[wp-trac] [WordPress Trac] #36033: 'kses_allowed_protocols' filter is not really filterable.
WordPress Trac
noreply at wordpress.org
Wed Feb 1 19:14:34 UTC 2017
#36033: 'kses_allowed_protocols' filter is not really filterable.
--------------------------+-----------------------------
Reporter: turtlepod | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Future Release
Component: Security | Version: 4.4.2
Severity: normal | Resolution:
Keywords: has-patch | Focuses:
--------------------------+-----------------------------
Comment (by jpolakovic):
When Jetpack is network activated, it will call
`Jetpack::normalize_url_protocol_agnostic()`, which invokes `esc_url_raw` on
every page load before the `muplugins_loaded` action, making the
`kses_allowed_protocols` filter unreachable for the majority of plugins.
Replying to [comment:1 SergeyBiryukov]:
> We can't remove the static variable entirely, but we could probably use
> the approach from [31104]. If `esc_url()` was called before
> `plugins_loaded`, it will not prevent plugins from filtering the value on
> `plugins_loaded` or `init`. See [attachment:36033.patch].
I like your quick fix. What needs to happen in order to get this merged?
A more robust solution would deprecate the `kses_allowed_protocols` filter
and implement explicit static "cache" invalidation, something along these
lines:
{{{#!php
class WP_Allowed_Protocols {
	// Default allowlist; changed through explicit calls instead of a filter,
	// so there is no static cache that can go stale.
	private static $protocols = [ 'http', 'https', 'ftp', 'ftps',
		'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms',
		'rtsp', 'svn', 'tel', 'fax', 'xmpp', 'webcal', 'urn' ];

	public static function get() {
		return self::$protocols;
	}

	public static function add( $protocols ) {
		$protocols = (array) $protocols;
		// Keep only syntactically valid scheme names.
		$protocols = array_filter( $protocols, function( $protocol ) {
			return preg_match( '~^[a-z][a-z0-9\+\.\-]*$~', $protocol );
		} );
		self::$protocols = array_unique( array_merge( self::$protocols, $protocols ) );
	}

	public static function remove( $protocols ) {
		$protocols = (array) $protocols;
		self::$protocols = array_diff( self::$protocols, $protocols );
	}
}

function wp_allowed_protocols() {
	return WP_Allowed_Protocols::get();
}
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/36033#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
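The following is an added example, not code from the ticket, its patch, or WordPress core. It models the two behaviours discussed above: a static cache filled by whoever calls first (the situation the ticket reports, where an early `esc_url_raw()` locks later plugins out of `kses_allowed_protocols`), and a cache that keeps applying the filter until a late action has fired (the approach the quoted reply attributes to [31104]). The `add_filter`, `apply_filters`, `do_action` and `did_action` functions are simplified stand-ins written for this demo so it runs without WordPress; `demo_protocols_first_call_wins`, `demo_protocols_filter_until_loaded`, `demo_bootstrap` and `DEMO_DEFAULT_PROTOCOLS` are names chosen here and are not WordPress APIs.

```php
<?php
// Added example, not code from the ticket or from WordPress core.
// Minimal stand-ins for the WordPress hook API so the file runs stand-alone.
$GLOBALS['demo_filters'] = array();
$GLOBALS['demo_actions'] = array();

function add_filter( $hook, callable $callback ) {
	$GLOBALS['demo_filters'][ $hook ][] = $callback;
}

function apply_filters( $hook, $value ) {
	foreach ( $GLOBALS['demo_filters'][ $hook ] ?? array() as $callback ) {
		$value = $callback( $value );
	}
	return $value;
}

function do_action( $hook ) {
	$GLOBALS['demo_actions'][ $hook ] = ( $GLOBALS['demo_actions'][ $hook ] ?? 0 ) + 1;
}

function did_action( $hook ) {
	return $GLOBALS['demo_actions'][ $hook ] ?? 0;
}

// Default allowlist, taken from the list in the comment's class.
const DEMO_DEFAULT_PROTOCOLS = array(
	'http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp',
	'feed', 'telnet', 'mms', 'rtsp', 'svn', 'tel', 'fax', 'xmpp', 'webcal', 'urn',
);

// Pattern the ticket complains about: the first caller freezes the filtered
// list in a static, so a filter registered afterwards never runs.
function demo_protocols_first_call_wins() {
	static $protocols = array();
	if ( empty( $protocols ) ) {
		$protocols = array_unique( (array) apply_filters( 'kses_allowed_protocols', DEMO_DEFAULT_PROTOCOLS ) );
	}
	return $protocols;
}

// Pattern from the quoted reply: re-apply the filter on every call until
// 'wp_loaded' has fired, then freeze. An early caller no longer locks plugins out.
function demo_protocols_filter_until_loaded() {
	static $protocols = array();
	if ( empty( $protocols ) ) {
		$protocols = DEMO_DEFAULT_PROTOCOLS;
	}
	if ( ! did_action( 'wp_loaded' ) ) {
		$protocols = array_unique( (array) apply_filters( 'kses_allowed_protocols', $protocols ) );
	}
	return $protocols;
}

// Simulated bootstrap: an early caller (the Jetpack-style esc_url_raw() before
// muplugins_loaded), a plugin that tightens the allowlist on plugins_loaded,
// the usual escaping calls during init, and finally wp_loaded.
function demo_bootstrap() {
	demo_protocols_first_call_wins();
	demo_protocols_filter_until_loaded();
	do_action( 'muplugins_loaded' );

	// The plugin drops two legacy schemes it never wants esc_url() to accept.
	add_filter( 'kses_allowed_protocols', function ( $protocols ) {
		return array_values( array_diff( $protocols, array( 'telnet', 'gopher' ) ) );
	} );
	do_action( 'plugins_loaded' );

	// Escaping during init: with the second pattern this call picks up the late filter.
	demo_protocols_first_call_wins();
	demo_protocols_filter_until_loaded();
	do_action( 'init' );
	do_action( 'wp_loaded' );

	// Whether 'telnet' is still accepted under each pattern after bootstrap.
	return array(
		'first_call_wins'     => in_array( 'telnet', demo_protocols_first_call_wins(), true ),
		'filter_until_loaded' => in_array( 'telnet', demo_protocols_filter_until_loaded(), true ),
	);
}

var_dump( demo_bootstrap() );
```

Running the file shows the point of the ticket: under the first pattern `telnet` is still in the list because the plugin's filter was never consulted, while under the second pattern it is gone. The security angle for a plugin author is that the allowlist is what `esc_url()` relies on to reject unwanted schemes, so a filter that silently does not apply leaves the site less restricted than the plugin believes. Note one edge of the second pattern as written here: it still depends on the function being called at least once between the filter's registration and `wp_loaded` (the `init`-time call in the demo); an explicit invalidation API like the class in the comment removes that dependency.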