[ Index ]

PHP Cross Reference of BackPress

title

Body

[close]

/includes/ -> functions.kses.php (summary)

kses 0.2.2 - HTML/XHTML filter that only allows some elements and attributes Copyright (C) 2002, 2003, 2005  Ulf Harnhammar This program is free software and open source software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

Author: Ulf Harnhammar <http://advogato.org/person/metaur/>
Copyright: (C) 2002, 2003, 2005
Version: 0.2.2
File Size: 1354 lines (39 kb)
Included or required:0 times
Referenced: 0 times
Includes or requires: 0 files

Defines 31 functions

  wp_kses()
  wp_kses_hook()
  wp_kses_version()
  wp_kses_split()
  _wp_kses_split_callback()
  wp_kses_split2()
  wp_kses_attr()
  wp_kses_hair()
  wp_kses_check_attr_val()
  wp_kses_bad_protocol()
  wp_kses_no_null()
  wp_kses_stripslashes()
  wp_kses_array_lc()
  wp_kses_js_entities()
  wp_kses_html_error()
  wp_kses_bad_protocol_once()
  wp_kses_bad_protocol_once2()
  wp_kses_normalize_entities()
  wp_kses_named_entities()
  wp_kses_normalize_entities2()
  wp_kses_normalize_entities3()
  valid_unicode()
  wp_kses_decode_entities()
  _wp_kses_decode_entities_chr()
  _wp_kses_decode_entities_chr_hexdec()
  wp_filter_kses()
  wp_kses_data()
  wp_filter_post_kses()
  wp_kses_post()
  wp_filter_nohtml_kses()
  safecss_filter_attr()

Functions
Functions that are not part of a class:

wp_kses($string, $allowed_html, $allowed_protocols = array ()   X-Ref
Filters content and keeps only allowable HTML elements.

This function makes sure that only the allowed HTML element names, attribute
names and attribute values plus only sane HTML entities will occur in
$string. You have to remove any slashes from PHP's magic quotes before you
call this function.

The default allowed protocols are 'http', 'https', 'ftp', 'mailto', 'news',
'irc', 'gopher', 'nntp', 'feed', 'telnet, 'mms', 'rtsp' and 'svn'. This
covers all common link protocols, except for 'javascript' which should not
be allowed for untrusted users.

return: string Filtered content with only allowed HTML elements
param: string $string Content to filter through kses
param: array $allowed_html List of allowed HTML elements
param: array $allowed_protocols Optional. Allowed protocol in links.
since: 1.0.0

wp_kses_hook($string, $allowed_html, $allowed_protocols)   X-Ref
You add any kses hooks here.

There is currently only one kses WordPress hook and it is called here. All
parameters are passed to the hooks and expected to recieve a string.

return: string Filtered content through 'pre_kses' hook
param: string $string Content to filter through kses
param: array $allowed_html List of allowed HTML elements
param: array $allowed_protocols Allowed protocol in links
since: 1.0.0

wp_kses_version()   X-Ref
This function returns kses' version number.

return: string KSES Version Number
since: 1.0.0

wp_kses_split($string, $allowed_html, $allowed_protocols)   X-Ref
Searches for HTML tags, no matter how malformed.

It also matches stray ">" characters.

return: string Content with fixed HTML tags
param: string $string Content to filter
param: array $allowed_html Allowed HTML elements
param: array $allowed_protocols Allowed protocols to keep
since: 1.0.0

_wp_kses_split_callback( $match )   X-Ref
Callback for wp_kses_split.

since: 3.1.0

wp_kses_split2($string, $allowed_html, $allowed_protocols)   X-Ref
Callback for wp_kses_split for fixing malformed HTML tags.

This function does a lot of work. It rejects some very malformed things like
<:::>. It returns an empty string, if the element isn't allowed (look ma, no
strip_tags()!). Otherwise it splits the tag into an element and an attribute
list.

