[ Index ]

PHP Cross Reference of BackPress

title

Body

[close]

/includes/ -> functions.kses.php (summary)

kses 0.2.2 - HTML/XHTML filter that only allows some elements and attributes Copyright (C) 2002, 2003, 2005  Ulf Harnhammar This program is free software and open source software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

Author: Ulf Harnhammar <http://advogato.org/person/metaur/>
Copyright: (C) 2002, 2003, 2005
Version: 0.2.2
File Size: 1353 lines (39 kb)
Included or required:0 times
Referenced: 0 times
Includes or requires: 0 files

Defines 31 functions

  wp_kses()
  wp_kses_hook()
  wp_kses_version()
  wp_kses_split()
  _wp_kses_split_callback()
  wp_kses_split2()
  wp_kses_attr()
  wp_kses_hair()
  wp_kses_check_attr_val()
  wp_kses_bad_protocol()
  wp_kses_no_null()
  wp_kses_stripslashes()
  wp_kses_array_lc()
  wp_kses_js_entities()
  wp_kses_html_error()
  wp_kses_bad_protocol_once()
  wp_kses_bad_protocol_once2()
  wp_kses_normalize_entities()
  wp_kses_named_entities()
  wp_kses_normalize_entities2()
  wp_kses_normalize_entities3()
  valid_unicode()
  wp_kses_decode_entities()
  _wp_kses_decode_entities_chr()
  _wp_kses_decode_entities_chr_hexdec()
  wp_filter_kses()
  wp_kses_data()
  wp_filter_post_kses()
  wp_kses_post()
  wp_filter_nohtml_kses()
  safecss_filter_attr()

Functions
Functions that are not part of a class:

wp_kses($string, $allowed_html, $allowed_protocols = array ()   X-Ref
Filters content and keeps only allowable HTML elements.

This function makes sure that only the allowed HTML element names, attribute
names and attribute values plus only sane HTML entities will occur in
$string. You have to remove any slashes from PHP's magic quotes before you
call this function.

The default allowed protocols are 'http', 'https', 'ftp', 'mailto', 'news',
'irc', 'gopher', 'nntp', 'feed', 'telnet, 'mms', 'rtsp' and 'svn'. This
covers all common link protocols, except for 'javascript' which should not
be allowed for untrusted users.

since: 1.0.0
param: string $string Content to filter through kses
param: array $allowed_html List of allowed HTML elements
param: array $allowed_protocols Optional. Allowed protocol in links.
return: string Filtered content with only allowed HTML elements

wp_kses_hook($string, $allowed_html, $allowed_protocols)   X-Ref
You add any kses hooks here.

There is currently only one kses WordPress hook and it is called here. All
parameters are passed to the hooks and expected to recieve a string.

since: 1.0.0
param: string $string Content to filter through kses
param: array $allowed_html List of allowed HTML elements
param: array $allowed_protocols Allowed protocol in links
return: string Filtered content through 'pre_kses' hook

wp_kses_version()   X-Ref
This function returns kses' version number.

since: 1.0.0
return: string KSES Version Number

wp_kses_split($string, $allowed_html, $allowed_protocols)   X-Ref
Searches for HTML tags, no matter how malformed.

It also matches stray ">" characters.

since: 1.0.0
param: string $string Content to filter
param: array $allowed_html Allowed HTML elements
param: array $allowed_protocols Allowed protocols to keep
return: string Content with fixed HTML tags

_wp_kses_split_callback( $match )   X-Ref
Callback for wp_kses_split.

since: 3.1.0

wp_kses_split2($string, $allowed_html, $allowed_protocols)   X-Ref
Callback for wp_kses_split for fixing malformed HTML tags.

This function does a lot of work. It rejects some very malformed things like
<:::>. It returns an empty string, if the element isn't allowed (look ma, no
strip_tags()!). Otherwise it splits the tag into an element and an attribute
list.

