[ Index ]

PHP Cross Reference of WordPress

title

Body

[close]

/wp-includes/ -> kses.php (source)

   1  <?php
   2  /**
   3   * kses 0.2.2 - HTML/XHTML filter that only allows some elements and attributes
   4   * Copyright (C) 2002, 2003, 2005  Ulf Harnhammar
   5   *
   6   * This program is free software and open source software; you can redistribute
   7   * it and/or modify it under the terms of the GNU General Public License as
   8   * published by the Free Software Foundation; either version 2 of the License,
   9   * or (at your option) any later version.
  10   *
  11   * This program is distributed in the hope that it will be useful, but WITHOUT
  12   * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13   * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
  14   * more details.
  15   *
  16   * You should have received a copy of the GNU General Public License along
  17   * with this program; if not, write to the Free Software Foundation, Inc.,
  18   * 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
  19   * http://www.gnu.org/licenses/gpl.html
  20   *
  21   * [kses strips evil scripts!]
  22   *
  23   * Added wp_ prefix to avoid conflicts with existing kses users
  24   *
  25   * @version 0.2.2
  26   * @copyright (C) 2002, 2003, 2005
  27   * @author Ulf Harnhammar <http://advogato.org/person/metaur/>
  28   *
  29   * @package External
  30   * @subpackage KSES
  31   */
  32  
  33  /**
  34   * Specifies the default allowable HTML tags.
  35   *
  36   * Using `CUSTOM_TAGS` is not recommended and should be considered deprecated. The
  37   * {@see 'wp_kses_allowed_html'} filter is more powerful and supplies context.
  38   *
  39   * @see wp_kses_allowed_html()
  40   * @since 1.2.0
  41   *
  42   * @var array[]|false Array of default allowable HTML tags, or false to use the defaults.
  43   */
  44  if ( ! defined( 'CUSTOM_TAGS' ) ) {
  45      define( 'CUSTOM_TAGS', false );
  46  }
  47  
  48  // Ensure that these variables are added to the global namespace
  49  // (e.g. if using namespaces / autoload in the current PHP environment).
  50  global $allowedposttags, $allowedtags, $allowedentitynames, $allowedxmlentitynames;
  51  
  52  if ( ! CUSTOM_TAGS ) {
  53      /**
  54       * KSES global for default allowable HTML tags.
  55       *
  56       * Can be overridden with the `CUSTOM_TAGS` constant.
  57       *
  58       * @var array[] $allowedposttags Array of default allowable HTML tags.
  59       * @since 2.0.0
  60       */
  61      $allowedposttags = array(
  62          'address'    => array(),
  63          'a'          => array(
  64              'href'     => true,
  65              'rel'      => true,
  66              'rev'      => true,
  67              'name'     => true,
  68              'target'   => true,
  69              'download' => array(
  70                  'valueless' => 'y',
  71              ),
  72          ),
  73          'abbr'       => array(),
  74          'acronym'    => array(),
  75          'area'       => array(
  76              'alt'    => true,
  77              'coords' => true,
  78              'href'   => true,
  79              'nohref' => true,
  80              'shape'  => true,
  81              'target' => true,
  82          ),
  83          'article'    => array(
  84              'align'    => true,
  85              'dir'      => true,
  86              'lang'     => true,
  87              'xml:lang' => true,
  88          ),
  89          'aside'      => array(
  90              'align'    => true,
  91              'dir'      => true,
  92              'lang'     => true,
  93              'xml:lang' => true,
  94          ),
  95          'audio'      => array(
  96              'autoplay' => true,
  97              'controls' => true,
  98              'loop'     => true,
  99              'muted'    => true,
 100              'preload'  => true,
 101              'src'      => true,
 102          ),
 103          'b'          => array(),
 104          'bdo'        => array(
 105              'dir' => true,
 106          ),
 107          'big'        => array(),
 108          'blockquote' => array(
 109              'cite'     => true,
 110              'lang'     => true,
 111              'xml:lang' => true,
 112          ),
 113          'br'         => array(),
 114          'button'     => array(
 115              'disabled' => true,
 116              'name'     => true,
 117              'type'     => true,
 118              'value'    => true,
 119          ),
 120          'caption'    => array(
 121              'align' => true,
 122          ),
 123          'cite'       => array(
 124              'dir'  => true,
 125              'lang' => true,
 126          ),
 127          'code'       => array(),
 128          'col'        => array(
 129              'align'   => true,
 130              'char'    => true,
 131              'charoff' => true,
 132              'span'    => true,
 133              'dir'     => true,
 134              'valign'  => true,
 135              'width'   => true,
 136          ),
 137          'colgroup'   => array(
 138              'align'   => true,
 139              'char'    => true,
 140              'charoff' => true,
 141              'span'    => true,
 142              'valign'  => true,
 143              'width'   => true,
 144          ),
 145          'del'        => array(
 146              'datetime' => true,
 147          ),
 148          'dd'         => array(),
 149          'dfn'        => array(),
 150          'details'    => array(
 151              'align'    => true,
 152              'dir'      => true,
 153              'lang'     => true,
 154              'open'     => true,
 155              'xml:lang' => true,
 156          ),
 157          'div'        => array(
 158              'align'    => true,
 159              'dir'      => true,
 160              'lang'     => true,
 161              'xml:lang' => true,
 162          ),
 163          'dl'         => array(),
 164          'dt'         => array(),
 165          'em'         => array(),
 166          'fieldset'   => array(),
 167          'figure'     => array(
 168              'align'    => true,
 169              'dir'      => true,
 170              'lang'     => true,
 171              'xml:lang' => true,
 172          ),
 173          'figcaption' => array(
 174              'align'    => true,
 175              'dir'      => true,
 176              'lang'     => true,
 177              'xml:lang' => true,
 178          ),
 179          'font'       => array(
 180              'color' => true,
 181              'face'  => true,
 182              'size'  => true,
 183          ),
 184          'footer'     => array(
 185              'align'    => true,
 186              'dir'      => true,
 187              'lang'     => true,
 188              'xml:lang' => true,
 189          ),
 190          'h1'         => array(
 191              'align' => true,
 192          ),
 193          'h2'         => array(
 194              'align' => true,
 195          ),
 196          'h3'         => array(
 197              'align' => true,
 198          ),
 199          'h4'         => array(
 200              'align' => true,
 201          ),
 202          'h5'         => array(
 203              'align' => true,
 204          ),
 205          'h6'         => array(
 206              'align' => true,
 207          ),
 208          'header'     => array(
 209              'align'    => true,
 210              'dir'      => true,
 211              'lang'     => true,
 212              'xml:lang' => true,
 213          ),
 214          'hgroup'     => array(
 215              'align'    => true,
 216              'dir'      => true,
 217              'lang'     => true,
 218              'xml:lang' => true,
 219          ),
 220          'hr'         => array(
 221              'align'   => true,
 222              'noshade' => true,
 223              'size'    => true,
 224              'width'   => true,
 225          ),
 226          'i'          => array(),
 227          'img'        => array(
 228              'alt'      => true,
 229              'align'    => true,
 230              'border'   => true,
 231              'height'   => true,
 232              'hspace'   => true,
 233              'loading'  => true,
 234              'longdesc' => true,
 235              'vspace'   => true,
 236              'src'      => true,
 237              'usemap'   => true,
 238              'width'    => true,
 239          ),
 240          'ins'        => array(
 241              'datetime' => true,
 242              'cite'     => true,
 243          ),
 244          'kbd'        => array(),
 245          'label'      => array(
 246              'for' => true,
 247          ),
 248          'legend'     => array(
 249              'align' => true,
 250          ),
 251          'li'         => array(
 252              'align' => true,
 253              'value' => true,
 254          ),
 255          'main'       => array(
 256              'align'    => true,
 257              'dir'      => true,
 258              'lang'     => true,
 259              'xml:lang' => true,
 260          ),
 261          'map'        => array(
 262              'name' => true,
 263          ),
 264          'mark'       => array(),
 265          'menu'       => array(
 266              'type' => true,
 267          ),
 268          'nav'        => array(
 269              'align'    => true,
 270              'dir'      => true,
 271              'lang'     => true,
 272              'xml:lang' => true,
 273          ),
 274          'p'          => array(
 275              'align'    => true,
 276              'dir'      => true,
 277              'lang'     => true,
 278              'xml:lang' => true,
 279          ),
 280          'pre'        => array(
 281              'width' => true,
 282          ),
 283          'q'          => array(
 284              'cite' => true,
 285          ),
 286          's'          => array(),
 287          'samp'       => array(),
 288          'span'       => array(
 289              'dir'      => true,
 290              'align'    => true,
 291              'lang'     => true,
 292              'xml:lang' => true,
 293          ),
 294          'section'    => array(
 295              'align'    => true,
 296              'dir'      => true,
 297              'lang'     => true,
 298              'xml:lang' => true,
 299          ),
 300          'small'      => array(),
 301          'strike'     => array(),
 302          'strong'     => array(),
 303          'sub'        => array(),
 304          'summary'    => array(
 305              'align'    => true,
 306              'dir'      => true,
 307              'lang'     => true,
 308              'xml:lang' => true,
 309          ),
 310          'sup'        => array(),
 311          'table'      => array(
 312              'align'       => true,
 313              'bgcolor'     => true,
 314              'border'      => true,
 315              'cellpadding' => true,
 316              'cellspacing' => true,
 317              'dir'         => true,
 318              'rules'       => true,
 319              'summary'     => true,
 320              'width'       => true,
 321          ),
 322          'tbody'      => array(
 323              'align'   => true,
 324              'char'    => true,
 325              'charoff' => true,
 326              'valign'  => true,
 327          ),
 328          'td'         => array(
 329              'abbr'    => true,
 330              'align'   => true,
 331              'axis'    => true,
 332              'bgcolor' => true,
 333              'char'    => true,
 334              'charoff' => true,
 335              'colspan' => true,
 336              'dir'     => true,
 337              'headers' => true,
 338              'height'  => true,
 339              'nowrap'  => true,
 340              'rowspan' => true,
 341              'scope'   => true,
 342              'valign'  => true,
 343              'width'   => true,
 344          ),
 345          'textarea'   => array(
 346              'cols'     => true,
 347              'rows'     => true,
 348              'disabled' => true,
 349              'name'     => true,
 350              'readonly' => true,
 351          ),
 352          'tfoot'      => array(
 353              'align'   => true,
 354              'char'    => true,
 355              'charoff' => true,
 356              'valign'  => true,
 357          ),
 358          'th'         => array(
 359              'abbr'    => true,
 360              'align'   => true,
 361              'axis'    => true,
 362              'bgcolor' => true,
 363              'char'    => true,
 364              'charoff' => true,
 365              'colspan' => true,
 366              'headers' => true,
 367              'height'  => true,
 368              'nowrap'  => true,
 369              'rowspan' => true,
 370              'scope'   => true,
 371              'valign'  => true,
 372              'width'   => true,
 373          ),
 374          'thead'      => array(
 375              'align'   => true,
 376              'char'    => true,
 377              'charoff' => true,
 378              'valign'  => true,
 379          ),
 380          'title'      => array(),
 381          'tr'         => array(
 382              'align'   => true,
 383              'bgcolor' => true,
 384              'char'    => true,
 385              'charoff' => true,
 386              'valign'  => true,
 387          ),
 388          'track'      => array(
 389              'default' => true,
 390              'kind'    => true,
 391              'label'   => true,
 392              'src'     => true,
 393              'srclang' => true,
 394          ),
 395          'tt'         => array(),
 396          'u'          => array(),
 397          'ul'         => array(
 398              'type' => true,
 399          ),
 400          'ol'         => array(
 401              'start'    => true,
 402              'type'     => true,
 403              'reversed' => true,
 404          ),
 405          'var'        => array(),
 406          'video'      => array(
 407              'autoplay'    => true,
 408              'controls'    => true,
 409              'height'      => true,
 410              'loop'        => true,
 411              'muted'       => true,
 412              'playsinline' => true,
 413              'poster'      => true,
 414              'preload'     => true,
 415              'src'         => true,
 416              'width'       => true,
 417          ),
 418      );
 419  
 420      /**
 421       * @var array[] $allowedtags Array of KSES allowed HTML elements.
