 1;
$mode = 0;
$attr = preg_replace("/^'[^']*'(\s+|$)/", '', $attr);
break;
}
if (preg_match("%^([^\s\"']+)(\s+|$)%", $attr, $match))
# value
{
$thisval = wp_kses_bad_protocol($match[1], $allowed_protocols);
$attrarr[] = array ('name' => $attrname, 'value' => $thisval, 'whole' => "$attrname=\"$thisval\"", 'vless' => 'n');
# We add quotes to conform to W3C's HTML spec.
$working = 1;
$mode = 0;
$attr = preg_replace("%^[^\s\"']+(\s+|$)%", '', $attr);
}
break;
} # switch
if ($working == 0) # not well formed, remove and try again
{
$attr = wp_kses_html_error($attr);
$mode = 0;
}
} # while
if ($mode == 1)
# special case, for when the attribute list ends with a valueless
# attribute like "selected"
$attrarr[] = array ('name' => $attrname, 'value' => '', 'whole' => $attrname, 'vless' => 'y');
return $attrarr;
} # function wp_kses_hair
function wp_kses_check_attr_val($value, $vless, $checkname, $checkvalue)
###############################################################################
# This function performs different checks for attribute values. The currently
# implemented checks are "maxlen", "minlen", "maxval", "minval" and "valueless"
# with even more checks to come soon.
###############################################################################
{
$ok = true;
switch (strtolower($checkname)) {
case 'maxlen' :
# The maxlen check makes sure that the attribute value has a length not
# greater than the given value. This can be used to avoid Buffer Overflows
# in WWW clients and various Internet servers.
if (strlen($value) > $checkvalue)
$ok = false;
break;
case 'minlen' :
# The minlen check makes sure that the attribute value has a length not
# smaller than the given value.
if (strlen($value) < $checkvalue)
$ok = false;
break;
case 'maxval' :
# The maxval check does two things: it checks that the attribute value is
# an integer from 0 and up, without an excessive amount of zeroes or
# whitespace (to avoid Buffer Overflows). It also checks that the attribute
# value is not greater than the given value.
# This check can be used to avoid Denial of Service attacks.
if (!preg_match('/^\s{0,6}[0-9]{1,6}\s{0,6}$/', $value))
$ok = false;
if ($value > $checkvalue)
$ok = false;
break;
case 'minval' :
# The minval check checks that the attribute value is a positive integer,
# and that it is not smaller than the given value.
if (!preg_match('/^\s{0,6}[0-9]{1,6}\s{0,6}$/', $value))
$ok = false;
if ($value < $checkvalue)
$ok = false;
break;
case 'valueless' :
# The valueless check checks if the attribute has a value
# (like ) or not (