After the tag is split into an element and an attribute list, it is run
through another filter which will remove illegal attributes and once that is
completed, will be returned.

since: 1.0.0
param: string $string Content to filter
param: array $allowed_html Allowed HTML elements
param: array $allowed_protocols Allowed protocols to keep
return: string Fixed HTML element

wp_kses_attr($element, $attr, $allowed_html, $allowed_protocols)   X-Ref
Removes all attributes, if none are allowed for this element.

If some are allowed it calls wp_kses_hair() to split them further, and then
it builds up new HTML code from the data that kses_hair() returns. It also
removes "<" and ">" characters, if there are any left. One more thing it does
is to check if the tag has a closing XHTML slash, and if it does, it puts one
in the returned code as well.

since: 1.0.0
param: string $element HTML element/tag
param: string $attr HTML attributes from HTML element to closing HTML element tag
param: array $allowed_html Allowed HTML elements
param: array $allowed_protocols Allowed protocols to keep
return: string Sanitized HTML element

wp_kses_hair($attr, $allowed_protocols)   X-Ref
Builds an attribute list from string containing attributes.

This function does a lot of work. It parses an attribute list into an array
with attribute data, and tries to do the right thing even if it gets weird
input. It will add quotes around attribute values that don't have any quotes
or apostrophes around them, to make it easier to produce HTML code that will
conform to W3C's HTML specification. It will also remove bad URL protocols
from attribute values.  It also reduces duplicate attributes by using the
attribute defined first (foo='bar' foo='baz' will result in foo='bar').

since: 1.0.0
param: string $attr Attribute list from HTML element to closing HTML element tag
param: array $allowed_protocols Allowed protocols to keep
return: array List of attributes after parsing

wp_kses_check_attr_val($value, $vless, $checkname, $checkvalue)   X-Ref
Performs different checks for attribute values.

The currently implemented checks are "maxlen", "minlen", "maxval", "minval"
and "valueless" with even more checks to come soon.

since: 1.0.0
param: string $value Attribute value
param: string $vless Whether the value is valueless. Use 'y' or 'n'
param: string $checkname What $checkvalue is checking for.
param: mixed $checkvalue What constraint the value should pass
return: bool Whether check passes

wp_kses_bad_protocol($string, $allowed_protocols)   X-Ref
Sanitize string from bad protocols.

This function removes all non-allowed protocols from the beginning of
$string. It ignores whitespace and the case of the letters, and it does
understand HTML entities. It does its work in a while loop, so it won't be
fooled by a string like "javascript:javascript:alert(57)".

since: 1.0.0
param: string $string Content to filter bad protocols from
param: array $allowed_protocols Allowed protocols to keep
return: string Filtered content

wp_kses_no_null($string)   X-Ref
Removes any NULL characters in $string.

since: 1.0.0
param: string $string
return: string

wp_kses_stripslashes($string)   X-Ref
Strips slashes from in front of quotes.

This function changes the character sequence  \"  to just  ". It leaves all
other slashes alone. It's really weird, but the quoting from
preg_replace(//e) seems to require this.

since: 1.0.0
param: string $string String to strip slashes
return: string Fixed strings with quoted slashes

wp_kses_array_lc($inarray)   X-Ref
Goes through an array and changes the keys to all lower case.

since: 1.0.0
param: array $inarray Unfiltered array
return: array Fixed array with all lowercase keys

wp_kses_js_entities($string)   X-Ref
Removes the HTML JavaScript entities found in early versions of Netscape 4.

since: 1.0.0
param: string $string
return: string

wp_kses_html_error($string)   X-Ref
Handles parsing errors in wp_kses_hair().

The general plan is to remove everything to and including some whitespace,
but it deals with quotes and apostrophes as well.

since: 1.0.0
param: string $string
return: string

wp_kses_bad_protocol_once($string, $allowed_protocols)   X-Ref
Sanitizes content from bad protocols and other characters.

This function searches for URL protocols at the beginning of $string, while
handling whitespace and HTML entities.

since: 1.0.0
param: string $string Content to check for bad protocols
param: string $allowed_protocols Allowed protocols
return: string Sanitized content

wp_kses_bad_protocol_once2( $string, $allowed_protocols )   X-Ref
Callback for wp_kses_bad_protocol_once() regular expression.