 422       * @since 1.0.0
 423       */
 424      $allowedtags = array(
 425          'a'          => array(
 426              'href'  => true,
 427              'title' => true,
 428          ),
 429          'abbr'       => array(
 430              'title' => true,
 431          ),
 432          'acronym'    => array(
 433              'title' => true,
 434          ),
 435          'b'          => array(),
 436          'blockquote' => array(
 437              'cite' => true,
 438          ),
 439          'cite'       => array(),
 440          'code'       => array(),
 441          'del'        => array(
 442              'datetime' => true,
 443          ),
 444          'em'         => array(),
 445          'i'          => array(),
 446          'q'          => array(
 447              'cite' => true,
 448          ),
 449          's'          => array(),
 450          'strike'     => array(),
 451          'strong'     => array(),
 452      );
 453  
 454      /**
 455       * @var string[] $allowedentitynames Array of KSES allowed HTML entitity names.
 456       * @since 1.0.0
 457       */
 458      $allowedentitynames = array(
 459          'nbsp',
 460          'iexcl',
 461          'cent',
 462          'pound',
 463          'curren',
 464          'yen',
 465          'brvbar',
 466          'sect',
 467          'uml',
 468          'copy',
 469          'ordf',
 470          'laquo',
 471          'not',
 472          'shy',
 473          'reg',
 474          'macr',
 475          'deg',
 476          'plusmn',
 477          'acute',
 478          'micro',
 479          'para',
 480          'middot',
 481          'cedil',
 482          'ordm',
 483          'raquo',
 484          'iquest',
 485          'Agrave',
 486          'Aacute',
 487          'Acirc',
 488          'Atilde',
 489          'Auml',
 490          'Aring',
 491          'AElig',
 492          'Ccedil',
 493          'Egrave',
 494          'Eacute',
 495          'Ecirc',
 496          'Euml',
 497          'Igrave',
 498          'Iacute',
 499          'Icirc',
 500          'Iuml',
 501          'ETH',
 502          'Ntilde',
 503          'Ograve',
 504          'Oacute',
 505          'Ocirc',
 506          'Otilde',
 507          'Ouml',
 508          'times',
 509          'Oslash',
 510          'Ugrave',
 511          'Uacute',
 512          'Ucirc',
 513          'Uuml',
 514          'Yacute',
 515          'THORN',
 516          'szlig',
 517          'agrave',
 518          'aacute',
 519          'acirc',
 520          'atilde',
 521          'auml',
 522          'aring',
 523          'aelig',
 524          'ccedil',
 525          'egrave',
 526          'eacute',
 527          'ecirc',
 528          'euml',
 529          'igrave',
 530          'iacute',
 531          'icirc',
 532          'iuml',
 533          'eth',
 534          'ntilde',
 535          'ograve',
 536          'oacute',
 537          'ocirc',
 538          'otilde',
 539          'ouml',
 540          'divide',
 541          'oslash',
 542          'ugrave',
 543          'uacute',
 544          'ucirc',
 545          'uuml',
 546          'yacute',
 547          'thorn',
 548          'yuml',
 549          'quot',
 550          'amp',
 551          'lt',
 552          'gt',
 553          'apos',
 554          'OElig',
 555          'oelig',
 556          'Scaron',
 557          'scaron',
 558          'Yuml',
 559          'circ',
 560          'tilde',
 561          'ensp',
 562          'emsp',
 563          'thinsp',
 564          'zwnj',
 565          'zwj',
 566          'lrm',
 567          'rlm',
 568          'ndash',
 569          'mdash',
 570          'lsquo',
 571          'rsquo',
 572          'sbquo',
 573          'ldquo',
 574          'rdquo',
 575          'bdquo',
 576          'dagger',
 577          'Dagger',
 578          'permil',
 579          'lsaquo',
 580          'rsaquo',
 581          'euro',
 582          'fnof',
 583          'Alpha',
 584          'Beta',
 585          'Gamma',
 586          'Delta',
 587          'Epsilon',
 588          'Zeta',
 589          'Eta',
 590          'Theta',
 591          'Iota',
 592          'Kappa',
 593          'Lambda',
 594          'Mu',
 595          'Nu',
 596          'Xi',
 597          'Omicron',
 598          'Pi',
 599          'Rho',
 600          'Sigma',
 601          'Tau',
 602          'Upsilon',
 603          'Phi',
 604          'Chi',
 605          'Psi',
 606          'Omega',
 607          'alpha',
 608          'beta',
 609          'gamma',
 610          'delta',
 611          'epsilon',
 612          'zeta',
 613          'eta',
 614          'theta',
 615          'iota',
 616          'kappa',
 617          'lambda',
 618          'mu',
 619          'nu',
 620          'xi',
 621          'omicron',
 622          'pi',
 623          'rho',
 624          'sigmaf',
 625          'sigma',
 626          'tau',
 627          'upsilon',
 628          'phi',
 629          'chi',
 630          'psi',
 631          'omega',
 632          'thetasym',
 633          'upsih',
 634          'piv',
 635          'bull',
 636          'hellip',
 637          'prime',
 638          'Prime',
 639          'oline',
 640          'frasl',
 641          'weierp',
 642          'image',
 643          'real',
 644          'trade',
 645          'alefsym',
 646          'larr',
 647          'uarr',
 648          'rarr',
 649          'darr',
 650          'harr',
 651          'crarr',
 652          'lArr',
 653          'uArr',
 654          'rArr',
 655          'dArr',
 656          'hArr',
 657          'forall',
 658          'part',
 659          'exist',
 660          'empty',
 661          'nabla',
 662          'isin',
 663          'notin',
 664          'ni',
 665          'prod',
 666          'sum',
 667          'minus',
 668          'lowast',
 669          'radic',
 670          'prop',
 671          'infin',
 672          'ang',
 673          'and',
 674          'or',
 675          'cap',
 676          'cup',
 677          'int',
 678          'sim',
 679          'cong',
 680          'asymp',
 681          'ne',
 682          'equiv',
 683          'le',
 684          'ge',
 685          'sub',
 686          'sup',
 687          'nsub',
 688          'sube',
 689          'supe',
 690          'oplus',
 691          'otimes',
 692          'perp',
 693          'sdot',
 694          'lceil',
 695          'rceil',
 696          'lfloor',
 697          'rfloor',
 698          'lang',
 699          'rang',
 700          'loz',
 701          'spades',
 702          'clubs',
 703          'hearts',
 704          'diams',
 705          'sup1',
 706          'sup2',
 707          'sup3',
 708          'frac14',
 709          'frac12',
 710          'frac34',
 711          'there4',
 712      );
 713  
 714      /**
 715       * @var string[] $allowedxmlentitynames Array of KSES allowed XML entitity names.
 716       * @since 5.5.0
 717       */
 718      $allowedxmlnamedentities = array(
 719          'amp',
 720          'lt',
 721          'gt',
 722          'apos',
 723          'quot',
 724      );
 725  
 726      $allowedposttags = array_map( '_wp_add_global_attributes', $allowedposttags );
 727  } else {
 728      $allowedtags     = wp_kses_array_lc( $allowedtags );
 729      $allowedposttags = wp_kses_array_lc( $allowedposttags );
 730  }
 731  
 732  /**
 733   * Filters text content and strips out disallowed HTML.
 734   *
 735   * This function makes sure that only the allowed HTML element names, attribute
 736   * names, attribute values, and HTML entities will occur in the given text string.
 737   *
 738   * This function expects unslashed data.
 739   *
 740   * @see wp_kses_post() for specifically filtering post content and fields.
 741   * @see wp_allowed_protocols() for the default allowed protocols in link URLs.
 742   *
 743   * @since 1.0.0
 744   *
 745   * @param string         $string            Text content to filter.
 746   * @param array[]|string $allowed_html      An array of allowed HTML elements and attributes,
 747   *                                          or a context name such as 'post'. See wp_kses_allowed_html()
 748   *                                          for the list of accepted context names.
 749   * @param string[]       $allowed_protocols Array of allowed URL protocols.
 750   * @return string Filtered content containing only the allowed HTML.
 751   */
 752  function wp_kses( $string, $allowed_html, $allowed_protocols = array() ) {
 753      if ( empty( $allowed_protocols ) ) {
 754          $allowed_protocols = wp_allowed_protocols();
 755      }
 756  
 757      $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
 758      $string = wp_kses_normalize_entities( $string );
 759      $string = wp_kses_hook( $string, $allowed_html, $allowed_protocols );
 760  
 761      return wp_kses_split( $string, $allowed_html, $allowed_protocols );
 762  }
 763  
 764  /**
 765   * Filters one HTML attribute and ensures its value is allowed.
 766   *
 767   * This function can escape data in some situations where `wp_kses()` must strip the whole attribute.