After the tag is split into an element and an attribute list, it is run
through another filter which will remove illegal attributes and once that is
completed, will be returned.

return: string Fixed HTML element
param: string $string Content to filter
param: array $allowed_html Allowed HTML elements
param: array $allowed_protocols Allowed protocols to keep
since: 1.0.0

wp_kses_attr($element, $attr, $allowed_html, $allowed_protocols)   X-Ref
Removes all attributes, if none are allowed for this element.

If some are allowed it calls wp_kses_hair() to split them further, and then
it builds up new HTML code from the data that kses_hair() returns. It also
removes "<" and ">" characters, if there are any left. One more thing it does
is to check if the tag has a closing XHTML slash, and if it does, it puts one
in the returned code as well.

return: string Sanitized HTML element
param: string $element HTML element/tag
param: string $attr HTML attributes from HTML element to closing HTML element tag
param: array $allowed_html Allowed HTML elements
param: array $allowed_protocols Allowed protocols to keep
since: 1.0.0

wp_kses_hair($attr, $allowed_protocols)   X-Ref
Builds an attribute list from string containing attributes.

This function does a lot of work. It parses an attribute list into an array
with attribute data, and tries to do the right thing even if it gets weird
input. It will add quotes around attribute values that don't have any quotes
or apostrophes around them, to make it easier to produce HTML code that will
conform to W3C's HTML specification. It will also remove bad URL protocols
from attribute values.  It also reduces duplicate attributes by using the
attribute defined first (foo='bar' foo='baz' will result in foo='bar').

return: array List of attributes after parsing
param: string $attr Attribute list from HTML element to closing HTML element tag
param: array $allowed_protocols Allowed protocols to keep
since: 1.0.0

wp_kses_check_attr_val($value, $vless, $checkname, $checkvalue)   X-Ref
Performs different checks for attribute values.

The currently implemented checks are "maxlen", "minlen", "maxval", "minval"
and "valueless" with even more checks to come soon.

return: bool Whether check passes
param: string $value Attribute value
param: string $vless Whether the value is valueless. Use 'y' or 'n'
param: string $checkname What $checkvalue is checking for.
param: mixed $checkvalue What constraint the value should pass
since: 1.0.0

wp_kses_bad_protocol($string, $allowed_protocols)   X-Ref
Sanitize string from bad protocols.

This function removes all non-allowed protocols from the beginning of
$string. It ignores whitespace and the case of the letters, and it does
understand HTML entities. It does its work in a while loop, so it won't be
fooled by a string like "javascript:javascript:alert(57)".

return: string Filtered content
param: string $string Content to filter bad protocols from
param: array $allowed_protocols Allowed protocols to keep
since: 1.0.0

wp_kses_no_null($string)   X-Ref
Removes any NULL characters in $string.

return: string
param: string $string
since: 1.0.0

wp_kses_stripslashes($string)   X-Ref
Strips slashes from in front of quotes.

This function changes the character sequence  \"  to just  ". It leaves all
other slashes alone. It's really weird, but the quoting from
preg_replace(//e) seems to require this.

return: string Fixed strings with quoted slashes
param: string $string String to strip slashes
since: 1.0.0

wp_kses_array_lc($inarray)   X-Ref
Goes through an array and changes the keys to all lower case.

return: array Fixed array with all lowercase keys
param: array $inarray Unfiltered array
since: 1.0.0

wp_kses_js_entities($string)   X-Ref
Removes the HTML JavaScript entities found in early versions of Netscape 4.

return: string
param: string $string
since: 1.0.0

wp_kses_html_error($string)   X-Ref
Handles parsing errors in wp_kses_hair().

The general plan is to remove everything to and including some whitespace,
but it deals with quotes and apostrophes as well.

return: string
param: string $string
since: 1.0.0

wp_kses_bad_protocol_once($string, $allowed_protocols)   X-Ref
Sanitizes content from bad protocols and other characters.

This function searches for URL protocols at the beginning of $string, while
handling whitespace and HTML entities.

return: string Sanitized content
param: string $string Content to check for bad protocols
param: string $allowed_protocols Allowed protocols
since: 1.0.0

wp_kses_bad_protocol_once2( $string, $allowed_protocols )   X-Ref
Callback for wp_kses_bad_protocol_once() regular expression.

