[ Index ]

PHP Cross Reference of WordPress

title

Body

[close]

/wp-includes/ -> kses.php (source)

   1  <?php
   2  /**
   3   * kses 0.2.2 - HTML/XHTML filter that only allows some elements and attributes
   4   * Copyright (C) 2002, 2003, 2005  Ulf Harnhammar
   5   *
   6   * This program is free software and open source software; you can redistribute
   7   * it and/or modify it under the terms of the GNU General Public License as
   8   * published by the Free Software Foundation; either version 2 of the License,
   9   * or (at your option) any later version.
  10   *
  11   * This program is distributed in the hope that it will be useful, but WITHOUT
  12   * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13   * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
  14   * more details.
  15   *
  16   * You should have received a copy of the GNU General Public License along
  17   * with this program; if not, write to the Free Software Foundation, Inc.,
  18   * 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
  19   * http://www.gnu.org/licenses/gpl.html
  20   *
  21   * [kses strips evil scripts!]
  22   *
  23   * Added wp_ prefix to avoid conflicts with existing kses users
  24   *
  25   * @version 0.2.2
  26   * @copyright (C) 2002, 2003, 2005
  27   * @author Ulf Harnhammar <http://advogato.org/person/metaur/>
  28   *
  29   * @package External
  30   * @subpackage KSES
  31   */
  32  
  33  /**
  34   * Specifies the default allowable HTML tags.
  35   *
  36   * Using `CUSTOM_TAGS` is not recommended and should be considered deprecated. The
  37   * {@see 'wp_kses_allowed_html'} filter is more powerful and supplies context.
  38   *
  39   * @see wp_kses_allowed_html()
  40   * @since 1.2.0
  41   *
  42   * @var array[]|false Array of default allowable HTML tags, or false to use the defaults.
  43   */
  44  if ( ! defined( 'CUSTOM_TAGS' ) ) {
  45      define( 'CUSTOM_TAGS', false );
  46  }
  47  
  48  // Ensure that these variables are added to the global namespace
  49  // (e.g. if using namespaces / autoload in the current PHP environment).
  50  global $allowedposttags, $allowedtags, $allowedentitynames, $allowedxmlentitynames;
  51  
  52  if ( ! CUSTOM_TAGS ) {
  53      /**
  54       * KSES global for default allowable HTML tags.
  55       *
  56       * Can be overridden with the `CUSTOM_TAGS` constant.
  57       *
  58       * @var array[] $allowedposttags Array of default allowable HTML tags.
  59       * @since 2.0.0
  60       */
  61      $allowedposttags = array(
  62          'address'    => array(),
  63          'a'          => array(
  64              'href'     => true,
  65              'rel'      => true,
  66              'rev'      => true,
  67              'name'     => true,
  68              'target'   => true,
  69              'download' => array(
  70                  'valueless' => 'y',
  71              ),
  72          ),
  73          'abbr'       => array(),
  74          'acronym'    => array(),
  75          'area'       => array(
  76              'alt'    => true,
  77              'coords' => true,
  78              'href'   => true,
  79              'nohref' => true,
  80              'shape'  => true,
  81              'target' => true,
  82          ),
  83          'article'    => array(
  84              'align'    => true,
  85              'dir'      => true,
  86              'lang'     => true,
  87              'xml:lang' => true,
  88          ),
  89          'aside'      => array(
  90              'align'    => true,
  91              'dir'      => true,
  92              'lang'     => true,
  93              'xml:lang' => true,
  94          ),
  95          'audio'      => array(
  96              'autoplay' => true,
  97              'controls' => true,
  98              'loop'     => true,
  99              'muted'    => true,
 100              'preload'  => true,
 101              'src'      => true,
 102          ),
 103          'b'          => array(),
 104          'bdo'        => array(
 105              'dir' => true,
 106          ),
 107          'big'        => array(),
 108          'blockquote' => array(
 109              'cite'     => true,
 110              'lang'     => true,
 111              'xml:lang' => true,
 112          ),
 113          'br'         => array(),
 114          'button'     => array(
 115              'disabled' => true,
 116              'name'     => true,
 117              'type'     => true,
 118              'value'    => true,
 119          ),
 120          'caption'    => array(
 121              'align' => true,
 122          ),
 123          'cite'       => array(
 124              'dir'  => true,
 125              'lang' => true,
 126          ),
 127          'code'       => array(),
 128          'col'        => array(
 129              'align'   => true,
 130              'char'    => true,
 131              'charoff' => true,
 132              'span'    => true,
 133              'dir'     => true,
 134              'valign'  => true,
 135              'width'   => true,
 136          ),
 137          'colgroup'   => array(
 138              'align'   => true,
 139              'char'    => true,
 140              'charoff' => true,
 141              'span'    => true,
 142              'valign'  => true,
 143              'width'   => true,
 144          ),
 145          'del'        => array(
 146              'datetime' => true,
 147          ),
 148          'dd'         => array(),
 149          'dfn'        => array(),
 150          'details'    => array(
 151              'align'    => true,
 152              'dir'      => true,
 153              'lang'     => true,
 154              'open'     => true,
 155              'xml:lang' => true,
 156          ),
 157          'div'        => array(
 158              'align'    => true,
 159              'dir'      => true,
 160              'lang'     => true,
 161              'xml:lang' => true,
 162          ),
 163          'dl'         => array(),
 164          'dt'         => array(),
 165          'em'         => array(),
 166          'fieldset'   => array(),
 167          'figure'     => array(
 168              'align'    => true,
 169              'dir'      => true,
 170              'lang'     => true,
 171              'xml:lang' => true,
 172          ),
 173          'figcaption' => array(
 174              'align'    => true,
 175              'dir'      => true,
 176              'lang'     => true,
 177              'xml:lang' => true,
 178          ),
 179          'font'       => array(
 180              'color' => true,
 181              'face'  => true,
 182              'size'  => true,
 183          ),
 184          'footer'     => array(
 185              'align'    => true,
 186              'dir'      => true,
 187              'lang'     => true,
 188              'xml:lang' => true,
 189          ),
 190          'h1'         => array(
 191              'align' => true,
 192          ),
 193          'h2'         => array(
 194              'align' => true,
 195          ),
 196          'h3'         => array(
 197              'align' => true,
 198          ),
 199          'h4'         => array(
 200              'align' => true,
 201          ),
 202          'h5'         => array(
 203              'align' => true,
 204          ),
 205          'h6'         => array(
 206              'align' => true,
 207          ),
 208          'header'     => array(
 209              'align'    => true,
 210              'dir'      => true,
 211              'lang'     => true,
 212              'xml:lang' => true,
 213          ),
 214          'hgroup'     => array(
 215              'align'    => true,
 216              'dir'      => true,
 217              'lang'     => true,
 218              'xml:lang' => true,
 219          ),
 220          'hr'         => array(
 221              'align'   => true,
 222              'noshade' => true,
 223              'size'    => true,
 224              'width'   => true,
 225          ),
 226          'i'          => array(),
 227          'img'        => array(
 228              'alt'      => true,
 229              'align'    => true,
 230              'border'   => true,
 231              'height'   => true,
 232              'hspace'   => true,
 233              'loading'  => true,
 234              'longdesc' => true,
 235              'vspace'   => true,
 236              'src'      => true,
 237              'usemap'   => true,
 238              'width'    => true,
 239          ),
 240          'ins'        => array(
 241              'datetime' => true,
 242              'cite'     => true,
 243          ),
 244          'kbd'        => array(),
 245          'label'      => array(
 246              'for' => true,
 247          ),
 248          'legend'     => array(
 249              'align' => true,
 250          ),
 251          'li'         => array(
 252              'align' => true,
 253              'value' => true,
 254          ),
 255          'main'       => array(
 256              'align'    => true,
 257              'dir'      => true,
 258              'lang'     => true,
 259              'xml:lang' => true,
 260          ),
 261          'map'        => array(
 262              'name' => true,
 263          ),
 264          'mark'       => array(),
 265          'menu'       => array(
 266              'type' => true,
 267          ),
 268          'nav'        => array(
 269              'align'    => true,
 270              'dir'      => true,
 271              'lang'     => true,
 272              'xml:lang' => true,
 273          ),
 274          'p'          => array(
 275              'align'    => true,
 276              'dir'      => true,
 277              'lang'     => true,
 278              'xml:lang' => true,
 279          ),
 280          'pre'        => array(
 281              'width' => true,
 282          ),
 283          'q'          => array(
 284              'cite' => true,
 285          ),
 286          's'          => array(),
 287          'samp'       => array(),
 288          'span'       => array(
 289              'dir'      => true,
 290              'align'    => true,
 291              'lang'     => true,
 292              'xml:lang' => true,
 293          ),
 294          'section'    => array(
 295              'align'    => true,
 296              'dir'      => true,
 297              'lang'     => true,
 298              'xml:lang' => true,
 299          ),
 300          'small'      => array(),
 301          'strike'     => array(),
 302          'strong'     => array(),
 303          'sub'        => array(),
 304          'summary'    => array(
 305              'align'    => true,
 306              'dir'      => true,
 307              'lang'     => true,
 308              'xml:lang' => true,
 309          ),
 310          'sup'        => array(),
 311          'table'      => array(
 312              'align'       => true,
 313              'bgcolor'     => true,
 314              'border'      => true,
 315              'cellpadding' => true,
 316              'cellspacing' => true,
 317              'dir'         => true,
 318              'rules'       => true,
 319              'summary'     => true,
 320              'width'       => true,
 321          ),
 322          'tbody'      => array(
 323              'align'   => true,
 324              'char'    => true,
 325              'charoff' => true,
 326              'valign'  => true,
 327          ),
 328          'td'         => array(
 329              'abbr'    => true,
 330              'align'   => true,
 331              'axis'    => true,
 332              'bgcolor' => true,
 333              'char'    => true,
 334              'charoff' => true,
 335              'colspan' => true,
 336              'dir'     => true,
 337              'headers' => true,
 338              'height'  => true,
 339              'nowrap'  => true,
 340              'rowspan' => true,
 341              'scope'   => true,
 342              'valign'  => true,
 343              'width'   => true,
 344          ),
 345          'textarea'   => array(
 346              'cols'     => true,
 347              'rows'     => true,
 348              'disabled' => true,
 349              'name'     => true,
 350              'readonly' => true,
 351          ),
 352          'tfoot'      => array(
 353              'align'   => true,
 354              'char'    => true,
 355              'charoff' => true,
 356              'valign'  => true,
 357          ),
 358          'th'         => array(
 359              'abbr'    => true,
 360              'align'   => true,
 361              'axis'    => true,
 362              'bgcolor' => true,
 363              'char'    => true,
 364              'charoff' => true,
 365              'colspan' => true,
 366              'headers' => true,
 367              'height'  => true,
 368              'nowrap'  => true,
 369              'rowspan' => true,
 370              'scope'   => true,
 371              'valign'  => true,
 372              'width'   => true,
 373          ),
 374          'thead'      => array(
 375              'align'   => true,
 376              'char'    => true,
 377              'charoff' => true,
 378              'valign'  => true,
 379          ),
 380          'title'      => array(),
 381          'tr'         => array(
 382              'align'   => true,
 383              'bgcolor' => true,
 384              'char'    => true,
 385              'charoff' => true,
 386              'valign'  => true,
 387          ),
 388          'track'      => array(
 389              'default' => true,
 390              'kind'    => true,
 391              'label'   => true,
 392              'src'     => true,
 393              'srclang' => true,
 394          ),
 395          'tt'         => array(),
 396          'u'          => array(),
 397          'ul'         => array(
 398              'type' => true,
 399          ),
 400          'ol'         => array(
 401              'start'    => true,
 402              'type'     => true,
 403              'reversed' => true,
 404          ),
 405          'var'        => array(),
 406          'video'      => array(
 407              'autoplay'    => true,
 408              'controls'    => true,
 409              'height'      => true,
 410              'loop'        => true,
 411              'muted'       => true,
 412              'playsinline' => true,
 413              'poster'      => true,
 414              'preload'     => true,
 415              'src'         => true,
 416              'width'       => true,
 417          ),
 418      );
 419  
 420      /**
 421       * @var array[] $allowedtags Array of KSES allowed HTML elements.
