--- a/wp/wp-includes/kses.php Tue Dec 15 15:52:01 2020 +0100
+++ b/wp/wp-includes/kses.php Wed Sep 21 18:19:35 2022 +0200
@@ -39,7 +39,7 @@
* @see wp_kses_allowed_html()
* @since 1.2.0
*
- * @var array[]|bool Array of default allowable HTML tags, or false to use the defaults.
+ * @var array[]|false Array of default allowable HTML tags, or false to use the defaults.
*/
if ( ! defined( 'CUSTOM_TAGS' ) ) {
define( 'CUSTOM_TAGS', false );
@@ -252,6 +252,12 @@
'align' => true,
'value' => true,
),
+ 'main' => array(
+ 'align' => true,
+ 'dir' => true,
+ 'lang' => true,
+ 'xml:lang' => true,
+ ),
'map' => array(
'name' => true,
),
@@ -1411,7 +1417,7 @@
* @since 4.2.3
*
* @param string $element HTML element.
- * @return array|bool List of attributes found in the element. Returns false on failure.
+ * @return array|false List of attributes found in the element. Returns false on failure.
*/
function wp_kses_attr_parse( $element ) {
$valid = preg_match( '%^(<\s*)(/\s*)?([a-zA-Z0-9]+\s*)([^>]*)(>?)$%', $element, $matches );
@@ -1462,7 +1468,7 @@
* @since 4.2.3
*
* @param string $attr Attribute list from HTML element to closing HTML element tag.
- * @return array|bool List of attributes found in $attr. Returns false on failure.
+ * @return array|false List of attributes found in $attr. Returns false on failure.
*/
function wp_kses_hair_parse( $attr ) {
if ( '' === $attr ) {
@@ -1777,7 +1783,7 @@
* Converts and fixes HTML entities.
*
* This function normalizes HTML entities. It will convert `AT&T` to the correct
- * `AT&T`, `:` to `:`, `&#XYZZY;` to `&#XYZZY;` and so on.
+ * `AT&T`, `:` to `:`, `&#XYZZY;` to `&#XYZZY;` and so on.
*
* When `$context` is set to 'xml', HTML entities are converted to their code points. For
* example, `AT&T…&#XYZZY;` is converted to `AT&T…&#XYZZY;`.
@@ -2171,6 +2177,8 @@
* @since 5.3.0 Added support for `grid`, `flex` and `column` layout properties.
* Extend `background-*` support of individual properties.
* @since 5.3.1 Added support for gradient backgrounds.
+ * @since 5.7.1 Added support for `object-position`.
+ * @since 5.8.0 Added support for `calc()` and `var()` values.
*
* @param string[] $attr Array of allowed CSS attributes.
*/
@@ -2284,6 +2292,7 @@
'direction',
'float',
'list-style-type',
+ 'object-position',
'overflow',
'vertical-align',
)
@@ -2379,7 +2388,13 @@
}
if ( $found ) {
- // Check for any CSS containing \ ( & } = or comments, except for url() usage checked above.
+ // Allow CSS calc().
+ $css_test_string = preg_replace( '/calc\(((?:\([^()]*\)?|[^()])*)\)/', '', $css_test_string );
+ // Allow CSS var().
+ $css_test_string = preg_replace( '/\(?var\(--[a-zA-Z0-9_-]*\)/', '', $css_test_string );
+
+ // Check for any CSS containing \ ( & } = or comments,
+ // except for url(), calc(), or var() usage checked above.
$allow_css = ! preg_match( '%[\\\(&=}]|/\*%', $css_test_string );
/**
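Review bot: The two added `preg_replace()` calls strip `calc(...)` and `var(...)` from `$css_test_string` before the `$allow_css` check, so anything between the calc() parentheses is never tested, including `\`, `&`, `=`, `}` and `/*`, all of which `[^()]` matches. Since only the test string is modified here, that content presumably stays in the value that is kept. The inner group's `\)?` also accepts an unclosed parenthesis, so the body need not be balanced; matching it against an explicit allowlist (for example digits, unit letters, whitespace and arithmetic operators) instead of `[^()]` would keep the denylist meaningful. Separately, `preg_replace()` returns null on a PCRE error, in which case the following `preg_match()` sees an empty subject and the check passes; `$allow_css = is_string( $css_test_string ) && ! preg_match( '%[\\\(&=}]|/\*%', $css_test_string );` would fail closed. The enclosing function starts and ends outside this hunk.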