This function processes URL protocols, checks to see if they're in the
white-list or not, and returns different data depending on the answer.

return: string Sanitized content
param: string $string URI scheme to check against the whitelist
param: string $allowed_protocols Allowed protocols
since: 1.0.0

wp_kses_normalize_entities($string)   X-Ref
Converts and fixes HTML entities.

This function normalizes HTML entities. It will convert "AT&T" to the correct
"AT&amp;T", "&#00058;" to "&#58;", "&#XYZZY;" to "&amp;#XYZZY;" and so on.

return: string Content with normalized entities
param: string $string Content to normalize entities
since: 1.0.0

wp_kses_named_entities($matches)   X-Ref
Callback for wp_kses_normalize_entities() regular expression.

This function only accepts valid named entity references, which are finite,
case-sensitive, and highly scrutinized by HTML and XML validators.

return: string Correctly encoded entity
param: array $matches preg_replace_callback() matches array
since: 3.0.0

wp_kses_normalize_entities2($matches)   X-Ref
Callback for wp_kses_normalize_entities() regular expression.

This function helps wp_kses_normalize_entities() to only accept 16 bit values
and nothing more for &#number; entities.

return: string Correctly encoded entity
param: array $matches preg_replace_callback() matches array
since: 1.0.0

wp_kses_normalize_entities3($matches)   X-Ref
Callback for wp_kses_normalize_entities() for regular expression.

This function helps wp_kses_normalize_entities() to only accept valid Unicode
numeric entities in hex form.

return: string Correctly encoded entity
param: array $matches preg_replace_callback() matches array

valid_unicode($i)   X-Ref
Helper function to determine if a Unicode value is valid.

return: bool true if the value was a valid Unicode number
param: int $i Unicode value

wp_kses_decode_entities($string)   X-Ref
Convert all entities to their character counterparts.

This function decodes numeric HTML entities (&#65; and &#x41;). It doesn't do
anything with other entities like &auml;, but we don't need them in the URL
protocol whitelisting system anyway.

return: string Content after decoded entities
param: string $string Content to change entities
since: 1.0.0

_wp_kses_decode_entities_chr( $match )   X-Ref
Regex callback for wp_kses_decode_entities()

return: string
param: array $match preg match

_wp_kses_decode_entities_chr_hexdec( $match )   X-Ref
Regex callback for wp_kses_decode_entities()

return: string
param: array $match preg match

wp_filter_kses($data)   X-Ref
Sanitize content with allowed HTML Kses rules.

return: string Filtered content
param: string $data Content to filter, expected to be escaped with slashes
since: 1.0.0

wp_kses_data($data)   X-Ref
Sanitize content with allowed HTML Kses rules.

return: string Filtered content
param: string $data Content to filter, expected to not be escaped
since: 2.9.0

wp_filter_post_kses($data)   X-Ref
Sanitize content for allowed HTML tags for post content.

Post content refers to the page contents of the 'post' type and not $_POST
data from forms.

return: string Filtered post content with allowed HTML tags and attributes intact.
param: string $data Post content to filter, expected to be escaped with slashes
since: 2.0.0

wp_kses_post($data)   X-Ref
Sanitize content for allowed HTML tags for post content.

Post content refers to the page contents of the 'post' type and not $_POST
data from forms.

return: string Filtered post content with allowed HTML tags and attributes intact.
param: string $data Post content to filter
since: 2.9.0

wp_filter_nohtml_kses($data)   X-Ref
Strips all of the HTML in the content.

return: string Filtered content without any HTML
param: string $data Content to strip all HTML from
since: 2.1.0

safecss_filter_attr( $css, $deprecated = '' )   X-Ref
Inline CSS filter

since: 2.8.1



Generated: Sat Nov 23 01:00:54 2024 Cross-referenced by PHPXref 0.7.1