 422       * @since 1.0.0
 423       */
 424      $allowedtags = array(
 425          'a'          => array(
 426              'href'  => true,
 427              'title' => true,
 428          ),
 429          'abbr'       => array(
 430              'title' => true,
 431          ),
 432          'acronym'    => array(
 433              'title' => true,
 434          ),
 435          'b'          => array(),
 436          'blockquote' => array(
 437              'cite' => true,
 438          ),
 439          'cite'       => array(),
 440          'code'       => array(),
 441          'del'        => array(
 442              'datetime' => true,
 443          ),
 444          'em'         => array(),
 445          'i'          => array(),
 446          'q'          => array(
 447              'cite' => true,
 448          ),
 449          's'          => array(),
 450          'strike'     => array(),
 451          'strong'     => array(),
 452      );
 453  
 454      /**
 455       * @var string[] $allowedentitynames Array of KSES allowed HTML entitity names.
 456       * @since 1.0.0
 457       */
 458      $allowedentitynames = array(
 459          'nbsp',
 460          'iexcl',
 461          'cent',
 462          'pound',
 463          'curren',
 464          'yen',
 465          'brvbar',
 466          'sect',
 467          'uml',
 468          'copy',
 469          'ordf',
 470          'laquo',
 471          'not',
 472          'shy',
 473          'reg',
 474          'macr',
 475          'deg',
 476          'plusmn',
 477          'acute',
 478          'micro',
 479          'para',
 480          'middot',
 481          'cedil',
 482          'ordm',
 483          'raquo',
 484          'iquest',
 485          'Agrave',
 486          'Aacute',
 487          'Acirc',
 488          'Atilde',
 489          'Auml',
 490          'Aring',
 491          'AElig',
 492          'Ccedil',
 493          'Egrave',
 494          'Eacute',
 495          'Ecirc',
 496          'Euml',
 497          'Igrave',
 498          'Iacute',
 499          'Icirc',
 500          'Iuml',
 501          'ETH',
 502          'Ntilde',
 503          'Ograve',
 504          'Oacute',
 505          'Ocirc',
 506          'Otilde',
 507          'Ouml',
 508          'times',
 509          'Oslash',
 510          'Ugrave',
 511          'Uacute',
 512          'Ucirc',
 513          'Uuml',
 514          'Yacute',
 515          'THORN',
 516          'szlig',
 517          'agrave',
 518          'aacute',
 519          'acirc',
 520          'atilde',
 521          'auml',
 522          'aring',
 523          'aelig',
 524          'ccedil',
 525          'egrave',
 526          'eacute',
 527          'ecirc',
 528          'euml',
 529          'igrave',
 530          'iacute',
 531          'icirc',
 532          'iuml',
 533          'eth',
 534          'ntilde',
 535          'ograve',
 536          'oacute',
 537          'ocirc',
 538          'otilde',
 539          'ouml',
 540          'divide',
 541          'oslash',
 542          'ugrave',
 543          'uacute',
 544          'ucirc',
 545          'uuml',
 546          'yacute',
 547          'thorn',
 548          'yuml',
 549          'quot',
 550          'amp',
 551          'lt',
 552          'gt',
 553          'apos',
 554          'OElig',
 555          'oelig',
 556          'Scaron',
 557          'scaron',
 558          'Yuml',
 559          'circ',
 560          'tilde',
 561          'ensp',
 562          'emsp',
 563          'thinsp',
 564          'zwnj',
 565          'zwj',
 566          'lrm',
 567          'rlm',
 568          'ndash',
 569          'mdash',
 570          'lsquo',
 571          'rsquo',
 572          'sbquo',
 573          'ldquo',
 574          'rdquo',
 575          'bdquo',
 576          'dagger',
 577          'Dagger',
 578          'permil',
 579          'lsaquo',
 580          'rsaquo',
 581          'euro',
 582          'fnof',
 583          'Alpha',
 584          'Beta',
 585          'Gamma',
 586          'Delta',
 587          'Epsilon',
 588          'Zeta',
 589          'Eta',
 590          'Theta',
 591          'Iota',
 592          'Kappa',
 593          'Lambda',
 594          'Mu',
 595          'Nu',
 596          'Xi',
 597          'Omicron',
 598          'Pi',
 599          'Rho',
 600          'Sigma',
 601          'Tau',
 602          'Upsilon',
 603          'Phi',
 604          'Chi',
 605          'Psi',
 606          'Omega',
 607          'alpha',
 608          'beta',
 609          'gamma',
 610          'delta',
 611          'epsilon',
 612          'zeta',
 613          'eta',
 614          'theta',
 615          'iota',
 616          'kappa',
 617          'lambda',
 618          'mu',
 619          'nu',
 620          'xi',
 621          'omicron',
 622          'pi',
 623          'rho',
 624          'sigmaf',
 625          'sigma',
 626          'tau',
 627          'upsilon',
 628          'phi',
 629          'chi',
 630          'psi',
 631          'omega',
 632          'thetasym',
 633          'upsih',
 634          'piv',
 635          'bull',
 636          'hellip',
 637          'prime',
 638          'Prime',
 639          'oline',
 640          'frasl',
 641          'weierp',
 642          'image',
 643          'real',
 644          'trade',
 645          'alefsym',
 646          'larr',
 647          'uarr',
 648          'rarr',
 649          'darr',
 650          'harr',
 651          'crarr',
 652          'lArr',
 653          'uArr',
 654          'rArr',
 655          'dArr',
 656          'hArr',
 657          'forall',
 658          'part',
 659          'exist',
 660          'empty',
 661          'nabla',
 662          'isin',
 663          'notin',
 664          'ni',
 665          'prod',
 666          'sum',
 667          'minus',
 668          'lowast',
 669          'radic',
 670          'prop',
 671          'infin',
 672          'ang',
 673          'and',
 674          'or',
 675          'cap',
 676          'cup',
 677          'int',
 678          'sim',
 679          'cong',
 680          'asymp',
 681          'ne',
 682          'equiv',
 683          'le',
 684          'ge',
 685          'sub',
 686          'sup',
 687          'nsub',
 688          'sube',
 689          'supe',
 690          'oplus',
 691          'otimes',
 692          'perp',
 693          'sdot',
 694          'lceil',
 695          'rceil',
 696          'lfloor',
 697          'rfloor',
 698          'lang',
 699          'rang',
 700          'loz',
 701          'spades',
 702          'clubs',
 703          'hearts',
 704          'diams',
 705          'sup1',
 706          'sup2',
 707          'sup3',
 708          'frac14',
 709          'frac12',
 710          'frac34',
 711          'there4',
 712      );
 713  
 714      /**
 715       * @var string[] $allowedxmlentitynames Array of KSES allowed XML entitity names.
 716       * @since 5.5.0
 717       */
 718      $allowedxmlnamedentities = array(
 719          'amp',
 720          'lt',
 721          'gt',
 722          'apos',
 723          'quot',
 724      );
 725  
 726      $allowedposttags = array_map( '_wp_add_global_attributes', $allowedposttags );
 727  } else {
 728      $allowedtags     = wp_kses_array_lc( $allowedtags );
 729      $allowedposttags = wp_kses_array_lc( $allowedposttags );
 730  }
 731  
 732  /**
 733   * Filters text content and strips out disallowed HTML.
 734   *
 735   * This function makes sure that only the allowed HTML element names, attribute
 736   * names, attribute values, and HTML entities will occur in the given text string.
 737   *
 738   * This function expects unslashed data.
 739   *
 740   * @see wp_kses_post() for specifically filtering post content and fields.
 741   * @see wp_allowed_protocols() for the default allowed protocols in link URLs.
 742   *
 743   * @since 1.0.0
 744   *
 745   * @param string         $string            Text content to filter.
 746   * @param array[]|string $allowed_html      An array of allowed HTML elements and attributes,
 747   *                                          or a context name such as 'post'. See wp_kses_allowed_html()
 748   *                                          for the list of accepted context names.
 749   * @param string[]       $allowed_protocols Array of allowed URL protocols.
 750   * @return string Filtered content containing only the allowed HTML.
 751   */
 752  function wp_kses( $string, $allowed_html, $allowed_protocols = array() ) {
 753      if ( empty( $allowed_protocols ) ) {
 754          $allowed_protocols = wp_allowed_protocols();
 755      }
 756  
 757      $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
 758      $string = wp_kses_normalize_entities( $string );
 759      $string = wp_kses_hook( $string, $allowed_html, $allowed_protocols );
 760  
 761      return wp_kses_split( $string, $allowed_html, $allowed_protocols );
 762  }
 763  
 764  /**
 765   * Filters one HTML attribute and ensures its value is allowed.
 766   *
 767   * This function can escape data in some situations where `wp_kses()` must strip the whole attribute.