 768   *
 769   * @since 4.2.3
 770   *
 771   * @param string $string  The 'whole' attribute, including name and value.
 772   * @param string $element The HTML element name to which the attribute belongs.
 773   * @return string Filtered attribute.
 774   */
 775  function wp_kses_one_attr( $string, $element ) {
 776      $uris              = wp_kses_uri_attributes();
 777      $allowed_html      = wp_kses_allowed_html( 'post' );
 778      $allowed_protocols = wp_allowed_protocols();
 779      $string            = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
 780  
 781      // Preserve leading and trailing whitespace.
 782      $matches = array();
 783      preg_match( '/^\s*/', $string, $matches );
 784      $lead = $matches[0];
 785      preg_match( '/\s*$/', $string, $matches );
 786      $trail = $matches[0];
 787      if ( empty( $trail ) ) {
 788          $string = substr( $string, strlen( $lead ) );
 789      } else {
 790          $string = substr( $string, strlen( $lead ), -strlen( $trail ) );
 791      }
 792  
 793      // Parse attribute name and value from input.
 794      $split = preg_split( '/\s*=\s*/', $string, 2 );
 795      $name  = $split[0];
 796      if ( count( $split ) == 2 ) {
 797          $value = $split[1];
 798  
 799          // Remove quotes surrounding $value.
 800          // Also guarantee correct quoting in $string for this one attribute.
 801          if ( '' === $value ) {
 802              $quote = '';
 803          } else {
 804              $quote = $value[0];
 805          }
 806          if ( '"' === $quote || "'" === $quote ) {
 807              if ( substr( $value, -1 ) != $quote ) {
 808                  return '';
 809              }
 810              $value = substr( $value, 1, -1 );
 811          } else {
 812              $quote = '"';
 813          }
 814  
 815          // Sanitize quotes, angle braces, and entities.
 816          $value = esc_attr( $value );
 817  
 818          // Sanitize URI values.
 819          if ( in_array( strtolower( $name ), $uris, true ) ) {
 820              $value = wp_kses_bad_protocol( $value, $allowed_protocols );
 821          }
 822  
 823          $string = "$name=$quote$value$quote";
 824          $vless  = 'n';
 825      } else {
 826          $value = '';
 827          $vless = 'y';
 828      }
 829  
 830      // Sanitize attribute by name.
 831      wp_kses_attr_check( $name, $value, $string, $vless, $element, $allowed_html );
 832  
 833      // Restore whitespace.
 834      return $lead . $string . $trail;
 835  }
 836  
 837  /**
 838   * Returns an array of allowed HTML tags and attributes for a given context.
 839   *
 840   * @since 3.5.0
 841   * @since 5.0.1 `form` removed as allowable HTML tag.
 842   *
 843   * @global array $allowedposttags
 844   * @global array $allowedtags
 845   * @global array $allowedentitynames
 846   *
 847   * @param string|array $context The context for which to retrieve tags. Allowed values are 'post',
 848   *                              'strip', 'data', 'entities', or the name of a field filter such as
 849   *                              'pre_user_description'.
 850   * @return array Array of allowed HTML tags and their allowed attributes.
 851   */
 852  function wp_kses_allowed_html( $context = '' ) {
 853      global $allowedposttags, $allowedtags, $allowedentitynames;
 854  
 855      if ( is_array( $context ) ) {
 856          /**
 857           * Filters the HTML tags that are allowed for a given context.
 858           *
 859           * @since 3.5.0
 860           *
 861           * @param array[]|string $context      Context to judge allowed tags by.
 862           * @param string         $context_type Context name.
 863           */
 864          return apply_filters( 'wp_kses_allowed_html', $context, 'explicit' );
 865      }
 866  
 867      switch ( $context ) {
 868          case 'post':
 869              /** This filter is documented in wp-includes/kses.php */
 870              $tags = apply_filters( 'wp_kses_allowed_html', $allowedposttags, $context );
 871  
 872              // 5.0.1 removed the `<form>` tag, allow it if a filter is allowing it's sub-elements `<input>` or `<select>`.
 873              if ( ! CUSTOM_TAGS && ! isset( $tags['form'] ) && ( isset( $tags['input'] ) || isset( $tags['select'] ) ) ) {
 874                  $tags = $allowedposttags;
 875  
 876                  $tags['form'] = array(
 877                      'action'         => true,
 878                      'accept'         => true,
 879                      'accept-charset' => true,
 880                      'enctype'        => true,
 881                      'method'         => true,
 882                      'name'           => true,
 883                      'target'         => true,
 884                  );
 885  
 886                  /** This filter is documented in wp-includes/kses.php */
 887                  $tags = apply_filters( 'wp_kses_allowed_html', $tags, $context );
 888              }
 889  
 890              return $tags;
 891  
 892          case 'user_description':
 893          case 'pre_user_description':
 894              $tags             = $allowedtags;
 895              $tags['a']['rel'] = true;
 896              /** This filter is documented in wp-includes/kses.php */
 897              return apply_filters( 'wp_kses_allowed_html', $tags, $context );
 898  
 899          case 'strip':
 900              /** This filter is documented in wp-includes/kses.php */
 901              return apply_filters( 'wp_kses_allowed_html', array(), $context );
 902  
 903          case 'entities':
 904              /** This filter is documented in wp-includes/kses.php */
 905              return apply_filters( 'wp_kses_allowed_html', $allowedentitynames, $context );
 906  
 907          case 'data':
 908          default:
 909              /** This filter is documented in wp-includes/kses.php */
 910              return apply_filters( 'wp_kses_allowed_html', $allowedtags, $context );
 911      }
 912  }
 913  
 914  /**
 915   * You add any KSES hooks here.
 916   *
 917   * There is currently only one KSES WordPress hook, {@see 'pre_kses'}, and it is called here.
 918   * All parameters are passed to the hooks and expected to receive a string.
 919   *
 920   * @since 1.0.0
 921   *
 922   * @param string         $string            Content to filter through KSES.
 923   * @param array[]|string $allowed_html      An array of allowed HTML elements and attributes,
 924   *                                          or a context name such as 'post'. See wp_kses_allowed_html()
 925   *                                          for the list of accepted context names.
 926   * @param string[]       $allowed_protocols Array of allowed URL protocols.
 927   * @return string Filtered content through {@see 'pre_kses'} hook.
 928   */
 929  function wp_kses_hook( $string, $allowed_html, $allowed_protocols ) {
 930      /**
 931       * Filters content to be run through KSES.
 932       *
 933       * @since 2.3.0
 934       *
 935       * @param string         $string            Content to filter through KSES.
 936       * @param array[]|string $allowed_html      An array of allowed HTML elements and attributes,
 937       *                                          or a context name such as 'post'. See wp_kses_allowed_html()
 938       *                                          for the list of accepted context names.
 939       * @param string[]       $allowed_protocols Array of allowed URL protocols.
 940       */
 941      return apply_filters( 'pre_kses', $string, $allowed_html, $allowed_protocols );
 942  }
 943  
 944  /**
 945   * Returns the version number of KSES.
 946   *
 947   * @since 1.0.0
 948   *
 949   * @return string KSES version number.
 950   */
 951  function wp_kses_version() {
 952      return '0.2.2';
 953  }
 954  
 955  /**
 956   * Searches for HTML tags, no matter how malformed.
 957   *
 958   * It also matches stray `>` characters.
 959   *
 960   * @since 1.0.0
 961   *
 962   * @global array[]|string $pass_allowed_html      An array of allowed HTML elements and attributes,
 963   *                                                or a context name such as 'post'.
 964   * @global string[]       $pass_allowed_protocols Array of allowed URL protocols.
 965   *
 966   * @param string         $string            Content to filter.
 967   * @param array[]|string $allowed_html      An array of allowed HTML elements and attributes,
 968   *                                          or a context name such as 'post'. See wp_kses_allowed_html()
 969   *                                          for the list of accepted context names.
 970   * @param string[]       $allowed_protocols Array of allowed URL protocols.
 971   * @return string Content with fixed HTML tags
 972   */
 973  function wp_kses_split( $string, $allowed_html, $allowed_protocols ) {
 974      global $pass_allowed_html, $pass_allowed_protocols;
 975  
 976      $pass_allowed_html      = $allowed_html;
 977      $pass_allowed_protocols = $allowed_protocols;
 978  
 979      return preg_replace_callback( '%(<!--.*?(-->|$))|(<[^>]*(>|$)|>)%', '_wp_kses_split_callback', $string );
 980  }
 981  
 982  /**
 983   * Returns an array of HTML attribute names whose value contains a URL.
 984   *
 985   * This function returns a list of all HTML attributes that must contain
 986   * a URL according to the HTML specification.
 987   *
 988   * This list includes URI attributes both allowed and disallowed by KSES.
 989   *
 990   * @link https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes
 991   *
 992   * @since 5.0.1
 993   *
 994   * @return string[] HTML attribute names whose value contains a URL.
 995   */
 996  function wp_kses_uri_attributes() {
 997      $uri_attributes = array(
 998          'action',
 999          'archive',
1000          'background',
1001          'cite',
1002          'classid',
1003          'codebase',
1004          'data',
1005          'formaction',
1006          'href',
1007          'icon',
1008          'longdesc',
1009          'manifest',
1010          'poster',
1011          'profile',
1012          'src',
1013          'usemap',
1014          'xmlns',
1015      );
1016  
1017      /**
1018       * Filters the list of attributes that are required to contain a URL.
1019       *
1020       * Use this filter to add any `data-` attributes that are required to be
1021       * validated as a URL.
1022       *
1023       * @since 5.0.1
1024       *
1025       * @param string[] $uri_attributes HTML attribute names whose value contains a URL.
1026       */
1027      $uri_attributes = apply_filters( 'wp_kses_uri_attributes', $uri_attributes );
1028  
1029      return $uri_attributes;
1030  }
1031  
1032  /**
1033   * Callback for `wp_kses_split()`.
1034   *
1035   * @since 3.1.0
1036   * @access private
1037   * @ignore
1038   *
1039   * @global array[]|string $pass_allowed_html      An array of allowed HTML elements and attributes,
1040   *                                                or a context name such as 'post'.
1041   * @global string[]       $pass_allowed_protocols Array of allowed URL protocols.