This function processes URL protocols, checks to see if they're in the
white-list or not, and returns different data depending on the answer.

since: 1.0.0
param: string $string URI scheme to check against the whitelist
param: string $allowed_protocols Allowed protocols
return: string Sanitized content

wp_kses_normalize_entities($string)   X-Ref
Converts and fixes HTML entities.

This function normalizes HTML entities. It will convert "AT&T" to the correct
"AT&amp;T", "&#00058;" to "&#58;", "&#XYZZY;" to "&amp;#XYZZY;" and so on.

since: 1.0.0
param: string $string Content to normalize entities
return: string Content with normalized entities

wp_kses_named_entities($matches)   X-Ref
Callback for wp_kses_normalize_entities() regular expression.

This function only accepts valid named entity references, which are finite,
case-sensitive, and highly scrutinized by HTML and XML validators.

since: 3.0.0
param: array $matches preg_replace_callback() matches array
return: string Correctly encoded entity

wp_kses_normalize_entities2($matches)   X-Ref
Callback for wp_kses_normalize_entities() regular expression.

This function helps wp_kses_normalize_entities() to only accept 16 bit values
and nothing more for &#number; entities.

since: 1.0.0
param: array $matches preg_replace_callback() matches array
return: string Correctly encoded entity

wp_kses_normalize_entities3($matches)   X-Ref
Callback for wp_kses_normalize_entities() for regular expression.

This function helps wp_kses_normalize_entities() to only accept valid Unicode
numeric entities in hex form.

param: array $matches preg_replace_callback() matches array
return: string Correctly encoded entity

valid_unicode($i)   X-Ref
Helper function to determine if a Unicode value is valid.

param: int $i Unicode value
return: bool true if the value was a valid Unicode number

wp_kses_decode_entities($string)   X-Ref
Convert all entities to their character counterparts.

This function decodes numeric HTML entities (&#65; and &#x41;). It doesn't do
anything with other entities like &auml;, but we don't need them in the URL
protocol whitelisting system anyway.

since: 1.0.0
param: string $string Content to change entities
return: string Content after decoded entities

_wp_kses_decode_entities_chr( $match )   X-Ref
Regex callback for wp_kses_decode_entities()

param: array $match preg match
return: string

_wp_kses_decode_entities_chr_hexdec( $match )   X-Ref
Regex callback for wp_kses_decode_entities()

param: array $match preg match
return: string

wp_filter_kses($data)   X-Ref
Sanitize content with allowed HTML Kses rules.

since: 1.0.0
param: string $data Content to filter, expected to be escaped with slashes
return: string Filtered content

wp_kses_data($data)   X-Ref
Sanitize content with allowed HTML Kses rules.

since: 2.9.0
param: string $data Content to filter, expected to not be escaped
return: string Filtered content

wp_filter_post_kses($data)   X-Ref
Sanitize content for allowed HTML tags for post content.

Post content refers to the page contents of the 'post' type and not $_POST
data from forms.

since: 2.0.0
param: string $data Post content to filter, expected to be escaped with slashes
return: string Filtered post content with allowed HTML tags and attributes intact.

wp_kses_post($data)   X-Ref
Sanitize content for allowed HTML tags for post content.

Post content refers to the page contents of the 'post' type and not $_POST
data from forms.

since: 2.9.0
param: string $data Post content to filter
return: string Filtered post content with allowed HTML tags and attributes intact.

wp_filter_nohtml_kses($data)   X-Ref
Strips all of the HTML in the content.

since: 2.1.0
param: string $data Content to strip all HTML from
return: string Filtered content without any HTML

safecss_filter_attr( $css, $deprecated = '' )   X-Ref
Inline CSS filter

since: 2.8.1



Generated: Wed Dec 19 01:01:51 2018 Cross-referenced by PHPXref 0.7.1