 768   *
 769   * @since 4.2.3
 770   *
 771   * @param string $string  The 'whole' attribute, including name and value.
 772   * @param string $element The HTML element name to which the attribute belongs.
 773   * @return string Filtered attribute.
 774   */
 775  function wp_kses_one_attr( $string, $element ) {
 776      $uris              = wp_kses_uri_attributes();
 777      $allowed_html      = wp_kses_allowed_html( 'post' );
 778      $allowed_protocols = wp_allowed_protocols();
 779      $string            = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
 780  
 781      // Preserve leading and trailing whitespace.
 782      $matches = array();
 783      preg_match( '/^\s*/', $string, $matches );
 784      $lead = $matches[0];
 785      preg_match( '/\s*$/', $string, $matches );
 786      $trail = $matches[0];
 787      if ( empty( $trail ) ) {
 788          $string = substr( $string, strlen( $lead ) );
 789      } else {
 790          $string = substr( $string, strlen( $lead ), -strlen( $trail ) );
 791      }
 792  
 793      // Parse attribute name and value from input.
 794      $split = preg_split( '/\s*=\s*/', $string, 2 );
 795      $name  = $split[0];
 796      if ( count( $split ) == 2 ) {
 797          $value = $split[1];
 798  
 799          // Remove quotes surrounding $value.
 800          // Also guarantee correct quoting in $string for this one attribute.
 801          if ( '' === $value ) {
 802              $quote = '';
 803          } else {
 804              $quote = $value[0];
 805          }
 806          if ( '"' === $quote || "'" === $quote ) {
 807              if ( substr( $value, -1 ) != $quote ) {
 808                  return '';
 809              }
 810              $value = substr( $value, 1, -1 );
 811          } else {
 812              $quote = '"';
 813          }
 814  
 815          // Sanitize quotes, angle braces, and entities.
 816          $value = esc_attr( $value );
 817  
 818          // Sanitize URI values.
 819          if ( in_array( strtolower( $name ), $uris, true ) ) {
 820              $value = wp_kses_bad_protocol( $value, $allowed_protocols );
 821          }
 822  
 823          $string = "$name=$quote$value$quote";
 824          $vless  = 'n';
 825      } else {
 826          $value = '';
 827          $vless = 'y';
 828      }
 829  
 830      // Sanitize attribute by name.
 831      wp_kses_attr_check( $name, $value, $string, $vless, $element, $allowed_html );
 832  
 833      // Restore whitespace.
 834      return $lead . $string . $trail;
 835  }
 836  
 837  /**
 838   * Returns an array of allowed HTML tags and attributes for a given context.
 839   *
 840   * @since 3.5.0
 841   * @since 5.0.1 `form` removed as allowable HTML tag.
 842   *
 843   * @global array $allowedposttags
 844   * @global array $allowedtags
 845   * @global array $allowedentitynames
 846   *
 847   * @param string|array $context The context for which to retrieve tags. Allowed values are 'post',
 848   *                              'strip', 'data', 'entities', or the name of a field filter such as
 849   *                              'pre_user_description', or an array of allowed HTML elements and attributes.
 850   * @return array Array of allowed HTML tags and their allowed attributes.
 851   */
 852  function wp_kses_allowed_html( $context = '' ) {
 853      global $allowedposttags, $allowedtags, $allowedentitynames;
 854  
 855      if ( is_array( $context ) ) {
 856          // When `$context` is an array it's actually an array of allowed HTML elements and attributes.
 857          $html    = $context;
 858          $context = 'explicit';
 859  
 860          /**
 861           * Filters the HTML tags that are allowed for a given context.
 862           *
 863           * @since 3.5.0
 864           *
 865           * @param array[] $html    Allowed HTML tags.
 866           * @param string  $context Context name.
 867           */
 868          return apply_filters( 'wp_kses_allowed_html', $html, $context );
 869      }
 870  
 871      switch ( $context ) {
 872          case 'post':
 873              /** This filter is documented in wp-includes/kses.php */
 874              $tags = apply_filters( 'wp_kses_allowed_html', $allowedposttags, $context );
 875  
 876              // 5.0.1 removed the `<form>` tag, allow it if a filter is allowing it's sub-elements `<input>` or `<select>`.
 877              if ( ! CUSTOM_TAGS && ! isset( $tags['form'] ) && ( isset( $tags['input'] ) || isset( $tags['select'] ) ) ) {
 878                  $tags = $allowedposttags;
 879  
 880                  $tags['form'] = array(
 881                      'action'         => true,
 882                      'accept'         => true,
 883                      'accept-charset' => true,
 884                      'enctype'        => true,
 885                      'method'         => true,
 886                      'name'           => true,
 887                      'target'         => true,
 888                  );
 889  
 890                  /** This filter is documented in wp-includes/kses.php */
 891                  $tags = apply_filters( 'wp_kses_allowed_html', $tags, $context );
 892              }
 893  
 894              return $tags;
 895  
 896          case 'user_description':
 897          case 'pre_user_description':
 898              $tags             = $allowedtags;
 899              $tags['a']['rel'] = true;
 900              /** This filter is documented in wp-includes/kses.php */
 901              return apply_filters( 'wp_kses_allowed_html', $tags, $context );
 902  
 903          case 'strip':
 904              /** This filter is documented in wp-includes/kses.php */
 905              return apply_filters( 'wp_kses_allowed_html', array(), $context );
 906  
 907          case 'entities':
 908              /** This filter is documented in wp-includes/kses.php */
 909              return apply_filters( 'wp_kses_allowed_html', $allowedentitynames, $context );
 910  
 911          case 'data':
 912          default:
 913              /** This filter is documented in wp-includes/kses.php */
 914              return apply_filters( 'wp_kses_allowed_html', $allowedtags, $context );
 915      }
 916  }
 917  
 918  /**
 919   * You add any KSES hooks here.
 920   *
 921   * There is currently only one KSES WordPress hook, {@see 'pre_kses'}, and it is called here.
 922   * All parameters are passed to the hooks and expected to receive a string.
 923   *
 924   * @since 1.0.0
 925   *
 926   * @param string         $string            Content to filter through KSES.
 927   * @param array[]|string $allowed_html      An array of allowed HTML elements and attributes,
 928   *                                          or a context name such as 'post'. See wp_kses_allowed_html()
 929   *                                          for the list of accepted context names.
 930   * @param string[]       $allowed_protocols Array of allowed URL protocols.
 931   * @return string Filtered content through {@see 'pre_kses'} hook.
 932   */
 933  function wp_kses_hook( $string, $allowed_html, $allowed_protocols ) {
 934      /**
 935       * Filters content to be run through KSES.
 936       *
 937       * @since 2.3.0
 938       *
 939       * @param string         $string            Content to filter through KSES.
 940       * @param array[]|string $allowed_html      An array of allowed HTML elements and attributes,
 941       *                                          or a context name such as 'post'. See wp_kses_allowed_html()
 942       *                                          for the list of accepted context names.
 943       * @param string[]       $allowed_protocols Array of allowed URL protocols.
 944       */
 945      return apply_filters( 'pre_kses', $string, $allowed_html, $allowed_protocols );
 946  }
 947  
 948  /**
 949   * Returns the version number of KSES.
 950   *
 951   * @since 1.0.0
 952   *
 953   * @return string KSES version number.
 954   */
 955  function wp_kses_version() {
 956      return '0.2.2';
 957  }
 958  
 959  /**
 960   * Searches for HTML tags, no matter how malformed.
 961   *
 962   * It also matches stray `>` characters.
 963   *
 964   * @since 1.0.0
 965   *
 966   * @global array[]|string $pass_allowed_html      An array of allowed HTML elements and attributes,
 967   *                                                or a context name such as 'post'.
 968   * @global string[]       $pass_allowed_protocols Array of allowed URL protocols.
 969   *
 970   * @param string         $string            Content to filter.
 971   * @param array[]|string $allowed_html      An array of allowed HTML elements and attributes,
 972   *                                          or a context name such as 'post'. See wp_kses_allowed_html()
 973   *                                          for the list of accepted context names.
 974   * @param string[]       $allowed_protocols Array of allowed URL protocols.
 975   * @return string Content with fixed HTML tags
 976   */
 977  function wp_kses_split( $string, $allowed_html, $allowed_protocols ) {
 978      global $pass_allowed_html, $pass_allowed_protocols;
 979  
 980      $pass_allowed_html      = $allowed_html;
 981      $pass_allowed_protocols = $allowed_protocols;
 982  
 983      return preg_replace_callback( '%(<!--.*?(-->|$))|(<[^>]*(>|$)|>)%', '_wp_kses_split_callback', $string );
 984  }
 985  
 986  /**
 987   * Returns an array of HTML attribute names whose value contains a URL.
 988   *
 989   * This function returns a list of all HTML attributes that must contain
 990   * a URL according to the HTML specification.
 991   *
 992   * This list includes URI attributes both allowed and disallowed by KSES.
 993   *
 994   * @link https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes
 995   *
 996   * @since 5.0.1
 997   *
 998   * @return string[] HTML attribute names whose value contains a URL.
 999   */
1000  function wp_kses_uri_attributes() {
1001      $uri_attributes = array(
1002          'action',
1003          'archive',
1004          'background',
1005          'cite',
1006          'classid',
1007          'codebase',
1008          'data',
1009          'formaction',
1010          'href',
1011          'icon',
1012          'longdesc',
1013          'manifest',
1014          'poster',
1015          'profile',
1016          'src',
1017          'usemap',
1018          'xmlns',
1019      );
1020  
1021      /**
1022       * Filters the list of attributes that are required to contain a URL.
1023       *
1024       * Use this filter to add any `data-` attributes that are required to be
1025       * validated as a URL.
1026       *
1027       * @since 5.0.1
1028       *
1029       * @param string[] $uri_attributes HTML attribute names whose value contains a URL.
1030       */
1031      $uri_attributes = apply_filters( 'wp_kses_uri_attributes', $uri_attributes );
1032  
1033      return $uri_attributes;
1034  }
1035  
1036  /**
1037   * Callback for `wp_kses_split()`.
1038   *
1039   * @since 3.1.0
1040   * @access private
1041   * @ignore
1042   *
1043   * @global array[]|string $pass_allowed_html      An array of allowed HTML elements and attributes,
1044   *                                                or a context name such as 'post'.
1045   * @global string[]       $pass_allowed_protocols Array of allowed URL protocols.