1042   *
1043   * @param array $match preg_replace regexp matches
1044   * @return string
1045   */
1046  function _wp_kses_split_callback( $match ) {
1047      global $pass_allowed_html, $pass_allowed_protocols;
1048  
1049      return wp_kses_split2( $match[0], $pass_allowed_html, $pass_allowed_protocols );
1050  }
1051  
1052  /**
1053   * Callback for `wp_kses_split()` for fixing malformed HTML tags.
1054   *
1055   * This function does a lot of work. It rejects some very malformed things like
1056   * `<:::>`. It returns an empty string, if the element isn't allowed (look ma, no
1057   * `strip_tags()`!). Otherwise it splits the tag into an element and an attribute
1058   * list.
1059   *
1060   * After the tag is split into an element and an attribute list, it is run
1061   * through another filter which will remove illegal attributes and once that is
1062   * completed, will be returned.
1063   *
1064   * @access private
1065   * @ignore
1066   * @since 1.0.0
1067   *
1068   * @param string         $string            Content to filter.
1069   * @param array[]|string $allowed_html      An array of allowed HTML elements and attributes,
1070   *                                          or a context name such as 'post'. See wp_kses_allowed_html()
1071   *                                          for the list of accepted context names.
1072   * @param string[]       $allowed_protocols Array of allowed URL protocols.
1073   * @return string Fixed HTML element
1074   */
1075  function wp_kses_split2( $string, $allowed_html, $allowed_protocols ) {
1076      $string = wp_kses_stripslashes( $string );
1077  
1078      // It matched a ">" character.
1079      if ( '<' !== substr( $string, 0, 1 ) ) {
1080          return '&gt;';
1081      }
1082  
1083      // Allow HTML comments.
1084      if ( '<!--' === substr( $string, 0, 4 ) ) {
1085          $string = str_replace( array( '<!--', '-->' ), '', $string );
1086          while ( ( $newstring = wp_kses( $string, $allowed_html, $allowed_protocols ) ) != $string ) {
1087              $string = $newstring;
1088          }
1089          if ( '' === $string ) {
1090              return '';
1091          }
1092          // Prevent multiple dashes in comments.
1093          $string = preg_replace( '/--+/', '-', $string );
1094          // Prevent three dashes closing a comment.
1095          $string = preg_replace( '/-$/', '', $string );
1096          return "<!--{$string}-->";
1097      }
1098  
1099      // It's seriously malformed.
1100      if ( ! preg_match( '%^<\s*(/\s*)?([a-zA-Z0-9-]+)([^>]*)>?$%', $string, $matches ) ) {
1101          return '';
1102      }
1103  
1104      $slash    = trim( $matches[1] );
1105      $elem     = $matches[2];
1106      $attrlist = $matches[3];
1107  
1108      if ( ! is_array( $allowed_html ) ) {
1109          $allowed_html = wp_kses_allowed_html( $allowed_html );
1110      }
1111  
1112      // They are using a not allowed HTML element.
1113      if ( ! isset( $allowed_html[ strtolower( $elem ) ] ) ) {
1114          return '';
1115      }
1116  
1117      // No attributes are allowed for closing elements.
1118      if ( '' !== $slash ) {
1119          return "</$elem>";
1120      }
1121  
1122      return wp_kses_attr( $elem, $attrlist, $allowed_html, $allowed_protocols );
1123  }
1124  
1125  /**
1126   * Removes all attributes, if none are allowed for this element.
1127   *
1128   * If some are allowed it calls `wp_kses_hair()` to split them further, and then
1129   * it builds up new HTML code from the data that `kses_hair()` returns. It also
1130   * removes `<` and `>` characters, if there are any left. One more thing it does
1131   * is to check if the tag has a closing XHTML slash, and if it does, it puts one
1132   * in the returned code as well.
1133   *
1134   * @since 1.0.0
1135   *
1136   * @param string         $element           HTML element/tag.
1137   * @param string         $attr              HTML attributes from HTML element to closing HTML element tag.
1138   * @param array[]|string $allowed_html      An array of allowed HTML elements and attributes,
1139   *                                          or a context name such as 'post'. See wp_kses_allowed_html()
1140   *                                          for the list of accepted context names.
1141   * @param string[]       $allowed_protocols Array of allowed URL protocols.
1142   * @return string Sanitized HTML element.
1143   */
1144  function wp_kses_attr( $element, $attr, $allowed_html, $allowed_protocols ) {
1145      if ( ! is_array( $allowed_html ) ) {
1146          $allowed_html = wp_kses_allowed_html( $allowed_html );
1147      }
1148  
1149      // Is there a closing XHTML slash at the end of the attributes?
1150      $xhtml_slash = '';
1151      if ( preg_match( '%\s*/\s*$%', $attr ) ) {
1152          $xhtml_slash = ' /';
1153      }
1154  
1155      // Are any attributes allowed at all for this element?
1156      $element_low = strtolower( $element );
1157      if ( empty( $allowed_html[ $element_low ] ) || true === $allowed_html[ $element_low ] ) {
1158          return "<$element$xhtml_slash>";
1159      }
1160  
1161      // Split it.
1162      $attrarr = wp_kses_hair( $attr, $allowed_protocols );
1163  
1164      // Go through $attrarr, and save the allowed attributes for this element
1165      // in $attr2.
1166      $attr2 = '';
1167      foreach ( $attrarr as $arreach ) {
1168          if ( wp_kses_attr_check( $arreach['name'], $arreach['value'], $arreach['whole'], $arreach['vless'], $element, $allowed_html ) ) {
1169              $attr2 .= ' ' . $arreach['whole'];
1170          }
1171      }
1172  
1173      // Remove any "<" or ">" characters.
1174      $attr2 = preg_replace( '/[<>]/', '', $attr2 );
1175  
1176      return "<$element$attr2$xhtml_slash>";
1177  }
1178  
1179  /**
1180   * Determines whether an attribute is allowed.
1181   *
1182   * @since 4.2.3
1183   * @since 5.0.0 Add support for `data-*` wildcard attributes.
1184   *
1185   * @param string $name         The attribute name. Passed by reference. Returns empty string when not allowed.
1186   * @param string $value        The attribute value. Passed by reference. Returns a filtered value.
1187   * @param string $whole        The `name=value` input. Passed by reference. Returns filtered input.
1188   * @param string $vless        Whether the attribute is valueless. Use 'y' or 'n'.
1189   * @param string $element      The name of the element to which this attribute belongs.
1190   * @param array  $allowed_html The full list of allowed elements and attributes.
1191   * @return bool Whether or not the attribute is allowed.
1192   */
1193  function wp_kses_attr_check( &$name, &$value, &$whole, $vless, $element, $allowed_html ) {
1194      $name_low    = strtolower( $name );
1195      $element_low = strtolower( $element );
1196  
1197      if ( ! isset( $allowed_html[ $element_low ] ) ) {
1198          $name  = '';
1199          $value = '';
1200          $whole = '';
1201          return false;
1202      }
1203  
1204      $allowed_attr = $allowed_html[ $element_low ];
1205  
1206      if ( ! isset( $allowed_attr[ $name_low ] ) || '' === $allowed_attr[ $name_low ] ) {
1207          /*
1208           * Allow `data-*` attributes.
1209           *
1210           * When specifying `$allowed_html`, the attribute name should be set as
1211           * `data-*` (not to be mixed with the HTML 4.0 `data` attribute, see
1212           * https://www.w3.org/TR/html40/struct/objects.html#adef-data).
1213           *
1214           * Note: the attribute name should only contain `A-Za-z0-9_-` chars,
1215           * double hyphens `--` are not accepted by WordPress.
1216           */
1217          if ( strpos( $name_low, 'data-' ) === 0 && ! empty( $allowed_attr['data-*'] ) && preg_match( '/^data(?:-[a-z0-9_]+)+$/', $name_low, $match ) ) {
1218              /*
1219               * Add the whole attribute name to the allowed attributes and set any restrictions
1220               * for the `data-*` attribute values for the current element.
1221               */
1222              $allowed_attr[ $match[0] ] = $allowed_attr['data-*'];
1223          } else {
1224              $name  = '';
1225              $value = '';
1226              $whole = '';
1227              return false;
1228          }
1229      }
1230  
1231      if ( 'style' === $name_low ) {
1232          $new_value = safecss_filter_attr( $value );
1233  
1234          if ( empty( $new_value ) ) {
1235              $name  = '';
1236              $value = '';
1237              $whole = '';
1238              return false;
1239          }
1240  
1241          $whole = str_replace( $value, $new_value, $whole );
1242          $value = $new_value;
1243      }
1244  
1245      if ( is_array( $allowed_attr[ $name_low ] ) ) {
1246          // There are some checks.
1247          foreach ( $allowed_attr[ $name_low ] as $currkey => $currval ) {
1248              if ( ! wp_kses_check_attr_val( $value, $vless, $currkey, $currval ) ) {
1249                  $name  = '';
1250                  $value = '';
1251                  $whole = '';
1252                  return false;
1253              }
1254          }
1255      }
1256  
1257      return true;
1258  }
1259  
1260  /**
1261   * Builds an attribute list from string containing attributes.
1262   *
1263   * This function does a lot of work. It parses an attribute list into an array
1264   * with attribute data, and tries to do the right thing even if it gets weird
1265   * input. It will add quotes around attribute values that don't have any quotes
1266   * or apostrophes around them, to make it easier to produce HTML code that will
1267   * conform to W3C's HTML specification. It will also remove bad URL protocols
1268   * from attribute values. It also reduces duplicate attributes by using the
1269   * attribute defined first (`foo='bar' foo='baz'` will result in `foo='bar'`).
1270   *
1271   * @since 1.0.0
1272   *
1273   * @param string   $attr              Attribute list from HTML element to closing HTML element tag.
1274   * @param string[] $allowed_protocols Array of allowed URL protocols.
1275   * @return array[] Array of attribute information after parsing.
1276   */
1277  function wp_kses_hair( $attr, $allowed_protocols ) {
1278      $attrarr  = array();
1279      $mode     = 0;
1280      $attrname = '';
1281      $uris     = wp_kses_uri_attributes();
1282  
1283      // Loop through the whole attribute list.
1284  
1285      while ( strlen( $attr ) != 0 ) {
1286          $working = 0; // Was the last operation successful?
1287  
1288          switch ( $mode ) {
1289              case 0:
1290                  if ( preg_match( '/^([_a-zA-Z][-_a-zA-Z0-9:.]*)/', $attr, $match ) ) {
1291                      $attrname = $match[1];
1292                      $working  = 1;
1293                      $mode     = 1;
1294                      $attr     = preg_replace( '/^[_a-zA-Z][-_a-zA-Z0-9:.]*/', '', $attr );
1295                  }
1296  
1297                  break;
1298  
1299              case 1:
1300                  if ( preg_match( '/^\s*=\s*/', $attr ) ) { // Equals sign.
