[wp-trac] [WordPress Trac] #37698: wp_kses_split global variable pollution
WordPress Trac
noreply at wordpress.org
Wed Aug 17 20:20:16 UTC 2016
#37698: wp_kses_split global variable pollution
--------------------------+-----------------------------
Reporter: xknown | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
In r10339, `wp_kses_split` was modified so it no longer requires the
`preg_replace` with the `e` (eval) modifier. This implementation uses
globals to pass the values of `$allowed_html` and `$allowed_protocols` to
the `_wp_kses_split_callback` function.
While in most cases this isn't really a problem, we noticed that a call to
`wp_kses_split` (via a filter) from within `_wp_kses_split_callback` may
have undesirable effects on the next replacements.
The snippet below illustrates this problem; you can see it in action at
https://3v4l.org/YmYTZ
{{{
<?php
// Reduced model of core's wp_kses_split(): the arguments are handed to the
// preg_replace_callback() callback through two globals.
function wp_kses_split( $string, $allowed_html, $allowed_protocols ) {
    global $pass_allowed_html, $pass_allowed_protocols;
    $pass_allowed_html      = $allowed_html;
    $pass_allowed_protocols = $allowed_protocols;
    return preg_replace_callback( '%((<!--.*?(-->|$))|(<[^>]*(>|$)|>))%',
        '_wp_kses_split_callback', $string );
}

// The callback reads the globals back; it is invoked once per matched fragment.
function _wp_kses_split_callback( $match ) {
    global $pass_allowed_html, $pass_allowed_protocols;
    return wp_kses_split2( $match[1], $pass_allowed_html,
        $pass_allowed_protocols );
}

// Stand-in for wp_kses_split2(): a nested wp_kses_split() call (in core this
// could happen via a filter) overwrites the globals before they are read for
// the remaining fragments. It deliberately returns nothing; the point is the
// printed arguments, not the output string.
function wp_kses_split2( $string, $allowed_html, $allowed_protocols ) {
    wp_kses_split( '', array(), array() ); // this overrides the globals.
    print_r( array( $allowed_html, $allowed_protocols ) );
}

wp_kses_split( "<a style='color: red;'>I link this</a>", array( 'a' => array(
    'style' => array() ) ), array( 'http' ) );
}}}
One way to fix this would be to use an anonymous function, but I guess
that's only available on PHP >= 5.3. Another way is to encapsulate the
callback in a class and tie the arguments to an instance of this class.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/37698>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
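The following is an added example, not code from the ticket or from WordPress core, showing the second fix the reporter suggests: the callback becomes a method on an object that owns the two allowed lists, so a nested `wp_kses_split` call from inside the callback gets its own instance and cannot overwrite the outer call's arguments. All names ending in `_example` are assumptions for this illustration; the stand-in for `wp_kses_split2` records the arguments each invocation received and re-enters the splitter exactly as the reproduction above does, and the check at the end fails if the outer arguments were clobbered.

```php
<?php
// Added example (not WordPress core code): re-entrancy-safe version of the
// wp_kses_split()/_wp_kses_split_callback() pair. The allowed-tags and
// allowed-protocols arrays live on an object instance instead of in globals,
// so each call to wp_kses_split_example() carries its own state.
// Every name ending in _example is an assumption made for this illustration.

class KsesSplitter_example {
    private $allowed_html;
    private $allowed_protocols;

    public function __construct( $allowed_html, $allowed_protocols ) {
        $this->allowed_html      = $allowed_html;
        $this->allowed_protocols = $allowed_protocols;
    }

    // Same regex as the ticket's snippet; the callback is bound to $this,
    // which works on PHP 5.2 without closures.
    public function split( $string ) {
        return preg_replace_callback(
            '%((<!--.*?(-->|$))|(<[^>]*(>|$)|>))%',
            array( $this, 'callback' ),
            $string
        );
    }

    public function callback( $match ) {
        return wp_kses_split2_example( $match[1], $this->allowed_html,
            $this->allowed_protocols );
    }
}

function wp_kses_split_example( $string, $allowed_html, $allowed_protocols ) {
    $splitter = new KsesSplitter_example( $allowed_html, $allowed_protocols );
    return $splitter->split( $string );
}

// Stand-in for wp_kses_split2(): re-enters the splitter with empty lists (as
// the ticket's reproduction does) and records the arguments it was given.
$seen_example = array();
function wp_kses_split2_example( $string, $allowed_html, $allowed_protocols ) {
    global $seen_example;
    wp_kses_split_example( '', array(), array() ); // nested call, now harmless
    $seen_example[] = array( $string, $allowed_html, $allowed_protocols );
    return $string; // pass the fragment through unchanged for this demo
}

// Constructed input, identical to the ticket's reproduction.
$allowed_html      = array( 'a' => array( 'style' => array() ) );
$allowed_protocols = array( 'http' );
wp_kses_split_example( "<a style='color: red;'>I link this</a>",
    $allowed_html, $allowed_protocols );

// Every fragment must have been processed with the caller's own lists; with
// the global-based implementation from the ticket this check fails, because
// the nested call leaves both globals empty for the remaining fragments.
foreach ( $seen_example as $call ) {
    if ( $call[1] !== $allowed_html || $call[2] !== $allowed_protocols ) {
        echo "FAIL: nested call clobbered the outer arguments for {$call[0]}\n";
        exit( 1 );
    }
}
echo 'OK: ' . count( $seen_example ) . " fragments handled with the caller's own allowed lists\n";
```

On PHP >= 5.3 the same effect is obtained with a closure passed to `preg_replace_callback` that captures `$allowed_html` and `$allowed_protocols` via `use (...)`; the object form above is the variant that also runs on older PHP, which matters for the reporter's first concern.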