1046   *
1047   * @param array $match preg_replace regexp matches
1048   * @return string
1049   */
1050  function _wp_kses_split_callback( $match ) {
1051      global $pass_allowed_html, $pass_allowed_protocols;
1052  
1053      return wp_kses_split2( $match[0], $pass_allowed_html, $pass_allowed_protocols );
1054  }
1055  
1056  /**
1057   * Callback for `wp_kses_split()` for fixing malformed HTML tags.
1058   *
1059   * This function does a lot of work. It rejects some very malformed things like
1060   * `<:::>`. It returns an empty string, if the element isn't allowed (look ma, no
1061   * `strip_tags()`!). Otherwise it splits the tag into an element and an attribute
1062   * list.
1063   *
1064   * After the tag is split into an element and an attribute list, it is run
1065   * through another filter which will remove illegal attributes and once that is
1066   * completed, will be returned.
1067   *
1068   * @access private
1069   * @ignore
1070   * @since 1.0.0
1071   *
1072   * @param string         $string            Content to filter.
1073   * @param array[]|string $allowed_html      An array of allowed HTML elements and attributes,
1074   *                                          or a context name such as 'post'. See wp_kses_allowed_html()
1075   *                                          for the list of accepted context names.
1076   * @param string[]       $allowed_protocols Array of allowed URL protocols.
1077   * @return string Fixed HTML element
1078   */
1079  function wp_kses_split2( $string, $allowed_html, $allowed_protocols ) {
1080      $string = wp_kses_stripslashes( $string );
1081  
1082      // It matched a ">" character.
1083      if ( '<' !== substr( $string, 0, 1 ) ) {
1084          return '&gt;';
1085      }
1086  
1087      // Allow HTML comments.
1088      if ( '<!--' === substr( $string, 0, 4 ) ) {
1089          $string = str_replace( array( '<!--', '-->' ), '', $string );
1090          while ( ( $newstring = wp_kses( $string, $allowed_html, $allowed_protocols ) ) != $string ) {
1091              $string = $newstring;
1092          }
1093          if ( '' === $string ) {
1094              return '';
1095          }
1096          // Prevent multiple dashes in comments.
1097          $string = preg_replace( '/--+/', '-', $string );
1098          // Prevent three dashes closing a comment.
1099          $string = preg_replace( '/-$/', '', $string );
1100          return "<!--{$string}-->";
1101      }
1102  
1103      // It's seriously malformed.
1104      if ( ! preg_match( '%^<\s*(/\s*)?([a-zA-Z0-9-]+)([^>]*)>?$%', $string, $matches ) ) {
1105          return '';
1106      }
1107  
1108      $slash    = trim( $matches[1] );
1109      $elem     = $matches[2];
1110      $attrlist = $matches[3];
1111  
1112      if ( ! is_array( $allowed_html ) ) {
1113          $allowed_html = wp_kses_allowed_html( $allowed_html );
1114      }
1115  
1116      // They are using a not allowed HTML element.
1117      if ( ! isset( $allowed_html[ strtolower( $elem ) ] ) ) {
1118          return '';
1119      }
1120  
1121      // No attributes are allowed for closing elements.
1122      if ( '' !== $slash ) {
1123          return "</$elem>";
1124      }
1125  
1126      return wp_kses_attr( $elem, $attrlist, $allowed_html, $allowed_protocols );
1127  }
1128  
1129  /**
1130   * Removes all attributes, if none are allowed for this element.
1131   *
1132   * If some are allowed it calls `wp_kses_hair()` to split them further, and then
1133   * it builds up new HTML code from the data that `kses_hair()` returns. It also
1134   * removes `<` and `>` characters, if there are any left. One more thing it does
1135   * is to check if the tag has a closing XHTML slash, and if it does, it puts one
1136   * in the returned code as well.
1137   *
1138   * @since 1.0.0
1139   *
1140   * @param string         $element           HTML element/tag.
1141   * @param string         $attr              HTML attributes from HTML element to closing HTML element tag.
1142   * @param array[]|string $allowed_html      An array of allowed HTML elements and attributes,
1143   *                                          or a context name such as 'post'. See wp_kses_allowed_html()
1144   *                                          for the list of accepted context names.
1145   * @param string[]       $allowed_protocols Array of allowed URL protocols.
1146   * @return string Sanitized HTML element.
1147   */
1148  function wp_kses_attr( $element, $attr, $allowed_html, $allowed_protocols ) {
1149      if ( ! is_array( $allowed_html ) ) {
1150          $allowed_html = wp_kses_allowed_html( $allowed_html );
1151      }
1152  
1153      // Is there a closing XHTML slash at the end of the attributes?
1154      $xhtml_slash = '';
1155      if ( preg_match( '%\s*/\s*$%', $attr ) ) {
1156          $xhtml_slash = ' /';
1157      }
1158  
1159      // Are any attributes allowed at all for this element?
1160      $element_low = strtolower( $element );
1161      if ( empty( $allowed_html[ $element_low ] ) || true === $allowed_html[ $element_low ] ) {
1162          return "<$element$xhtml_slash>";
1163      }
1164  
1165      // Split it.
1166      $attrarr = wp_kses_hair( $attr, $allowed_protocols );
1167  
1168      // Go through $attrarr, and save the allowed attributes for this element
1169      // in $attr2.
1170      $attr2 = '';
1171      foreach ( $attrarr as $arreach ) {
1172          if ( wp_kses_attr_check( $arreach['name'], $arreach['value'], $arreach['whole'], $arreach['vless'], $element, $allowed_html ) ) {
1173              $attr2 .= ' ' . $arreach['whole'];
1174          }
1175      }
1176  
1177      // Remove any "<" or ">" characters.
1178      $attr2 = preg_replace( '/[<>]/', '', $attr2 );
1179  
1180      return "<$element$attr2$xhtml_slash>";
1181  }
1182  
1183  /**
1184   * Determines whether an attribute is allowed.
1185   *
1186   * @since 4.2.3
1187   * @since 5.0.0 Add support for `data-*` wildcard attributes.
1188   *
1189   * @param string $name         The attribute name. Passed by reference. Returns empty string when not allowed.
1190   * @param string $value        The attribute value. Passed by reference. Returns a filtered value.
1191   * @param string $whole        The `name=value` input. Passed by reference. Returns filtered input.
1192   * @param string $vless        Whether the attribute is valueless. Use 'y' or 'n'.
1193   * @param string $element      The name of the element to which this attribute belongs.
1194   * @param array  $allowed_html The full list of allowed elements and attributes.
1195   * @return bool Whether or not the attribute is allowed.
1196   */
1197  function wp_kses_attr_check( &$name, &$value, &$whole, $vless, $element, $allowed_html ) {
1198      $name_low    = strtolower( $name );
1199      $element_low = strtolower( $element );
1200  
1201      if ( ! isset( $allowed_html[ $element_low ] ) ) {
1202          $name  = '';
1203          $value = '';
1204          $whole = '';
1205          return false;
1206      }
1207  
1208      $allowed_attr = $allowed_html[ $element_low ];
1209  
1210      if ( ! isset( $allowed_attr[ $name_low ] ) || '' === $allowed_attr[ $name_low ] ) {
1211          /*
1212           * Allow `data-*` attributes.
1213           *
1214           * When specifying `$allowed_html`, the attribute name should be set as
1215           * `data-*` (not to be mixed with the HTML 4.0 `data` attribute, see
1216           * https://www.w3.org/TR/html40/struct/objects.html#adef-data).
1217           *
1218           * Note: the attribute name should only contain `A-Za-z0-9_-` chars,
1219           * double hyphens `--` are not accepted by WordPress.
1220           */
1221          if ( strpos( $name_low, 'data-' ) === 0 && ! empty( $allowed_attr['data-*'] ) && preg_match( '/^data(?:-[a-z0-9_]+)+$/', $name_low, $match ) ) {
1222              /*
1223               * Add the whole attribute name to the allowed attributes and set any restrictions
1224               * for the `data-*` attribute values for the current element.
1225               */
1226              $allowed_attr[ $match[0] ] = $allowed_attr['data-*'];
1227          } else {
1228              $name  = '';
1229              $value = '';
1230              $whole = '';
1231              return false;
1232          }
1233      }
1234  
1235      if ( 'style' === $name_low ) {
1236          $new_value = safecss_filter_attr( $value );
1237  
1238          if ( empty( $new_value ) ) {
1239              $name  = '';
1240              $value = '';
1241              $whole = '';
1242              return false;
1243          }
1244  
1245          $whole = str_replace( $value, $new_value, $whole );
1246          $value = $new_value;
1247      }
1248  
1249      if ( is_array( $allowed_attr[ $name_low ] ) ) {
1250          // There are some checks.
1251          foreach ( $allowed_attr[ $name_low ] as $currkey => $currval ) {
1252              if ( ! wp_kses_check_attr_val( $value, $vless, $currkey, $currval ) ) {
1253                  $name  = '';
1254                  $value = '';
1255                  $whole = '';
1256                  return false;
1257              }
1258          }
1259      }
1260  
1261      return true;
1262  }
1263  
1264  /**
1265   * Builds an attribute list from string containing attributes.
1266   *
1267   * This function does a lot of work. It parses an attribute list into an array
1268   * with attribute data, and tries to do the right thing even if it gets weird
1269   * input. It will add quotes around attribute values that don't have any quotes
1270   * or apostrophes around them, to make it easier to produce HTML code that will
1271   * conform to W3C's HTML specification. It will also remove bad URL protocols
1272   * from attribute values. It also reduces duplicate attributes by using the
1273   * attribute defined first (`foo='bar' foo='baz'` will result in `foo='bar'`).
1274   *
1275   * @since 1.0.0
1276   *
1277   * @param string   $attr              Attribute list from HTML element to closing HTML element tag.
1278   * @param string[] $allowed_protocols Array of allowed URL protocols.
1279   * @return array[] Array of attribute information after parsing.
1280   */
1281  function wp_kses_hair( $attr, $allowed_protocols ) {
1282      $attrarr  = array();
1283      $mode     = 0;
1284      $attrname = '';
1285      $uris     = wp_kses_uri_attributes();
1286  
1287      // Loop through the whole attribute list.
1288  
1289      while ( strlen( $attr ) != 0 ) {
1290          $working = 0; // Was the last operation successful?