1301                      $working = 1;
1302                      $mode    = 2;
1303                      $attr    = preg_replace( '/^\s*=\s*/', '', $attr );
1304                      break;
1305                  }
1306  
1307                  if ( preg_match( '/^\s+/', $attr ) ) { // Valueless.
1308                      $working = 1;
1309                      $mode    = 0;
1310                      if ( false === array_key_exists( $attrname, $attrarr ) ) {
1311                          $attrarr[ $attrname ] = array(
1312                              'name'  => $attrname,
1313                              'value' => '',
1314                              'whole' => $attrname,
1315                              'vless' => 'y',
1316                          );
1317                      }
1318                      $attr = preg_replace( '/^\s+/', '', $attr );
1319                  }
1320  
1321                  break;
1322  
1323              case 2:
1324                  if ( preg_match( '%^"([^"]*)"(\s+|/?$)%', $attr, $match ) ) {
1325                      // "value"
1326                      $thisval = $match[1];
1327                      if ( in_array( strtolower( $attrname ), $uris, true ) ) {
1328                          $thisval = wp_kses_bad_protocol( $thisval, $allowed_protocols );
1329                      }
1330  
1331                      if ( false === array_key_exists( $attrname, $attrarr ) ) {
1332                          $attrarr[ $attrname ] = array(
1333                              'name'  => $attrname,
1334                              'value' => $thisval,
1335                              'whole' => "$attrname=\"$thisval\"",
1336                              'vless' => 'n',
1337                          );
1338                      }
1339                      $working = 1;
1340                      $mode    = 0;
1341                      $attr    = preg_replace( '/^"[^"]*"(\s+|$)/', '', $attr );
1342                      break;
1343                  }
1344  
1345                  if ( preg_match( "%^'([^']*)'(\s+|/?$)%", $attr, $match ) ) {
1346                      // 'value'
1347                      $thisval = $match[1];
1348                      if ( in_array( strtolower( $attrname ), $uris, true ) ) {
1349                          $thisval = wp_kses_bad_protocol( $thisval, $allowed_protocols );
1350                      }
1351  
1352                      if ( false === array_key_exists( $attrname, $attrarr ) ) {
1353                          $attrarr[ $attrname ] = array(
1354                              'name'  => $attrname,
1355                              'value' => $thisval,
1356                              'whole' => "$attrname='$thisval'",
1357                              'vless' => 'n',
1358                          );
1359                      }
1360                      $working = 1;
1361                      $mode    = 0;
1362                      $attr    = preg_replace( "/^'[^']*'(\s+|$)/", '', $attr );
1363                      break;
1364                  }
1365  
1366                  if ( preg_match( "%^([^\s\"']+)(\s+|/?$)%", $attr, $match ) ) {
1367                      // value
1368                      $thisval = $match[1];
1369                      if ( in_array( strtolower( $attrname ), $uris, true ) ) {
1370                          $thisval = wp_kses_bad_protocol( $thisval, $allowed_protocols );
1371                      }
1372  
1373                      if ( false === array_key_exists( $attrname, $attrarr ) ) {
1374                          $attrarr[ $attrname ] = array(
1375                              'name'  => $attrname,
1376                              'value' => $thisval,
1377                              'whole' => "$attrname=\"$thisval\"",
1378                              'vless' => 'n',
1379                          );
1380                      }
1381                      // We add quotes to conform to W3C's HTML spec.
1382                      $working = 1;
1383                      $mode    = 0;
1384                      $attr    = preg_replace( "%^[^\s\"']+(\s+|$)%", '', $attr );
1385                  }
1386  
1387                  break;
1388          } // End switch.
1389  
1390          if ( 0 == $working ) { // Not well-formed, remove and try again.
1391              $attr = wp_kses_html_error( $attr );
1392              $mode = 0;
1393          }
1394      } // End while.
1395  
1396      if ( 1 == $mode && false === array_key_exists( $attrname, $attrarr ) ) {
1397          // Special case, for when the attribute list ends with a valueless
1398          // attribute like "selected".
1399          $attrarr[ $attrname ] = array(
1400              'name'  => $attrname,
1401              'value' => '',
1402              'whole' => $attrname,
1403              'vless' => 'y',
1404          );
1405      }
1406  
1407      return $attrarr;
1408  }
1409  
1410  /**
1411   * Finds all attributes of an HTML element.
1412   *
1413   * Does not modify input.  May return "evil" output.
1414   *
1415   * Based on `wp_kses_split2()` and `wp_kses_attr()`.
1416   *
1417   * @since 4.2.3
1418   *
1419   * @param string $element HTML element.
1420   * @return array|false List of attributes found in the element. Returns false on failure.
1421   */
1422  function wp_kses_attr_parse( $element ) {
1423      $valid = preg_match( '%^(<\s*)(/\s*)?([a-zA-Z0-9]+\s*)([^>]*)(>?)$%', $element, $matches );
1424      if ( 1 !== $valid ) {
1425          return false;
1426      }
1427  
1428      $begin  = $matches[1];
1429      $slash  = $matches[2];
1430      $elname = $matches[3];
1431      $attr   = $matches[4];
1432      $end    = $matches[5];
1433  
1434      if ( '' !== $slash ) {
1435          // Closing elements do not get parsed.
1436          return false;
1437      }
1438  
1439      // Is there a closing XHTML slash at the end of the attributes?
1440      if ( 1 === preg_match( '%\s*/\s*$%', $attr, $matches ) ) {
1441          $xhtml_slash = $matches[0];
1442          $attr        = substr( $attr, 0, -strlen( $xhtml_slash ) );
1443      } else {
1444          $xhtml_slash = '';
1445      }
1446  
1447      // Split it.
1448      $attrarr = wp_kses_hair_parse( $attr );
1449      if ( false === $attrarr ) {
1450          return false;
1451      }
1452  
1453      // Make sure all input is returned by adding front and back matter.
1454      array_unshift( $attrarr, $begin . $slash . $elname );
1455      array_push( $attrarr, $xhtml_slash . $end );
1456  
1457      return $attrarr;
1458  }
1459  
1460  /**
1461   * Builds an attribute list from string containing attributes.
1462   *
1463   * Does not modify input.  May return "evil" output.
1464   * In case of unexpected input, returns false instead of stripping things.
1465   *
1466   * Based on `wp_kses_hair()` but does not return a multi-dimensional array.
1467   *
1468   * @since 4.2.3
1469   *
1470   * @param string $attr Attribute list from HTML element to closing HTML element tag.
1471   * @return array|false List of attributes found in $attr. Returns false on failure.
1472   */
1473  function wp_kses_hair_parse( $attr ) {
1474      if ( '' === $attr ) {
1475          return array();
1476      }
1477  
1478      // phpcs:disable Squiz.Strings.ConcatenationSpacing.PaddingFound -- don't remove regex indentation
1479      $regex =
1480          '(?:'
1481          .     '[_a-zA-Z][-_a-zA-Z0-9:.]*' // Attribute name.
1482          . '|'
1483          .     '\[\[?[^\[\]]+\]\]?'        // Shortcode in the name position implies unfiltered_html.
1484          . ')'
1485          . '(?:'               // Attribute value.
1486          .     '\s*=\s*'       // All values begin with '='.
1487          .     '(?:'
1488          .         '"[^"]*"'   // Double-quoted.
1489          .     '|'
1490          .         "'[^']*'"   // Single-quoted.
1491          .     '|'
1492          .         '[^\s"\']+' // Non-quoted.
1493          .         '(?:\s|$)'  // Must have a space.
1494          .     ')'
1495          . '|'
1496          .     '(?:\s|$)'      // If attribute has no value, space is required.
1497          . ')'
1498          . '\s*';              // Trailing space is optional except as mentioned above.
1499      // phpcs:enable
1500  
1501      // Although it is possible to reduce this procedure to a single regexp,
1502      // we must run that regexp twice to get exactly the expected result.
1503  
1504      $validation = "%^($regex)+$%";
1505      $extraction = "%$regex%";
1506  
1507      if ( 1 === preg_match( $validation, $attr ) ) {
1508          preg_match_all( $extraction, $attr, $attrarr );
1509          return $attrarr[0];
1510      } else {
1511          return false;
1512      }
1513  }
1514  
1515  /**
1516   * Performs different checks for attribute values.
1517   *
1518   * The currently implemented checks are "maxlen", "minlen", "maxval", "minval",
1519   * and "valueless".
1520   *
1521   * @since 1.0.0
1522   *
1523   * @param string $value      Attribute value.
1524   * @param string $vless      Whether the attribute is valueless. Use 'y' or 'n'.
1525   * @param string $checkname  What $checkvalue is checking for.
1526   * @param mixed  $checkvalue What constraint the value should pass.
1527   * @return bool Whether check passes.
1528   */
1529  function wp_kses_check_attr_val( $value, $vless, $checkname, $checkvalue ) {
1530      $ok = true;
1531  
1532      switch ( strtolower( $checkname ) ) {
1533          case 'maxlen':
1534              /*
1535               * The maxlen check makes sure that the attribute value has a length not
1536               * greater than the given value. This can be used to avoid Buffer Overflows
1537               * in WWW clients and various Internet servers.
1538               */
1539  
1540              if ( strlen( $value ) > $checkvalue ) {
1541                  $ok = false;
1542              }
1543              break;
1544  
1545          case 'minlen':
1546              /*
1547               * The minlen check makes sure that the attribute value has a length not
1548               * smaller than the given value.
1549               */
1550  
1551              if ( strlen( $value ) < $checkvalue ) {
1552                  $ok = false;
1553              }
1554              break;
1555  
1556          case 'maxval':
1557              /*
1558               * The maxval check does two things: it checks that the attribute value is
1559               * an integer from 0 and up, without an excessive amount of zeroes or
1560               * whitespace (to avoid Buffer Overflows). It also checks that the attribute
1561               * value is not greater than the given value.
1562               * This check can be used to avoid Denial of Service attacks.
1563               */
1564  
1565              if ( ! preg_match( '/^\s{0,6}[0-9]{1,6}\s{0,6}$/', $value ) ) {
1566                  $ok = false;
1567              }
1568              if ( $value > $checkvalue ) {
1569                  $ok = false;
1570              }
1571              break;
1572  
1573          case 'minval':
1574              /*
1575               * The minval check makes sure that the attribute value is a positive integer,
1576               * and that it is not smaller than the given value.
