enmi-conf.org: comparison wp/wp-includes/kses.php

equal deleted inserted replaced

-:34716fd837a4
+:be944660c56a
 * {@see 'wp_kses_allowed_html'} filter is more powerful and supplies context.
 *
 * @see wp_kses_allowed_html()
 * @since 1.2.0
 *
-* @var array[]|bool Array of default allowable HTML tags, or false to use the defaults.
+* @var array[]|false Array of default allowable HTML tags, or false to use the defaults.
 */
 if ( ! defined( 'CUSTOM_TAGS' ) ) {
 	define( 'CUSTOM_TAGS', false );
 }
 			'align' => true,
 		),
 		'li'         => array(
 			'align' => true,
 			'value' => true,
+		),
+		'main'       => array(
+			'align'    => true,
+			'dir'      => true,
+			'lang'     => true,
+			'xml:lang' => true,
 		),
 		'map'        => array(
 			'name' => true,
 		),
 		'mark'       => array(),
 * Based on `wp_kses_split2()` and `wp_kses_attr()`.
 *
 * @since 4.2.3
 *
 * @param string $element HTML element.
-* @return array|bool List of attributes found in the element. Returns false on failure.
+* @return array|false List of attributes found in the element. Returns false on failure.
 */
 function wp_kses_attr_parse( $element ) {
 	$valid = preg_match( '%^(<\s*)(/\s*)?([a-zA-Z0-9]+\s*)([^>]*)(>?)$%', $element, $matches );
 	if ( 1 !== $valid ) {
 		return false;
 * Based on `wp_kses_hair()` but does not return a multi-dimensional array.
 *
 * @since 4.2.3
 *
 * @param string $attr Attribute list from HTML element to closing HTML element tag.
-* @return array|bool List of attributes found in $attr. Returns false on failure.
+* @return array|false List of attributes found in $attr. Returns false on failure.
 */
 function wp_kses_hair_parse( $attr ) {
 	if ( '' === $attr ) {
 		return array();
 	}
 /**
 * Converts and fixes HTML entities.
 *
 * This function normalizes HTML entities. It will convert `AT&T` to the correct
-* `AT&amp;T`, `&#00058;` to `&#58;`, `&#XYZZY;` to `&amp;#XYZZY;` and so on.
+* `AT&amp;T`, `&#00058;` to `&#058;`, `&#XYZZY;` to `&amp;#XYZZY;` and so on.
 *
 * When `$context` is set to 'xml', HTML entities are converted to their code points.  For
 * example, `AT&T&hellip;&#XYZZY;` is converted to `AT&amp;T…&amp;#XYZZY;`.
 *
 * @since 1.0.0
 	 * @since 5.1.0 Added support for `text-transform`.
 	 * @since 5.2.0 Added support for `background-position` and `grid-template-columns`.
 	 * @since 5.3.0 Added support for `grid`, `flex` and `column` layout properties.
 	 *              Extend `background-*` support of individual properties.
 	 * @since 5.3.1 Added support for gradient backgrounds.
+	 * @since 5.7.1 Added support for `object-position`.
+	 * @since 5.8.0 Added support for `calc()` and `var()` values.
 	 *
 	 * @param string[] $attr Array of allowed CSS attributes.
 	 */
 	$allowed_attr = apply_filters(
 		'safe_style_css',
 			'clear',
 			'cursor',
 			'direction',
 			'float',
 			'list-style-type',
+			'object-position',
 			'overflow',
 			'vertical-align',
 		)
 	);
 				$css_test_string = str_replace( $css_value, '', $css_test_string );
 			}
 		}
 		if ( $found ) {
-			// Check for any CSS containing \ ( & } = or comments, except for url() usage checked above.
+			// Allow CSS calc().
+			$css_test_string = preg_replace( '/calc\(((?:\([^()]*\)?|[^()])*)\)/', '', $css_test_string );
+			// Allow CSS var().
+			$css_test_string = preg_replace( '/\(?var\(--[a-zA-Z0-9_-]*\)/', '', $css_test_string );
+			// Check for any CSS containing \ ( & } = or comments,
+			// except for url(), calc(), or var() usage checked above.
 			$allow_css = ! preg_match( '%[\\\(&=}]|/\*%', $css_test_string );
 			/**
 			 * Filters the check for unsafe CSS in `safecss_filter_attr`.
 			 *

changeset 18	be944660c56a
parent 16	a86126ab1dd4
child 19	3d72ae0968f4