1291  
1292          switch ( $mode ) {
1293              case 0:
1294                  if ( preg_match( '/^([_a-zA-Z][-_a-zA-Z0-9:.]*)/', $attr, $match ) ) {
1295                      $attrname = $match[1];
1296                      $working  = 1;
1297                      $mode     = 1;
1298                      $attr     = preg_replace( '/^[_a-zA-Z][-_a-zA-Z0-9:.]*/', '', $attr );
1299                  }
1300  
1301                  break;
1302  
1303              case 1:
1304                  if ( preg_match( '/^\s*=\s*/', $attr ) ) { // Equals sign.
1305                      $working = 1;
1306                      $mode    = 2;
1307                      $attr    = preg_replace( '/^\s*=\s*/', '', $attr );
1308                      break;
1309                  }
1310  
1311                  if ( preg_match( '/^\s+/', $attr ) ) { // Valueless.
1312                      $working = 1;
1313                      $mode    = 0;
1314                      if ( false === array_key_exists( $attrname, $attrarr ) ) {
1315                          $attrarr[ $attrname ] = array(
1316                              'name'  => $attrname,
1317                              'value' => '',
1318                              'whole' => $attrname,
1319                              'vless' => 'y',
1320                          );
1321                      }
1322                      $attr = preg_replace( '/^\s+/', '', $attr );
1323                  }
1324  
1325                  break;
1326  
1327              case 2:
1328                  if ( preg_match( '%^"([^"]*)"(\s+|/?$)%', $attr, $match ) ) {
1329                      // "value"
1330                      $thisval = $match[1];
1331                      if ( in_array( strtolower( $attrname ), $uris, true ) ) {
1332                          $thisval = wp_kses_bad_protocol( $thisval, $allowed_protocols );
1333                      }
1334  
1335                      if ( false === array_key_exists( $attrname, $attrarr ) ) {
1336                          $attrarr[ $attrname ] = array(
1337                              'name'  => $attrname,
1338                              'value' => $thisval,
1339                              'whole' => "$attrname=\"$thisval\"",
1340                              'vless' => 'n',
1341                          );
1342                      }
1343                      $working = 1;
1344                      $mode    = 0;
1345                      $attr    = preg_replace( '/^"[^"]*"(\s+|$)/', '', $attr );
1346                      break;
1347                  }
1348  
1349                  if ( preg_match( "%^'([^']*)'(\s+|/?$)%", $attr, $match ) ) {
1350                      // 'value'
1351                      $thisval = $match[1];
1352                      if ( in_array( strtolower( $attrname ), $uris, true ) ) {
1353                          $thisval = wp_kses_bad_protocol( $thisval, $allowed_protocols );
1354                      }
1355  
1356                      if ( false === array_key_exists( $attrname, $attrarr ) ) {
1357                          $attrarr[ $attrname ] = array(
1358                              'name'  => $attrname,
1359                              'value' => $thisval,
1360                              'whole' => "$attrname='$thisval'",
1361                              'vless' => 'n',
1362                          );
1363                      }
1364                      $working = 1;
1365                      $mode    = 0;
1366                      $attr    = preg_replace( "/^'[^']*'(\s+|$)/", '', $attr );
1367                      break;
1368                  }
1369  
1370                  if ( preg_match( "%^([^\s\"']+)(\s+|/?$)%", $attr, $match ) ) {
1371                      // value
1372                      $thisval = $match[1];
1373                      if ( in_array( strtolower( $attrname ), $uris, true ) ) {
1374                          $thisval = wp_kses_bad_protocol( $thisval, $allowed_protocols );
1375                      }
1376  
1377                      if ( false === array_key_exists( $attrname, $attrarr ) ) {
1378                          $attrarr[ $attrname ] = array(
1379                              'name'  => $attrname,
1380                              'value' => $thisval,
1381                              'whole' => "$attrname=\"$thisval\"",
1382                              'vless' => 'n',
1383                          );
1384                      }
1385                      // We add quotes to conform to W3C's HTML spec.
1386                      $working = 1;
1387                      $mode    = 0;
1388                      $attr    = preg_replace( "%^[^\s\"']+(\s+|$)%", '', $attr );
1389                  }
1390  
1391                  break;
1392          } // End switch.
1393  
1394          if ( 0 == $working ) { // Not well-formed, remove and try again.
1395              $attr = wp_kses_html_error( $attr );
1396              $mode = 0;
1397          }
1398      } // End while.
1399  
1400      if ( 1 == $mode && false === array_key_exists( $attrname, $attrarr ) ) {
1401          // Special case, for when the attribute list ends with a valueless
1402          // attribute like "selected".
1403          $attrarr[ $attrname ] = array(
1404              'name'  => $attrname,
1405              'value' => '',
1406              'whole' => $attrname,
1407              'vless' => 'y',
1408          );
1409      }
1410  
1411      return $attrarr;
1412  }
1413  
1414  /**
1415   * Finds all attributes of an HTML element.
1416   *
1417   * Does not modify input.  May return "evil" output.
1418   *
1419   * Based on `wp_kses_split2()` and `wp_kses_attr()`.
1420   *
1421   * @since 4.2.3
1422   *
1423   * @param string $element HTML element.
1424   * @return array|false List of attributes found in the element. Returns false on failure.
1425   */
1426  function wp_kses_attr_parse( $element ) {
1427      $valid = preg_match( '%^(<\s*)(/\s*)?([a-zA-Z0-9]+\s*)([^>]*)(>?)$%', $element, $matches );
1428      if ( 1 !== $valid ) {
1429          return false;
1430      }
1431  
1432      $begin  = $matches[1];
1433      $slash  = $matches[2];
1434      $elname = $matches[3];
1435      $attr   = $matches[4];
1436      $end    = $matches[5];
1437  
1438      if ( '' !== $slash ) {
1439          // Closing elements do not get parsed.
1440          return false;
1441      }
1442  
1443      // Is there a closing XHTML slash at the end of the attributes?
1444      if ( 1 === preg_match( '%\s*/\s*$%', $attr, $matches ) ) {
1445          $xhtml_slash = $matches[0];
1446          $attr        = substr( $attr, 0, -strlen( $xhtml_slash ) );
1447      } else {
1448          $xhtml_slash = '';
1449      }
1450  
1451      // Split it.
1452      $attrarr = wp_kses_hair_parse( $attr );
1453      if ( false === $attrarr ) {
1454          return false;
1455      }
1456  
1457      // Make sure all input is returned by adding front and back matter.
1458      array_unshift( $attrarr, $begin . $slash . $elname );
1459      array_push( $attrarr, $xhtml_slash . $end );
1460  
1461      return $attrarr;
1462  }
1463  
1464  /**
1465   * Builds an attribute list from string containing attributes.
1466   *
1467   * Does not modify input.  May return "evil" output.
1468   * In case of unexpected input, returns false instead of stripping things.
1469   *
1470   * Based on `wp_kses_hair()` but does not return a multi-dimensional array.
1471   *
1472   * @since 4.2.3
1473   *
1474   * @param string $attr Attribute list from HTML element to closing HTML element tag.
1475   * @return array|false List of attributes found in $attr. Returns false on failure.
1476   */
1477  function wp_kses_hair_parse( $attr ) {
1478      if ( '' === $attr ) {
1479          return array();
1480      }
1481  
1482      // phpcs:disable Squiz.Strings.ConcatenationSpacing.PaddingFound -- don't remove regex indentation
1483      $regex =
1484          '(?:'
1485          .     '[_a-zA-Z][-_a-zA-Z0-9:.]*' // Attribute name.
1486          . '|'
1487          .     '\[\[?[^\[\]]+\]\]?'        // Shortcode in the name position implies unfiltered_html.
1488          . ')'
1489          . '(?:'               // Attribute value.
1490          .     '\s*=\s*'       // All values begin with '='.
1491          .     '(?:'
1492          .         '"[^"]*"'   // Double-quoted.
1493          .     '|'
1494          .         "'[^']*'"   // Single-quoted.
1495          .     '|'
1496          .         '[^\s"\']+' // Non-quoted.
1497          .         '(?:\s|$)'  // Must have a space.
1498          .     ')'
1499          . '|'
1500          .     '(?:\s|$)'      // If attribute has no value, space is required.
1501          . ')'
1502          . '\s*';              // Trailing space is optional except as mentioned above.
1503      // phpcs:enable
1504  
1505      // Although it is possible to reduce this procedure to a single regexp,
1506      // we must run that regexp twice to get exactly the expected result.
1507  
1508      $validation = "%^($regex)+$%";
1509      $extraction = "%$regex%";
1510  
1511      if ( 1 === preg_match( $validation, $attr ) ) {
1512          preg_match_all( $extraction, $attr, $attrarr );
1513          return $attrarr[0];
1514      } else {
1515          return false;
1516      }
1517  }
1518  
1519  /**
1520   * Performs different checks for attribute values.
1521   *
1522   * The currently implemented checks are "maxlen", "minlen", "maxval", "minval",
1523   * and "valueless".
1524   *
1525   * @since 1.0.0
1526   *
1527   * @param string $value      Attribute value.
1528   * @param string $vless      Whether the attribute is valueless. Use 'y' or 'n'.
1529   * @param string $checkname  What $checkvalue is checking for.
1530   * @param mixed  $checkvalue What constraint the value should pass.
1531   * @return bool Whether check passes.
1532   */
1533  function wp_kses_check_attr_val( $value, $vless, $checkname, $checkvalue ) {
1534      $ok = true;
1535  
1536      switch ( strtolower( $checkname ) ) {
1537          case 'maxlen':
1538              /*
1539               * The maxlen check makes sure that the attribute value has a length not
1540               * greater than the given value. This can be used to avoid Buffer Overflows
1541               * in WWW clients and various Internet servers.
1542               */
1543  
1544              if ( strlen( $value ) > $checkvalue ) {
1545                  $ok = false;
1546              }
1547              break;
1548  
1549          case 'minlen':
1550              /*
1551               * The minlen check makes sure that the attribute value has a length not
1552               * smaller than the given value.
1553               */
1554  
1555              if ( strlen( $value ) < $checkvalue ) {
1556                  $ok = false;
1557              }
1558              break;
1559  
1560          case 'maxval':
1561              /*
1562               * The maxval check does two things: it checks that the attribute value is
1563               * an integer from 0 and up, without an excessive amount of zeroes or
1564               * whitespace (to avoid Buffer Overflows). It also checks that the attribute
1565               * value is not greater than the given value.
1566               * This check can be used to avoid Denial of Service attacks.
1567               */
1568  
1569              if ( ! preg_match( '/^\s{0,6}[0-9]{1,6}\s{0,6}$/', $value ) ) {
1570                  $ok = false;
1571              }
1572              if ( $value > $checkvalue ) {
1573                  $ok = false;
1574              }
1575              break;
1576  
1577          case 'minval':
1578              /*
1579               * The minval check makes sure that the attribute value is a positive integer,
1580               * and that it is not smaller than the given value.