1577               */
1578  
1579              if ( ! preg_match( '/^\s{0,6}[0-9]{1,6}\s{0,6}$/', $value ) ) {
1580                  $ok = false;
1581              }
1582              if ( $value < $checkvalue ) {
1583                  $ok = false;
1584              }
1585              break;
1586  
1587          case 'valueless':
1588              /*
1589               * The valueless check makes sure if the attribute has a value
1590               * (like `<a href="blah">`) or not (`<option selected>`). If the given value
1591               * is a "y" or a "Y", the attribute must not have a value.
1592               * If the given value is an "n" or an "N", the attribute must have a value.
1593               */
1594  
1595              if ( strtolower( $checkvalue ) != $vless ) {
1596                  $ok = false;
1597              }
1598              break;
1599      } // End switch.
1600  
1601      return $ok;
1602  }
1603  
1604  /**
1605   * Sanitizes a string and removed disallowed URL protocols.
1606   *
1607   * This function removes all non-allowed protocols from the beginning of the
1608   * string. It ignores whitespace and the case of the letters, and it does
1609   * understand HTML entities. It does its work recursively, so it won't be
1610   * fooled by a string like `javascript:javascript:alert(57)`.
1611   *
1612   * @since 1.0.0
1613   *
1614   * @param string   $string            Content to filter bad protocols from.
1615   * @param string[] $allowed_protocols Array of allowed URL protocols.
1616   * @return string Filtered content.
1617   */
1618  function wp_kses_bad_protocol( $string, $allowed_protocols ) {
1619      $string     = wp_kses_no_null( $string );
1620      $iterations = 0;
1621  
1622      do {
1623          $original_string = $string;
1624          $string          = wp_kses_bad_protocol_once( $string, $allowed_protocols );
1625      } while ( $original_string != $string && ++$iterations < 6 );
1626  
1627      if ( $original_string != $string ) {
1628          return '';
1629      }
1630  
1631      return $string;
1632  }
1633  
1634  /**
1635   * Removes any invalid control characters in a text string.
1636   *
1637   * Also removes any instance of the `\0` string.
1638   *
1639   * @since 1.0.0
1640   *
1641   * @param string $string  Content to filter null characters from.
1642   * @param array  $options Set 'slash_zero' => 'keep' when '\0' is allowed. Default is 'remove'.
1643   * @return string Filtered content.
1644   */
1645  function wp_kses_no_null( $string, $options = null ) {
1646      if ( ! isset( $options['slash_zero'] ) ) {
1647          $options = array( 'slash_zero' => 'remove' );
1648      }
1649  
1650      $string = preg_replace( '/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $string );
1651      if ( 'remove' === $options['slash_zero'] ) {
1652          $string = preg_replace( '/\\\\+0+/', '', $string );
1653      }
1654  
1655      return $string;
1656  }
1657  
1658  /**
1659   * Strips slashes from in front of quotes.
1660   *
1661   * This function changes the character sequence `\"` to just `"`. It leaves all other
1662   * slashes alone. The quoting from `preg_replace(//e)` requires this.
1663   *
1664   * @since 1.0.0
1665   *
1666   * @param string $string String to strip slashes from.
1667   * @return string Fixed string with quoted slashes.
1668   */
1669  function wp_kses_stripslashes( $string ) {
1670      return preg_replace( '%\\\\"%', '"', $string );
1671  }
1672  
1673  /**
1674   * Converts the keys of an array to lowercase.
1675   *
1676   * @since 1.0.0
1677   *
1678   * @param array $inarray Unfiltered array.
1679   * @return array Fixed array with all lowercase keys.
1680   */
1681  function wp_kses_array_lc( $inarray ) {
1682      $outarray = array();
1683  
1684      foreach ( (array) $inarray as $inkey => $inval ) {
1685          $outkey              = strtolower( $inkey );
1686          $outarray[ $outkey ] = array();
1687  
1688          foreach ( (array) $inval as $inkey2 => $inval2 ) {
1689              $outkey2                         = strtolower( $inkey2 );
1690              $outarray[ $outkey ][ $outkey2 ] = $inval2;
1691          }
1692      }
1693  
1694      return $outarray;
1695  }
1696  
1697  /**
1698   * Handles parsing errors in `wp_kses_hair()`.
1699   *
1700   * The general plan is to remove everything to and including some whitespace,
1701   * but it deals with quotes and apostrophes as well.
1702   *
1703   * @since 1.0.0
1704   *
1705   * @param string $string
1706   * @return string
1707   */
1708  function wp_kses_html_error( $string ) {
1709      return preg_replace( '/^("[^"]*("|$)|\'[^\']*(\'|$)|\S)*\s*/', '', $string );
1710  }
1711  
1712  /**
1713   * Sanitizes content from bad protocols and other characters.
1714   *
1715   * This function searches for URL protocols at the beginning of the string, while
1716   * handling whitespace and HTML entities.
1717   *
1718   * @since 1.0.0
1719   *
1720   * @param string   $string            Content to check for bad protocols.
1721   * @param string[] $allowed_protocols Array of allowed URL protocols.
1722   * @param int      $count             Depth of call recursion to this function.
1723   * @return string Sanitized content.
1724   */
1725  function wp_kses_bad_protocol_once( $string, $allowed_protocols, $count = 1 ) {
1726      $string  = preg_replace( '/(&#0*58(?![;0-9])|&#x0*3a(?![;a-f0-9]))/i', '$1;', $string );
1727      $string2 = preg_split( '/:|&#0*58;|&#x0*3a;|&colon;/i', $string, 2 );
1728      if ( isset( $string2[1] ) && ! preg_match( '%/\?%', $string2[0] ) ) {
1729          $string   = trim( $string2[1] );
1730          $protocol = wp_kses_bad_protocol_once2( $string2[0], $allowed_protocols );
1731          if ( 'feed:' === $protocol ) {
1732              if ( $count > 2 ) {
1733                  return '';
1734              }
1735              $string = wp_kses_bad_protocol_once( $string, $allowed_protocols, ++$count );
1736              if ( empty( $string ) ) {
1737                  return $string;
1738              }
1739          }
1740          $string = $protocol . $string;
1741      }
1742  
1743      return $string;
1744  }
1745  
1746  /**
1747   * Callback for `wp_kses_bad_protocol_once()` regular expression.
1748   *
1749   * This function processes URL protocols, checks to see if they're in the
1750   * list of allowed protocols or not, and returns different data depending
1751   * on the answer.
1752   *
1753   * @access private
1754   * @ignore
1755   * @since 1.0.0
1756   *
1757   * @param string   $string            URI scheme to check against the list of allowed protocols.
1758   * @param string[] $allowed_protocols Array of allowed URL protocols.
1759   * @return string Sanitized content.
1760   */
1761  function wp_kses_bad_protocol_once2( $string, $allowed_protocols ) {
1762      $string2 = wp_kses_decode_entities( $string );
1763      $string2 = preg_replace( '/\s/', '', $string2 );
1764      $string2 = wp_kses_no_null( $string2 );
1765      $string2 = strtolower( $string2 );
1766  
1767      $allowed = false;
1768      foreach ( (array) $allowed_protocols as $one_protocol ) {
1769          if ( strtolower( $one_protocol ) == $string2 ) {
1770              $allowed = true;
1771              break;
1772          }
1773      }
1774  
1775      if ( $allowed ) {
1776          return "$string2:";
1777      } else {
1778          return '';
1779      }
1780  }
1781  
1782  /**
1783   * Converts and fixes HTML entities.
1784   *
1785   * This function normalizes HTML entities. It will convert `AT&T` to the correct
1786   * `AT&amp;T`, `&#00058;` to `&#058;`, `&#XYZZY;` to `&amp;#XYZZY;` and so on.
1787   *
1788   * When `$context` is set to 'xml', HTML entities are converted to their code points.  For
1789   * example, `AT&T&hellip;&#XYZZY;` is converted to `AT&amp;T…&amp;#XYZZY;`.
1790   *
1791   * @since 1.0.0
1792   * @since 5.5.0 Added `$context` parameter.
1793   *
1794   * @param string $string  Content to normalize entities.
1795   * @param string $context Context for normalization. Can be either 'html' or 'xml'.
1796   *                        Default 'html'.
1797   * @return string Content with normalized entities.
1798   */
1799  function wp_kses_normalize_entities( $string, $context = 'html' ) {
1800      // Disarm all entities by converting & to &amp;
1801      $string = str_replace( '&', '&amp;', $string );
1802  
1803      // Change back the allowed entities in our list of allowed entities.
1804      if ( 'xml' === $context ) {
1805          $string = preg_replace_callback( '/&amp;([A-Za-z]{2,8}[0-9]{0,2});/', 'wp_kses_xml_named_entities', $string );
1806      } else {
1807          $string = preg_replace_callback( '/&amp;([A-Za-z]{2,8}[0-9]{0,2});/', 'wp_kses_named_entities', $string );
1808      }
1809      $string = preg_replace_callback( '/&amp;#(0*[0-9]{1,7});/', 'wp_kses_normalize_entities2', $string );
1810      $string = preg_replace_callback( '/&amp;#[Xx](0*[0-9A-Fa-f]{1,6});/', 'wp_kses_normalize_entities3', $string );
1811  
1812      return $string;
1813  }
1814  
1815  /**
1816   * Callback for `wp_kses_normalize_entities()` regular expression.
1817   *
1818   * This function only accepts valid named entity references, which are finite,
1819   * case-sensitive, and highly scrutinized by HTML and XML validators.
1820   *
1821   * @since 3.0.0
1822   *
1823   * @global array $allowedentitynames
1824   *
1825   * @param array $matches preg_replace_callback() matches array.
1826   * @return string Correctly encoded entity.
1827   */
1828  function wp_kses_named_entities( $matches ) {
1829      global $allowedentitynames;
1830  
1831      if ( empty( $matches[1] ) ) {
1832          return '';
1833      }
1834  
1835      $i = $matches[1];
1836      return ( ! in_array( $i, $allowedentitynames, true ) ) ? "&amp;$i;" : "&$i;";
1837  }
1838  
1839  /**
1840   * Callback for `wp_kses_normalize_entities()` regular expression.
1841   *
1842   * This function only accepts valid named entity references, which are finite,
1843   * case-sensitive, and highly scrutinized by XML validators.  HTML named entity
1844   * references are converted to their code points.
