diff -r 34716fd837a4 -r be944660c56a wp/wp-includes/kses.php
--- a/wp/wp-includes/kses.php Tue Dec 15 15:52:01 2020 +0100
+++ b/wp/wp-includes/kses.php Wed Sep 21 18:19:35 2022 +0200
@@ -39,7 +39,7 @@
 * @see wp_kses_allowed_html()
 * @since 1.2.0
 *
- * @var array[]|bool Array of default allowable HTML tags, or false to use the defaults.
+ * @var array[]|false Array of default allowable HTML tags, or false to use the defaults.
 */
 if ( ! defined( 'CUSTOM_TAGS' ) ) {
 define( 'CUSTOM_TAGS', false );
@@ -252,6 +252,12 @@
 'align' => true,
 'value' => true,
 ),
+ 'main' => array(
+ 'align' => true,
+ 'dir' => true,
+ 'lang' => true,
+ 'xml:lang' => true,
+ ),
 'map' => array(
 'name' => true,
 ),
@@ -1411,7 +1417,7 @@
 * @since 4.2.3
 *
 * @param string $element HTML element.
- * @return array|bool List of attributes found in the element. Returns false on failure.
+ * @return array|false List of attributes found in the element. Returns false on failure.
 */
 function wp_kses_attr_parse( $element ) {
 $valid = preg_match( '%^(<\s*)(/\s*)?([a-zA-Z0-9]+\s*)([^>]*)(>?)$%', $element, $matches );
@@ -1462,7 +1468,7 @@
 * @since 4.2.3
 *
 * @param string $attr Attribute list from HTML element to closing HTML element tag.
- * @return array|bool List of attributes found in $attr. Returns false on failure.
+ * @return array|false List of attributes found in $attr. Returns false on failure.
 */
 function wp_kses_hair_parse( $attr ) {
 if ( '' === $attr ) {
@@ -1777,7 +1783,7 @@
 * Converts and fixes HTML entities.
 *
 * This function normalizes HTML entities. It will convert `AT&T` to the correct
- * `AT&T`, `:` to `:`, `&#XYZZY;` to `&#XYZZY;` and so on.
+ * `AT&T`, `:` to `:`, `&#XYZZY;` to `&#XYZZY;` and so on.
 *
 * When `$context` is set to 'xml', HTML entities are converted to their code points. For
 * example, `AT&T…&#XYZZY;` is converted to `AT&T…&#XYZZY;`.
@@ -2171,6 +2177,8 @@
 * @since 5.3.0 Added support for `grid`, `flex` and `column` layout properties.
 * Extend `background-*` support of individual properties.
 * @since 5.3.1 Added support for gradient backgrounds.
+ * @since 5.7.1 Added support for `object-position`.
+ * @since 5.8.0 Added support for `calc()` and `var()` values.
 *
 * @param string[] $attr Array of allowed CSS attributes.
 */
@@ -2284,6 +2292,7 @@
 'direction',
 'float',
 'list-style-type',
+ 'object-position',
 'overflow',
 'vertical-align',
 )
@@ -2379,7 +2388,13 @@
 }
 if ( $found ) {
- // Check for any CSS containing \ ( & } = or comments, except for url() usage checked above.
+ // Allow CSS calc().
+ $css_test_string = preg_replace( '/calc\(((?:\([^()]*\)?|[^()])*)\)/', '', $css_test_string );
+ // Allow CSS var().
+ $css_test_string = preg_replace( '/\(?var\(--[a-zA-Z0-9_-]*\)/', '', $css_test_string );
+
+ // Check for any CSS containing \ ( & } = or comments,
+ // except for url(), calc(), or var() usage checked above.
 $allow_css = ! preg_match( '%[\\\(&=}]|/\*%', $css_test_string );
 /**
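Review bot: Everything inside a `calc( … )` match is deleted from `$css_test_string` before the deny check runs, and the inner class `[^()]` accepts `\`, `&`, `=`, `}` and `/*`, so in the last hunk those characters are now only rejected when they sit outside calc(). Keeping a copy before the two replacements and testing it for the non-parenthesis characters would preserve the earlier guarantee, e.g. `$css_unstripped = $css_test_string;` ahead of the calc() line and `&& ! preg_match( '%[\\\\&=}]|/\*%', $css_unstripped )` appended to the `$allow_css` expression. Both patterns also tolerate unbalanced parentheses (the `\)?` in the nested group, the optional leading `\(?` before `var`), and `preg_replace()` returns null on a PCRE error, which is assigned back unchecked and would leave the following `preg_match()` with an empty subject and `$allow_css` true; a `null === $css_test_string` check that sets `$allow_css` to false would make that path fail closed. The enclosing function starts and ends outside the hunk, so how url() values are removed earlier is not visible here.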