1581               */
1582  
1583              if ( ! preg_match( '/^\s{0,6}[0-9]{1,6}\s{0,6}$/', $value ) ) {
1584                  $ok = false;
1585              }
1586              if ( $value < $checkvalue ) {
1587                  $ok = false;
1588              }
1589              break;
1590  
1591          case 'valueless':
1592              /*
1593               * The valueless check makes sure if the attribute has a value
1594               * (like `<a href="blah">`) or not (`<option selected>`). If the given value
1595               * is a "y" or a "Y", the attribute must not have a value.
1596               * If the given value is an "n" or an "N", the attribute must have a value.
1597               */
1598  
1599              if ( strtolower( $checkvalue ) != $vless ) {
1600                  $ok = false;
1601              }
1602              break;
1603      } // End switch.
1604  
1605      return $ok;
1606  }
1607  
1608  /**
1609   * Sanitizes a string and removed disallowed URL protocols.
1610   *
1611   * This function removes all non-allowed protocols from the beginning of the
1612   * string. It ignores whitespace and the case of the letters, and it does
1613   * understand HTML entities. It does its work recursively, so it won't be
1614   * fooled by a string like `javascript:javascript:alert(57)`.
1615   *
1616   * @since 1.0.0
1617   *
1618   * @param string   $string            Content to filter bad protocols from.
1619   * @param string[] $allowed_protocols Array of allowed URL protocols.
1620   * @return string Filtered content.
1621   */
1622  function wp_kses_bad_protocol( $string, $allowed_protocols ) {
1623      $string     = wp_kses_no_null( $string );
1624      $iterations = 0;
1625  
1626      do {
1627          $original_string = $string;
1628          $string          = wp_kses_bad_protocol_once( $string, $allowed_protocols );
1629      } while ( $original_string != $string && ++$iterations < 6 );
1630  
1631      if ( $original_string != $string ) {
1632          return '';
1633      }
1634  
1635      return $string;
1636  }
1637  
1638  /**
1639   * Removes any invalid control characters in a text string.
1640   *
1641   * Also removes any instance of the `\0` string.
1642   *
1643   * @since 1.0.0
1644   *
1645   * @param string $string  Content to filter null characters from.
1646   * @param array  $options Set 'slash_zero' => 'keep' when '\0' is allowed. Default is 'remove'.
1647   * @return string Filtered content.
1648   */
1649  function wp_kses_no_null( $string, $options = null ) {
1650      if ( ! isset( $options['slash_zero'] ) ) {
1651          $options = array( 'slash_zero' => 'remove' );
1652      }
1653  
1654      $string = preg_replace( '/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $string );
1655      if ( 'remove' === $options['slash_zero'] ) {
1656          $string = preg_replace( '/\\\\+0+/', '', $string );
1657      }
1658  
1659      return $string;
1660  }
1661  
1662  /**
1663   * Strips slashes from in front of quotes.
1664   *
1665   * This function changes the character sequence `\"` to just `"`. It leaves all other
1666   * slashes alone. The quoting from `preg_replace(//e)` requires this.
1667   *
1668   * @since 1.0.0
1669   *
1670   * @param string $string String to strip slashes from.
1671   * @return string Fixed string with quoted slashes.
1672   */
1673  function wp_kses_stripslashes( $string ) {
1674      return preg_replace( '%\\\\"%', '"', $string );
1675  }
1676  
1677  /**
1678   * Converts the keys of an array to lowercase.
1679   *
1680   * @since 1.0.0
1681   *
1682   * @param array $inarray Unfiltered array.
1683   * @return array Fixed array with all lowercase keys.
1684   */
1685  function wp_kses_array_lc( $inarray ) {
1686      $outarray = array();
1687  
1688      foreach ( (array) $inarray as $inkey => $inval ) {
1689          $outkey              = strtolower( $inkey );
1690          $outarray[ $outkey ] = array();
1691  
1692          foreach ( (array) $inval as $inkey2 => $inval2 ) {
1693              $outkey2                         = strtolower( $inkey2 );
1694              $outarray[ $outkey ][ $outkey2 ] = $inval2;
1695          }
1696      }
1697  
1698      return $outarray;
1699  }
1700  
1701  /**
1702   * Handles parsing errors in `wp_kses_hair()`.
1703   *
1704   * The general plan is to remove everything to and including some whitespace,
1705   * but it deals with quotes and apostrophes as well.
1706   *
1707   * @since 1.0.0
1708   *
1709   * @param string $string
1710   * @return string
1711   */
1712  function wp_kses_html_error( $string ) {
1713      return preg_replace( '/^("[^"]*("|$)|\'[^\']*(\'|$)|\S)*\s*/', '', $string );
1714  }
1715  
1716  /**
1717   * Sanitizes content from bad protocols and other characters.
1718   *
1719   * This function searches for URL protocols at the beginning of the string, while
1720   * handling whitespace and HTML entities.
1721   *
1722   * @since 1.0.0
1723   *
1724   * @param string   $string            Content to check for bad protocols.
1725   * @param string[] $allowed_protocols Array of allowed URL protocols.
1726   * @param int      $count             Depth of call recursion to this function.
1727   * @return string Sanitized content.
1728   */
1729  function wp_kses_bad_protocol_once( $string, $allowed_protocols, $count = 1 ) {
1730      $string  = preg_replace( '/(&#0*58(?![;0-9])|&#x0*3a(?![;a-f0-9]))/i', '$1;', $string );
1731      $string2 = preg_split( '/:|&#0*58;|&#x0*3a;|&colon;/i', $string, 2 );
1732      if ( isset( $string2[1] ) && ! preg_match( '%/\?%', $string2[0] ) ) {
1733          $string   = trim( $string2[1] );
1734          $protocol = wp_kses_bad_protocol_once2( $string2[0], $allowed_protocols );
1735          if ( 'feed:' === $protocol ) {
1736              if ( $count > 2 ) {
1737                  return '';
1738              }
1739              $string = wp_kses_bad_protocol_once( $string, $allowed_protocols, ++$count );
1740              if ( empty( $string ) ) {
1741                  return $string;
1742              }
1743          }
1744          $string = $protocol . $string;
1745      }
1746  
1747      return $string;
1748  }
1749  
1750  /**
1751   * Callback for `wp_kses_bad_protocol_once()` regular expression.
1752   *
1753   * This function processes URL protocols, checks to see if they're in the
1754   * list of allowed protocols or not, and returns different data depending
1755   * on the answer.
1756   *
1757   * @access private
1758   * @ignore
1759   * @since 1.0.0
1760   *
1761   * @param string   $string            URI scheme to check against the list of allowed protocols.
1762   * @param string[] $allowed_protocols Array of allowed URL protocols.
1763   * @return string Sanitized content.
1764   */
1765  function wp_kses_bad_protocol_once2( $string, $allowed_protocols ) {
1766      $string2 = wp_kses_decode_entities( $string );
1767      $string2 = preg_replace( '/\s/', '', $string2 );
1768      $string2 = wp_kses_no_null( $string2 );
1769      $string2 = strtolower( $string2 );
1770  
1771      $allowed = false;
1772      foreach ( (array) $allowed_protocols as $one_protocol ) {
1773          if ( strtolower( $one_protocol ) == $string2 ) {
1774              $allowed = true;
1775              break;
1776          }
1777      }
1778  
1779      if ( $allowed ) {
1780          return "$string2:";
1781      } else {
1782          return '';
1783      }
1784  }
1785  
1786  /**
1787   * Converts and fixes HTML entities.
1788   *
1789   * This function normalizes HTML entities. It will convert `AT&T` to the correct
1790   * `AT&amp;T`, `&#00058;` to `&#058;`, `&#XYZZY;` to `&amp;#XYZZY;` and so on.
1791   *
1792   * When `$context` is set to 'xml', HTML entities are converted to their code points.  For
1793   * example, `AT&T&hellip;&#XYZZY;` is converted to `AT&amp;T…&amp;#XYZZY;`.
1794   *
1795   * @since 1.0.0
1796   * @since 5.5.0 Added `$context` parameter.
1797   *
1798   * @param string $string  Content to normalize entities.
1799   * @param string $context Context for normalization. Can be either 'html' or 'xml'.
1800   *                        Default 'html'.
1801   * @return string Content with normalized entities.
1802   */
1803  function wp_kses_normalize_entities( $string, $context = 'html' ) {
1804      // Disarm all entities by converting & to &amp;
1805      $string = str_replace( '&', '&amp;', $string );
1806  
1807      // Change back the allowed entities in our list of allowed entities.
1808      if ( 'xml' === $context ) {
1809          $string = preg_replace_callback( '/&amp;([A-Za-z]{2,8}[0-9]{0,2});/', 'wp_kses_xml_named_entities', $string );
1810      } else {
1811          $string = preg_replace_callback( '/&amp;([A-Za-z]{2,8}[0-9]{0,2});/', 'wp_kses_named_entities', $string );
1812      }
1813      $string = preg_replace_callback( '/&amp;#(0*[0-9]{1,7});/', 'wp_kses_normalize_entities2', $string );
1814      $string = preg_replace_callback( '/&amp;#[Xx](0*[0-9A-Fa-f]{1,6});/', 'wp_kses_normalize_entities3', $string );
1815  
1816      return $string;
1817  }
1818  
1819  /**
1820   * Callback for `wp_kses_normalize_entities()` regular expression.
1821   *
1822   * This function only accepts valid named entity references, which are finite,
1823   * case-sensitive, and highly scrutinized by HTML and XML validators.
1824   *
1825   * @since 3.0.0
1826   *
1827   * @global array $allowedentitynames
1828   *
1829   * @param array $matches preg_replace_callback() matches array.
1830   * @return string Correctly encoded entity.
1831   */
1832  function wp_kses_named_entities( $matches ) {
1833      global $allowedentitynames;
1834  
1835      if ( empty( $matches[1] ) ) {
1836          return '';
1837      }
1838  
1839      $i = $matches[1];
1840      return ( ! in_array( $i, $allowedentitynames, true ) ) ? "&amp;$i;" : "&$i;";
1841  }
1842  
1843  /**
1844   * Callback for `wp_kses_normalize_entities()` regular expression.
1845   *
1846   * This function only accepts valid named entity references, which are finite,
1847   * case-sensitive, and highly scrutinized by XML validators.  HTML named entity
1848   * references are converted to their code points.