1845   *
1846   * @since 5.5.0
1847   *
1848   * @global array $allowedentitynames
1849   * @global array $allowedxmlnamedentities
1850   *
1851   * @param array $matches preg_replace_callback() matches array.
1852   * @return string Correctly encoded entity.
1853   */
1854  function wp_kses_xml_named_entities( $matches ) {
1855      global $allowedentitynames, $allowedxmlnamedentities;
1856  
1857      if ( empty( $matches[1] ) ) {
1858          return '';
1859      }
1860  
1861      $i = $matches[1];
1862  
1863      if ( in_array( $i, $allowedxmlnamedentities, true ) ) {
1864          return "&$i;";
1865      } elseif ( in_array( $i, $allowedentitynames, true ) ) {
1866          return html_entity_decode( "&$i;", ENT_HTML5 );
1867      }
1868  
1869      return "&amp;$i;";
1870  }
1871  
1872  /**
1873   * Callback for `wp_kses_normalize_entities()` regular expression.
1874   *
1875   * This function helps `wp_kses_normalize_entities()` to only accept 16-bit
1876   * values and nothing more for `&#number;` entities.
1877   *
1878   * @access private
1879   * @ignore
1880   * @since 1.0.0
1881   *
1882   * @param array $matches `preg_replace_callback()` matches array.
1883   * @return string Correctly encoded entity.
1884   */
1885  function wp_kses_normalize_entities2( $matches ) {
1886      if ( empty( $matches[1] ) ) {
1887          return '';
1888      }
1889  
1890      $i = $matches[1];
1891      if ( valid_unicode( $i ) ) {
1892          $i = str_pad( ltrim( $i, '0' ), 3, '0', STR_PAD_LEFT );
1893          $i = "&#$i;";
1894      } else {
1895          $i = "&amp;#$i;";
1896      }
1897  
1898      return $i;
1899  }
1900  
1901  /**
1902   * Callback for `wp_kses_normalize_entities()` for regular expression.
1903   *
1904   * This function helps `wp_kses_normalize_entities()` to only accept valid Unicode
1905   * numeric entities in hex form.
1906   *
1907   * @since 2.7.0
1908   * @access private
1909   * @ignore
1910   *
1911   * @param array $matches `preg_replace_callback()` matches array.
1912   * @return string Correctly encoded entity.
1913   */
1914  function wp_kses_normalize_entities3( $matches ) {
1915      if ( empty( $matches[1] ) ) {
1916          return '';
1917      }
1918  
1919      $hexchars = $matches[1];
1920      return ( ! valid_unicode( hexdec( $hexchars ) ) ) ? "&amp;#x$hexchars;" : '&#x' . ltrim( $hexchars, '0' ) . ';';
1921  }
1922  
1923  /**
1924   * Determines if a Unicode codepoint is valid.
1925   *
1926   * @since 2.7.0
1927   *
1928   * @param int $i Unicode codepoint.
1929   * @return bool Whether or not the codepoint is a valid Unicode codepoint.
1930   */
1931  function valid_unicode( $i ) {
1932      return ( 0x9 == $i || 0xa == $i || 0xd == $i ||
1933              ( 0x20 <= $i && $i <= 0xd7ff ) ||
1934              ( 0xe000 <= $i && $i <= 0xfffd ) ||
1935              ( 0x10000 <= $i && $i <= 0x10ffff ) );
1936  }
1937  
1938  /**
1939   * Converts all numeric HTML entities to their named counterparts.
1940   *
1941   * This function decodes numeric HTML entities (`&#65;` and `&#x41;`).
1942   * It doesn't do anything with named entities like `&auml;`, but we don't
1943   * need them in the allowed URL protocols system anyway.
1944   *
1945   * @since 1.0.0
1946   *
1947   * @param string $string Content to change entities.
1948   * @return string Content after decoded entities.
1949   */
1950  function wp_kses_decode_entities( $string ) {
1951      $string = preg_replace_callback( '/&#([0-9]+);/', '_wp_kses_decode_entities_chr', $string );
1952      $string = preg_replace_callback( '/&#[Xx]([0-9A-Fa-f]+);/', '_wp_kses_decode_entities_chr_hexdec', $string );
1953  
1954      return $string;
1955  }
1956  
1957  /**
1958   * Regex callback for `wp_kses_decode_entities()`.
1959   *
1960   * @since 2.9.0
1961   * @access private
1962   * @ignore
1963   *
1964   * @param array $match preg match
1965   * @return string
1966   */
1967  function _wp_kses_decode_entities_chr( $match ) {
1968      return chr( $match[1] );
1969  }
1970  
1971  /**
1972   * Regex callback for `wp_kses_decode_entities()`.
1973   *
1974   * @since 2.9.0
1975   * @access private
1976   * @ignore
1977   *
1978   * @param array $match preg match
1979   * @return string
1980   */
1981  function _wp_kses_decode_entities_chr_hexdec( $match ) {
1982      return chr( hexdec( $match[1] ) );
1983  }
1984  
1985  /**
1986   * Sanitize content with allowed HTML KSES rules.
1987   *
1988   * This function expects slashed data.
1989   *
1990   * @since 1.0.0
1991   *
1992   * @param string $data Content to filter, expected to be escaped with slashes.
1993   * @return string Filtered content.
1994   */
1995  function wp_filter_kses( $data ) {
1996      return addslashes( wp_kses( stripslashes( $data ), current_filter() ) );
1997  }
1998  
1999  /**
2000   * Sanitize content with allowed HTML KSES rules.
2001   *
2002   * This function expects unslashed data.
2003   *
2004   * @since 2.9.0
2005   *
2006   * @param string $data Content to filter, expected to not be escaped.
2007   * @return string Filtered content.
2008   */
2009  function wp_kses_data( $data ) {
2010      return wp_kses( $data, current_filter() );
2011  }
2012  
2013  /**
2014   * Sanitizes content for allowed HTML tags for post content.
2015   *
2016   * Post content refers to the page contents of the 'post' type and not `$_POST`
2017   * data from forms.
2018   *
2019   * This function expects slashed data.
2020   *
2021   * @since 2.0.0
2022   *
2023   * @param string $data Post content to filter, expected to be escaped with slashes.
2024   * @return string Filtered post content with allowed HTML tags and attributes intact.
2025   */
2026  function wp_filter_post_kses( $data ) {
2027      return addslashes( wp_kses( stripslashes( $data ), 'post' ) );
2028  }
2029  
2030  /**
2031   * Sanitizes content for allowed HTML tags for post content.
2032   *
2033   * Post content refers to the page contents of the 'post' type and not `$_POST`
2034   * data from forms.
2035   *
2036   * This function expects unslashed data.
2037   *
2038   * @since 2.9.0
2039   *
2040   * @param string $data Post content to filter.
2041   * @return string Filtered post content with allowed HTML tags and attributes intact.
2042   */
2043  function wp_kses_post( $data ) {
2044      return wp_kses( $data, 'post' );
2045  }
2046  
2047  /**
2048   * Navigates through an array, object, or scalar, and sanitizes content for
2049   * allowed HTML tags for post content.
2050   *
2051   * @since 4.4.2
2052   *
2053   * @see map_deep()
2054   *
2055   * @param mixed $data The array, object, or scalar value to inspect.
2056   * @return mixed The filtered content.
2057   */
2058  function wp_kses_post_deep( $data ) {
2059      return map_deep( $data, 'wp_kses_post' );
2060  }
2061  
2062  /**
2063   * Strips all HTML from a text string.
2064   *
2065   * This function expects slashed data.
2066   *
2067   * @since 2.1.0
2068   *
2069   * @param string $data Content to strip all HTML from.
2070   * @return string Filtered content without any HTML.
2071   */
2072  function wp_filter_nohtml_kses( $data ) {
2073      return addslashes( wp_kses( stripslashes( $data ), 'strip' ) );
2074  }
2075  
2076  /**
2077   * Adds all KSES input form content filters.
2078   *
2079   * All hooks have default priority. The `wp_filter_kses()` function is added to
2080   * the 'pre_comment_content' and 'title_save_pre' hooks.
2081   *
2082   * The `wp_filter_post_kses()` function is added to the 'content_save_pre',
2083   * 'excerpt_save_pre', and 'content_filtered_save_pre' hooks.
2084   *
2085   * @since 2.0.0
2086   */
2087  function kses_init_filters() {
2088      // Normal filtering.
2089      add_filter( 'title_save_pre', 'wp_filter_kses' );
2090  
2091      // Comment filtering.
2092      if ( current_user_can( 'unfiltered_html' ) ) {
2093          add_filter( 'pre_comment_content', 'wp_filter_post_kses' );
2094      } else {
2095          add_filter( 'pre_comment_content', 'wp_filter_kses' );
2096      }
2097  
2098      // Post filtering.
2099      add_filter( 'content_save_pre', 'wp_filter_post_kses' );
2100      add_filter( 'excerpt_save_pre', 'wp_filter_post_kses' );
2101      add_filter( 'content_filtered_save_pre', 'wp_filter_post_kses' );
2102  }
2103  
2104  /**
2105   * Removes all KSES input form content filters.
2106   *
2107   * A quick procedural method to removing all of the filters that KSES uses for
2108   * content in WordPress Loop.
2109   *
2110   * Does not remove the `kses_init()` function from {@see 'init'} hook (priority is
2111   * default). Also does not remove `kses_init()` function from {@see 'set_current_user'}
2112   * hook (priority is also default).
2113   *
2114   * @since 2.0.6
2115   */
2116  function kses_remove_filters() {
2117      // Normal filtering.
2118      remove_filter( 'title_save_pre', 'wp_filter_kses' );
2119  
2120      // Comment filtering.
2121      remove_filter( 'pre_comment_content', 'wp_filter_post_kses' );
2122      remove_filter( 'pre_comment_content', 'wp_filter_kses' );
2123  
2124      // Post filtering.
2125      remove_filter( 'content_save_pre', 'wp_filter_post_kses' );
2126      remove_filter( 'excerpt_save_pre', 'wp_filter_post_kses' );
2127      remove_filter( 'content_filtered_save_pre', 'wp_filter_post_kses' );
2128  }
2129  
2130  /**
2131   * Sets up most of the KSES filters for input form content.
2132   *
2133   * First removes all of the KSES filters in case the current user does not need
2134   * to have KSES filter the content. If the user does not have `unfiltered_html`
2135   * capability, then KSES filters are added.
2136   *
2137   * @since 2.0.0
2138   */
2139  function kses_init() {
2140      kses_remove_filters();
2141  
2142      if ( ! current_user_can( 'unfiltered_html' ) ) {
2143          kses_init_filters();
2144      }
2145  }
2146  
2147  /**
2148   * Filters an inline style attribute and removes disallowed rules.
2149   *
2150   * @since 2.8.1
2151   *
2152   * @param string $css        A string of CSS rules.
2153   * @param string $deprecated Not used.
2154   * @return string Filtered string of CSS rules.
2155   */
2156  function safecss_filter_attr( $css, $deprecated = '' ) {
2157      if ( ! empty( $deprecated ) ) {
2158          _deprecated_argument( __FUNCTION__, '2.8.1' ); // Never implemented.
2159      }
2160  
2161      $css = wp_kses_no_null( $css );
2162      $css = str_replace( array( "\n", "\r", "\t" ), '', $css );
2163  
2164      $allowed_protocols = wp_allowed_protocols();
2165  
2166      $css_array = explode( ';', trim( $css ) );
2167  
2168      /**
2169       * Filters list of allowed CSS attributes.
2170       *
2171       * @since 2.8.1
2172       * @since 4.4.0 Added support for `min-height`, `max-height`, `min-width`, and `max-width`.
2173       * @since 4.6.0 Added support for `list-style-type`.
2174       * @since 5.0.0 Added support for `background-image`.
2175       * @since 5.1.0 Added support for `text-transform`.
2176       * @since 5.2.0 Added support for `background-position` and `grid-template-columns`.
2177       * @since 5.3.0 Added support for `grid`, `flex` and `column` layout properties.
2178       *              Extend `background-*` support of individual properties.
2179       * @since 5.3.1 Added support for gradient backgrounds.
2180       * @since 5.7.1 Added support for `object-position`.
2181       * @since 5.8.0 Added support for `calc()` and `var()` values.
2182       *
2183       * @param string[] $attr Array of allowed CSS attributes.
2184       */
2185      $allowed_attr = apply_filters(
2186          'safe_style_css',
2187          array(
2188              'background',
2189              'background-color',
2190              'background-image',
2191              'background-position',
2192              'background-size',
2193              'background-attachment',
2194              'background-blend-mode',
2195  
2196              'border',
2197              'border-radius',
2198              'border-width',
2199              'border-color',
2200              'border-style',
2201              'border-right',
2202              'border-right-color',
2203              'border-right-style',
2204              'border-right-width',
2205              'border-bottom',
2206              'border-bottom-color',
2207              'border-bottom-style',
2208              'border-bottom-width',
2209              'border-left',
2210              'border-left-color',
2211              'border-left-style',
2212              'border-left-width',
2213              'border-top',
2214              'border-top-color',
2215              'border-top-style',
2216              'border-top-width',
2217  
2218              'border-spacing',
2219              'border-collapse',
2220              'caption-side',
2221  
2222              'columns',
2223              'column-count',
2224              'column-fill',
2225              'column-gap',
2226              'column-rule',
2227              'column-span',
2228              'column-width',
2229  
2230              'color',
2231              'font',
2232              'font-family',
2233              'font-size',
2234              'font-style',
2235              'font-variant',
2236              'font-weight',
2237              'letter-spacing',
2238              'line-height',
2239              'text-align',
2240              'text-decoration',
2241              'text-indent',
2242              'text-transform',
2243  
2244              'height',
2245              'min-height',
2246              'max-height',
2247  
2248              'width',
2249              'min-width',
2250              'max-width',
2251  
2252              'margin',
2253              'margin-right',
2254              'margin-bottom',
2255              'margin-left',
2256              'margin-top',
2257  
2258              'padding',
2259              'padding-right',
2260              'padding-bottom',
2261              'padding-left',
2262              'padding-top',
2263  
2264              'flex',
2265              'flex-basis',
2266              'flex-direction',
2267              'flex-flow',
2268              'flex-grow',
2269              'flex-shrink',
2270  
2271              'grid-template-columns',
2272              'grid-auto-columns',
2273              'grid-column-start',
2274              'grid-column-end',
2275              'grid-column-gap',
2276              'grid-template-rows',
2277              'grid-auto-rows',
2278              'grid-row-start',
2279              'grid-row-end',
2280              'grid-row-gap',
2281              'grid-gap',
2282  
2283              'justify-content',
2284              'justify-items',
2285              'justify-self',
2286              'align-content',
2287              'align-items',
2288              'align-self',
2289  
2290              'clear',
2291              'cursor',
2292              'direction',
2293              'float',
2294              'list-style-type',
2295              'object-position',
2296              'overflow',
2297              'vertical-align',
2298          )
2299      );
2300  
2301      /*
2302       * CSS attributes that accept URL data types.
2303       *
2304       * This is in accordance to the CSS spec and unrelated to
2305       * the sub-set of supported attributes above.
2306       *
2307       * See: https://developer.mozilla.org/en-US/docs/Web/CSS/url
2308       */
2309      $css_url_data_types = array(
2310          'background',
2311          'background-image',
2312  
2313          'cursor',
2314  
2315          'list-style',
2316          'list-style-image',
2317      );
2318  
2319      /*
2320       * CSS attributes that accept gradient data types.
2321       *
2322       */
2323      $css_gradient_data_types = array(
2324          'background',
2325          'background-image',
2326      );
2327  
2328      if ( empty( $allowed_attr ) ) {
2329          return $css;
2330      }
2331  
2332      $css = '';
2333      foreach ( $css_array as $css_item ) {
2334          if ( '' === $css_item ) {
2335              continue;
2336          }
2337  
2338          $css_item        = trim( $css_item );
2339          $css_test_string = $css_item;
2340          $found           = false;
2341          $url_attr        = false;
2342          $gradient_attr   = false;
2343  
2344          if ( strpos( $css_item, ':' ) === false ) {
2345              $found = true;
2346          } else {
2347              $parts        = explode( ':', $css_item, 2 );
2348              $css_selector = trim( $parts[0] );
2349  
2350              if ( in_array( $css_selector, $allowed_attr, true ) ) {
2351                  $found         = true;
2352                  $url_attr      = in_array( $css_selector, $css_url_data_types, true );
2353                  $gradient_attr = in_array( $css_selector, $css_gradient_data_types, true );
2354              }
2355          }
2356  
2357          if ( $found && $url_attr ) {
2358              // Simplified: matches the sequence `url(*)`.
2359              preg_match_all( '/url\([^)]+\)/', $parts[1], $url_matches );
2360  
2361              foreach ( $url_matches[0] as $url_match ) {
2362                  // Clean up the URL from each of the matches above.
2363                  preg_match( '/^url\(\s*([\'\"]?)(.*)(\g1)\s*\)$/', $url_match, $url_pieces );
2364  
2365                  if ( empty( $url_pieces[2] ) ) {
2366                      $found = false;
2367                      break;
2368                  }
2369  
2370                  $url = trim( $url_pieces[2] );
2371  
2372                  if ( empty( $url ) || wp_kses_bad_protocol( $url, $allowed_protocols ) !== $url ) {
2373                      $found = false;
2374                      break;
2375                  } else {
2376                      // Remove the whole `url(*)` bit that was matched above from the CSS.
2377                      $css_test_string = str_replace( $url_match, '', $css_test_string );
2378                  }
2379              }
2380          }
2381  
2382          if ( $found && $gradient_attr ) {
2383              $css_value = trim( $parts[1] );
2384              if ( preg_match( '/^(repeating-)?(linear|radial|conic)-gradient\(([^()]|rgb[a]?\([^()]*\))*\)$/', $css_value ) ) {
2385                  // Remove the whole `gradient` bit that was matched above from the CSS.
2386                  $css_test_string = str_replace( $css_value, '', $css_test_string );
2387              }
2388          }
2389  
2390          if ( $found ) {
2391              // Allow CSS calc().
2392              $css_test_string = preg_replace( '/calc\(((?:\([^()]*\)?|[^()])*)\)/', '', $css_test_string );
2393              // Allow CSS var().
2394              $css_test_string = preg_replace( '/\(?var\(--[a-zA-Z0-9_-]*\)/', '', $css_test_string );
2395  
2396              // Check for any CSS containing \ ( & } = or comments,
2397              // except for url(), calc(), or var() usage checked above.
2398              $allow_css = ! preg_match( '%[\\\(&=}]|/\*%', $css_test_string );
2399  
2400              /**
2401               * Filters the check for unsafe CSS in `safecss_filter_attr`.
2402               *
2403               * Enables developers to determine whether a section of CSS should be allowed or discarded.
2404               * By default, the value will be false if the part contains \ ( & } = or comments.
2405               * Return true to allow the CSS part to be included in the output.
2406               *
2407               * @since 5.5.0
2408               *
2409               * @param bool   $allow_css       Whether the CSS in the test string is considered safe.
2410               * @param string $css_test_string The CSS string to test.
2411               */
2412              $allow_css = apply_filters( 'safecss_filter_attr_allow_css', $allow_css, $css_test_string );
2413  
2414               // Only add the CSS part if it passes the regex check.
2415              if ( $allow_css ) {
2416                  if ( '' !== $css ) {
2417                      $css .= ';';
2418                  }
2419  
2420                  $css .= $css_item;
2421              }
2422          }
2423      }
2424  
2425      return $css;
2426  }
2427  
2428  /**
2429   * Helper function to add global attributes to a tag in the allowed HTML list.
2430   *
2431   * @since 3.5.0
2432   * @since 5.0.0 Add support for `data-*` wildcard attributes.
2433   * @access private
2434   * @ignore
2435   *
2436   * @param array $value An array of attributes.
2437   * @return array The array of attributes with global attributes added.
2438   */
2439  function _wp_add_global_attributes( $value ) {
2440      $global_attributes = array(
2441          'aria-describedby' => true,
2442          'aria-details'     => true,
2443          'aria-label'       => true,
2444          'aria-labelledby'  => true,
2445          'aria-hidden'      => true,
2446          'class'            => true,
2447          'id'               => true,
2448          'style'            => true,
2449          'title'            => true,
2450          'role'             => true,
2451          'data-*'           => true,
2452      );
2453  
2454      if ( true === $value ) {
2455          $value = array();
2456      }
2457  
2458      if ( is_array( $value ) ) {
2459          return array_merge( $value, $global_attributes );
2460      }
2461  
2462      return $value;
2463  }


Generated: Sun Aug 1 01:00:05 2021 Cross-referenced by PHPXref 0.7.1