1849   *
1850   * @since 5.5.0
1851   *
1852   * @global array $allowedentitynames
1853   * @global array $allowedxmlnamedentities
1854   *
1855   * @param array $matches preg_replace_callback() matches array.
1856   * @return string Correctly encoded entity.
1857   */
1858  function wp_kses_xml_named_entities( $matches ) {
1859      global $allowedentitynames, $allowedxmlnamedentities;
1860  
1861      if ( empty( $matches[1] ) ) {
1862          return '';
1863      }
1864  
1865      $i = $matches[1];
1866  
1867      if ( in_array( $i, $allowedxmlnamedentities, true ) ) {
1868          return "&$i;";
1869      } elseif ( in_array( $i, $allowedentitynames, true ) ) {
1870          return html_entity_decode( "&$i;", ENT_HTML5 );
1871      }
1872  
1873      return "&amp;$i;";
1874  }
1875  
1876  /**
1877   * Callback for `wp_kses_normalize_entities()` regular expression.
1878   *
1879   * This function helps `wp_kses_normalize_entities()` to only accept 16-bit
1880   * values and nothing more for `&#number;` entities.
1881   *
1882   * @access private
1883   * @ignore
1884   * @since 1.0.0
1885   *
1886   * @param array $matches `preg_replace_callback()` matches array.
1887   * @return string Correctly encoded entity.
1888   */
1889  function wp_kses_normalize_entities2( $matches ) {
1890      if ( empty( $matches[1] ) ) {
1891          return '';
1892      }
1893  
1894      $i = $matches[1];
1895      if ( valid_unicode( $i ) ) {
1896          $i = str_pad( ltrim( $i, '0' ), 3, '0', STR_PAD_LEFT );
1897          $i = "&#$i;";
1898      } else {
1899          $i = "&amp;#$i;";
1900      }
1901  
1902      return $i;
1903  }
1904  
1905  /**
1906   * Callback for `wp_kses_normalize_entities()` for regular expression.
1907   *
1908   * This function helps `wp_kses_normalize_entities()` to only accept valid Unicode
1909   * numeric entities in hex form.
1910   *
1911   * @since 2.7.0
1912   * @access private
1913   * @ignore
1914   *
1915   * @param array $matches `preg_replace_callback()` matches array.
1916   * @return string Correctly encoded entity.
1917   */
1918  function wp_kses_normalize_entities3( $matches ) {
1919      if ( empty( $matches[1] ) ) {
1920          return '';
1921      }
1922  
1923      $hexchars = $matches[1];
1924      return ( ! valid_unicode( hexdec( $hexchars ) ) ) ? "&amp;#x$hexchars;" : '&#x' . ltrim( $hexchars, '0' ) . ';';
1925  }
1926  
1927  /**
1928   * Determines if a Unicode codepoint is valid.
1929   *
1930   * @since 2.7.0
1931   *
1932   * @param int $i Unicode codepoint.
1933   * @return bool Whether or not the codepoint is a valid Unicode codepoint.
1934   */
1935  function valid_unicode( $i ) {
1936      return ( 0x9 == $i || 0xa == $i || 0xd == $i ||
1937              ( 0x20 <= $i && $i <= 0xd7ff ) ||
1938              ( 0xe000 <= $i && $i <= 0xfffd ) ||
1939              ( 0x10000 <= $i && $i <= 0x10ffff ) );
1940  }
1941  
1942  /**
1943   * Converts all numeric HTML entities to their named counterparts.
1944   *
1945   * This function decodes numeric HTML entities (`&#65;` and `&#x41;`).
1946   * It doesn't do anything with named entities like `&auml;`, but we don't
1947   * need them in the allowed URL protocols system anyway.
1948   *
1949   * @since 1.0.0
1950   *
1951   * @param string $string Content to change entities.
1952   * @return string Content after decoded entities.
1953   */
1954  function wp_kses_decode_entities( $string ) {
1955      $string = preg_replace_callback( '/&#([0-9]+);/', '_wp_kses_decode_entities_chr', $string );
1956      $string = preg_replace_callback( '/&#[Xx]([0-9A-Fa-f]+);/', '_wp_kses_decode_entities_chr_hexdec', $string );
1957  
1958      return $string;
1959  }
1960  
1961  /**
1962   * Regex callback for `wp_kses_decode_entities()`.
1963   *
1964   * @since 2.9.0
1965   * @access private
1966   * @ignore
1967   *
1968   * @param array $match preg match
1969   * @return string
1970   */
1971  function _wp_kses_decode_entities_chr( $match ) {
1972      return chr( $match[1] );
1973  }
1974  
1975  /**
1976   * Regex callback for `wp_kses_decode_entities()`.
1977   *
1978   * @since 2.9.0
1979   * @access private
1980   * @ignore
1981   *
1982   * @param array $match preg match
1983   * @return string
1984   */
1985  function _wp_kses_decode_entities_chr_hexdec( $match ) {
1986      return chr( hexdec( $match[1] ) );
1987  }
1988  
1989  /**
1990   * Sanitize content with allowed HTML KSES rules.
1991   *
1992   * This function expects slashed data.
1993   *
1994   * @since 1.0.0
1995   *
1996   * @param string $data Content to filter, expected to be escaped with slashes.
1997   * @return string Filtered content.
1998   */
1999  function wp_filter_kses( $data ) {
2000      return addslashes( wp_kses( stripslashes( $data ), current_filter() ) );
2001  }
2002  
2003  /**
2004   * Sanitize content with allowed HTML KSES rules.
2005   *
2006   * This function expects unslashed data.
2007   *
2008   * @since 2.9.0
2009   *
2010   * @param string $data Content to filter, expected to not be escaped.
2011   * @return string Filtered content.
2012   */
2013  function wp_kses_data( $data ) {
2014      return wp_kses( $data, current_filter() );
2015  }
2016  
2017  /**
2018   * Sanitizes content for allowed HTML tags for post content.
2019   *
2020   * Post content refers to the page contents of the 'post' type and not `$_POST`
2021   * data from forms.
2022   *
2023   * This function expects slashed data.
2024   *
2025   * @since 2.0.0
2026   *
2027   * @param string $data Post content to filter, expected to be escaped with slashes.
2028   * @return string Filtered post content with allowed HTML tags and attributes intact.
2029   */
2030  function wp_filter_post_kses( $data ) {
2031      return addslashes( wp_kses( stripslashes( $data ), 'post' ) );
2032  }
2033  
2034  /**
2035   * Sanitizes content for allowed HTML tags for post content.
2036   *
2037   * Post content refers to the page contents of the 'post' type and not `$_POST`
2038   * data from forms.
2039   *
2040   * This function expects unslashed data.
2041   *
2042   * @since 2.9.0
2043   *
2044   * @param string $data Post content to filter.
2045   * @return string Filtered post content with allowed HTML tags and attributes intact.
2046   */
2047  function wp_kses_post( $data ) {
2048      return wp_kses( $data, 'post' );
2049  }
2050  
2051  /**
2052   * Navigates through an array, object, or scalar, and sanitizes content for
2053   * allowed HTML tags for post content.
2054   *
2055   * @since 4.4.2
2056   *
2057   * @see map_deep()
2058   *
2059   * @param mixed $data The array, object, or scalar value to inspect.
2060   * @return mixed The filtered content.
2061   */
2062  function wp_kses_post_deep( $data ) {
2063      return map_deep( $data, 'wp_kses_post' );
2064  }
2065  
2066  /**
2067   * Strips all HTML from a text string.
2068   *
2069   * This function expects slashed data.
2070   *
2071   * @since 2.1.0
2072   *
2073   * @param string $data Content to strip all HTML from.
2074   * @return string Filtered content without any HTML.
2075   */
2076  function wp_filter_nohtml_kses( $data ) {
2077      return addslashes( wp_kses( stripslashes( $data ), 'strip' ) );
2078  }
2079  
2080  /**
2081   * Adds all KSES input form content filters.
2082   *
2083   * All hooks have default priority. The `wp_filter_kses()` function is added to
2084   * the 'pre_comment_content' and 'title_save_pre' hooks.
2085   *
2086   * The `wp_filter_post_kses()` function is added to the 'content_save_pre',
2087   * 'excerpt_save_pre', and 'content_filtered_save_pre' hooks.
2088   *
2089   * @since 2.0.0
2090   */
2091  function kses_init_filters() {
2092      // Normal filtering.
2093      add_filter( 'title_save_pre', 'wp_filter_kses' );
2094  
2095      // Comment filtering.
2096      if ( current_user_can( 'unfiltered_html' ) ) {
2097          add_filter( 'pre_comment_content', 'wp_filter_post_kses' );
2098      } else {
2099          add_filter( 'pre_comment_content', 'wp_filter_kses' );
2100      }
2101  
2102      // Post filtering.
2103      add_filter( 'content_save_pre', 'wp_filter_post_kses' );
2104      add_filter( 'excerpt_save_pre', 'wp_filter_post_kses' );
2105      add_filter( 'content_filtered_save_pre', 'wp_filter_post_kses' );
2106  }
2107  
2108  /**
2109   * Removes all KSES input form content filters.
2110   *
2111   * A quick procedural method to removing all of the filters that KSES uses for
2112   * content in WordPress Loop.
2113   *
2114   * Does not remove the `kses_init()` function from {@see 'init'} hook (priority is
2115   * default). Also does not remove `kses_init()` function from {@see 'set_current_user'}
2116   * hook (priority is also default).
2117   *
2118   * @since 2.0.6
2119   */
2120  function kses_remove_filters() {
2121      // Normal filtering.
2122      remove_filter( 'title_save_pre', 'wp_filter_kses' );
2123  
2124      // Comment filtering.
2125      remove_filter( 'pre_comment_content', 'wp_filter_post_kses' );
2126      remove_filter( 'pre_comment_content', 'wp_filter_kses' );
2127  
2128      // Post filtering.
2129      remove_filter( 'content_save_pre', 'wp_filter_post_kses' );
2130      remove_filter( 'excerpt_save_pre', 'wp_filter_post_kses' );
2131      remove_filter( 'content_filtered_save_pre', 'wp_filter_post_kses' );
2132  }
2133  
2134  /**
2135   * Sets up most of the KSES filters for input form content.
2136   *
2137   * First removes all of the KSES filters in case the current user does not need
2138   * to have KSES filter the content. If the user does not have `unfiltered_html`
2139   * capability, then KSES filters are added.
2140   *
2141   * @since 2.0.0
2142   */
2143  function kses_init() {
2144      kses_remove_filters();
2145  
2146      if ( ! current_user_can( 'unfiltered_html' ) ) {
2147          kses_init_filters();
2148      }
2149  }
2150  
2151  /**
2152   * Filters an inline style attribute and removes disallowed rules.
2153   *
2154   * @since 2.8.1
2155   * @since 4.4.0 Added support for `min-height`, `max-height`, `min-width`, and `max-width`.
2156   * @since 4.6.0 Added support for `list-style-type`.
2157   * @since 5.0.0 Added support for `background-image`.
2158   * @since 5.1.0 Added support for `text-transform`.
2159   * @since 5.2.0 Added support for `background-position` and `grid-template-columns`.
2160   * @since 5.3.0 Added support for `grid`, `flex` and `column` layout properties.
2161   *              Extend `background-*` support of individual properties.
2162   * @since 5.3.1 Added support for gradient backgrounds.
2163   * @since 5.7.1 Added support for `object-position`.
2164   * @since 5.8.0 Added support for `calc()` and `var()` values.
2165   *
2166   * @param string $css        A string of CSS rules.
2167   * @param string $deprecated Not used.
2168   * @return string Filtered string of CSS rules.
2169   */
2170  function safecss_filter_attr( $css, $deprecated = '' ) {
2171      if ( ! empty( $deprecated ) ) {
2172          _deprecated_argument( __FUNCTION__, '2.8.1' ); // Never implemented.
2173      }
2174  
2175      $css = wp_kses_no_null( $css );
2176      $css = str_replace( array( "\n", "\r", "\t" ), '', $css );
2177  
2178      $allowed_protocols = wp_allowed_protocols();
2179  
2180      $css_array = explode( ';', trim( $css ) );
2181  
2182      /**
2183       * Filters the list of allowed CSS attributes.
2184       *
2185       * @since 2.8.1
2186       *
2187       * @param string[] $attr Array of allowed CSS attributes.
2188       */
2189      $allowed_attr = apply_filters(
2190          'safe_style_css',
2191          array(
2192              'background',
2193              'background-color',
2194              'background-image',
2195              'background-position',
2196              'background-size',
2197              'background-attachment',
2198              'background-blend-mode',
2199  
2200              'border',
2201              'border-radius',
2202              'border-width',
2203              'border-color',
2204              'border-style',
2205              'border-right',
2206              'border-right-color',
2207              'border-right-style',
2208              'border-right-width',
2209              'border-bottom',
2210              'border-bottom-color',
2211              'border-bottom-style',
2212              'border-bottom-width',
2213              'border-left',
2214              'border-left-color',
2215              'border-left-style',
2216              'border-left-width',
2217              'border-top',
2218              'border-top-color',
2219              'border-top-style',
2220              'border-top-width',
2221  
2222              'border-spacing',
2223              'border-collapse',
2224              'caption-side',
2225  
2226              'columns',
2227              'column-count',
2228              'column-fill',
2229              'column-gap',
2230              'column-rule',
2231              'column-span',
2232              'column-width',
2233  
2234              'color',
2235              'font',
2236              'font-family',
2237              'font-size',
2238              'font-style',
2239              'font-variant',
2240              'font-weight',
2241              'letter-spacing',
2242              'line-height',
2243              'text-align',
2244              'text-decoration',
2245              'text-indent',
2246              'text-transform',
2247  
2248              'height',
2249              'min-height',
2250              'max-height',
2251  
2252              'width',
2253              'min-width',
2254              'max-width',
2255  
2256              'margin',
2257              'margin-right',
2258              'margin-bottom',
2259              'margin-left',
2260              'margin-top',
2261  
2262              'padding',
2263              'padding-right',
2264              'padding-bottom',
2265              'padding-left',
2266              'padding-top',
2267  
2268              'flex',
2269              'flex-basis',
2270              'flex-direction',
2271              'flex-flow',
2272              'flex-grow',
2273              'flex-shrink',
2274  
2275              'grid-template-columns',
2276              'grid-auto-columns',
2277              'grid-column-start',
2278              'grid-column-end',
2279              'grid-column-gap',
2280              'grid-template-rows',
2281              'grid-auto-rows',
2282              'grid-row-start',
2283              'grid-row-end',
2284              'grid-row-gap',
2285              'grid-gap',
2286  
2287              'justify-content',
2288              'justify-items',
2289              'justify-self',
2290              'align-content',
2291              'align-items',
2292              'align-self',
2293  
2294              'clear',
2295              'cursor',
2296              'direction',
2297              'float',
2298              'list-style-type',
2299              'object-position',
2300              'overflow',
2301              'vertical-align',
2302          )
2303      );
2304  
2305      /*
2306       * CSS attributes that accept URL data types.
2307       *
2308       * This is in accordance to the CSS spec and unrelated to
2309       * the sub-set of supported attributes above.
2310       *
2311       * See: https://developer.mozilla.org/en-US/docs/Web/CSS/url
2312       */
2313      $css_url_data_types = array(
2314          'background',
2315          'background-image',
2316  
2317          'cursor',
2318  
2319          'list-style',
2320          'list-style-image',
2321      );
2322  
2323      /*
2324       * CSS attributes that accept gradient data types.
2325       *
2326       */
2327      $css_gradient_data_types = array(
2328          'background',
2329          'background-image',
2330      );
2331  
2332      if ( empty( $allowed_attr ) ) {
2333          return $css;
2334      }
2335  
2336      $css = '';
2337      foreach ( $css_array as $css_item ) {
2338          if ( '' === $css_item ) {
2339              continue;
2340          }
2341  
2342          $css_item        = trim( $css_item );
2343          $css_test_string = $css_item;
2344          $found           = false;
2345          $url_attr        = false;
2346          $gradient_attr   = false;
2347  
2348          if ( strpos( $css_item, ':' ) === false ) {
2349              $found = true;
2350          } else {
2351              $parts        = explode( ':', $css_item, 2 );
2352              $css_selector = trim( $parts[0] );
2353  
2354              if ( in_array( $css_selector, $allowed_attr, true ) ) {
2355                  $found         = true;
2356                  $url_attr      = in_array( $css_selector, $css_url_data_types, true );
2357                  $gradient_attr = in_array( $css_selector, $css_gradient_data_types, true );
2358              }
2359          }
2360  
2361          if ( $found && $url_attr ) {
2362              // Simplified: matches the sequence `url(*)`.
2363              preg_match_all( '/url\([^)]+\)/', $parts[1], $url_matches );
2364  
2365              foreach ( $url_matches[0] as $url_match ) {
2366                  // Clean up the URL from each of the matches above.
2367                  preg_match( '/^url\(\s*([\'\"]?)(.*)(\g1)\s*\)$/', $url_match, $url_pieces );
2368  
2369                  if ( empty( $url_pieces[2] ) ) {
2370                      $found = false;
2371                      break;
2372                  }
2373  
2374                  $url = trim( $url_pieces[2] );
2375  
2376                  if ( empty( $url ) || wp_kses_bad_protocol( $url, $allowed_protocols ) !== $url ) {
2377                      $found = false;
2378                      break;
2379                  } else {
2380                      // Remove the whole `url(*)` bit that was matched above from the CSS.
2381                      $css_test_string = str_replace( $url_match, '', $css_test_string );
2382                  }
2383              }
2384          }
2385  
2386          if ( $found && $gradient_attr ) {
2387              $css_value = trim( $parts[1] );
2388              if ( preg_match( '/^(repeating-)?(linear|radial|conic)-gradient\(([^()]|rgb[a]?\([^()]*\))*\)$/', $css_value ) ) {
2389                  // Remove the whole `gradient` bit that was matched above from the CSS.
2390                  $css_test_string = str_replace( $css_value, '', $css_test_string );
2391              }
2392          }
2393  
2394          if ( $found ) {
2395              // Allow CSS calc().
2396              $css_test_string = preg_replace( '/calc\(((?:\([^()]*\)?|[^()])*)\)/', '', $css_test_string );
2397              // Allow CSS var().
2398              $css_test_string = preg_replace( '/\(?var\(--[a-zA-Z0-9_-]*\)/', '', $css_test_string );
2399  
2400              // Check for any CSS containing \ ( & } = or comments,
2401              // except for url(), calc(), or var() usage checked above.
2402              $allow_css = ! preg_match( '%[\\\(&=}]|/\*%', $css_test_string );
2403  
2404              /**
2405               * Filters the check for unsafe CSS in `safecss_filter_attr`.
2406               *
2407               * Enables developers to determine whether a section of CSS should be allowed or discarded.
2408               * By default, the value will be false if the part contains \ ( & } = or comments.
2409               * Return true to allow the CSS part to be included in the output.
2410               *
2411               * @since 5.5.0
2412               *
2413               * @param bool   $allow_css       Whether the CSS in the test string is considered safe.
2414               * @param string $css_test_string The CSS string to test.
2415               */
2416              $allow_css = apply_filters( 'safecss_filter_attr_allow_css', $allow_css, $css_test_string );
2417  
2418              // Only add the CSS part if it passes the regex check.
2419              if ( $allow_css ) {
2420                  if ( '' !== $css ) {
2421                      $css .= ';';
2422                  }
2423  
2424                  $css .= $css_item;
2425              }
2426          }
2427      }
2428  
2429      return $css;
2430  }
2431  
2432  /**
2433   * Helper function to add global attributes to a tag in the allowed HTML list.
2434   *
2435   * @since 3.5.0
2436   * @since 5.0.0 Add support for `data-*` wildcard attributes.
2437   * @access private
2438   * @ignore
2439   *
2440   * @param array $value An array of attributes.
2441   * @return array The array of attributes with global attributes added.
2442   */
2443  function _wp_add_global_attributes( $value ) {
2444      $global_attributes = array(
2445          'aria-describedby' => true,
2446          'aria-details'     => true,
2447          'aria-label'       => true,
2448          'aria-labelledby'  => true,
2449          'aria-hidden'      => true,
2450          'class'            => true,
2451          'id'               => true,
2452          'style'            => true,
2453          'title'            => true,
2454          'role'             => true,
2455          'data-*'           => true,
2456      );
2457  
2458      if ( true === $value ) {
2459          $value = array();
2460      }
2461  
2462      if ( is_array( $value ) ) {
2463          return array_merge( $value, $global_attributes );
2464      }
2465  
2466      return $value;
2467  }


Generated: Sun Oct 17 01:00:03 2021 Cross-referenced by PHPXref 0.7.1