[ Index ]

PHP Cross Reference of WordPress

title

Body

[close]

/wp-includes/ -> kses.php (source)

   1  <?php
   2  /**
   3   * kses 0.2.2 - HTML/XHTML filter that only allows some elements and attributes
   4   * Copyright (C) 2002, 2003, 2005  Ulf Harnhammar
   5   *
   6   * This program is free software and open source software; you can redistribute
   7   * it and/or modify it under the terms of the GNU General Public License as
   8   * published by the Free Software Foundation; either version 2 of the License,
   9   * or (at your option) any later version.
  10   *
  11   * This program is distributed in the hope that it will be useful, but WITHOUT
  12   * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13   * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
  14   * more details.
  15   *
  16   * You should have received a copy of the GNU General Public License along
  17   * with this program; if not, write to the Free Software Foundation, Inc.,
  18   * 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
  19   * http://www.gnu.org/licenses/gpl.html
  20   *
  21   * [kses strips evil scripts!]
  22   *
  23   * Added wp_ prefix to avoid conflicts with existing kses users
  24   *
  25   * @version 0.2.2
  26   * @copyright (C) 2002, 2003, 2005
  27   * @author Ulf Harnhammar <http://advogato.org/person/metaur/>
  28   *
  29   * @package External
  30   * @subpackage KSES
  31   */
  32  
  33  /**
  34   * Specifies the default allowable HTML tags.
  35   *
  36   * Using `CUSTOM_TAGS` is not recommended and should be considered deprecated. The
  37   * {@see 'wp_kses_allowed_html'} filter is more powerful and supplies context.
  38   *
  39   * @see wp_kses_allowed_html()
  40   * @since 1.2.0
  41   *
  42   * @var array[]|bool Array of default allowable HTML tags, or false to use the defaults.
  43   */
  44  if ( ! defined( 'CUSTOM_TAGS' ) ) {
  45      define( 'CUSTOM_TAGS', false );
  46  }
  47  
  48  // Ensure that these variables are added to the global namespace
  49  // (e.g. if using namespaces / autoload in the current PHP environment).
  50  global $allowedposttags, $allowedtags, $allowedentitynames, $allowedxmlentitynames;
  51  
  52  if ( ! CUSTOM_TAGS ) {
  53      /**
  54       * KSES global for default allowable HTML tags.
  55       *
  56       * Can be overridden with the `CUSTOM_TAGS` constant.
  57       *
  58       * @var array[] $allowedposttags Array of default allowable HTML tags.
  59       * @since 2.0.0
  60       */
  61      $allowedposttags = array(
  62          'address'    => array(),
  63          'a'          => array(
  64              'href'     => true,
  65              'rel'      => true,
  66              'rev'      => true,
  67              'name'     => true,
  68              'target'   => true,
  69              'download' => array(
  70                  'valueless' => 'y',
  71              ),
  72          ),
  73          'abbr'       => array(),
  74          'acronym'    => array(),
  75          'area'       => array(
  76              'alt'    => true,
  77              'coords' => true,
  78              'href'   => true,
  79              'nohref' => true,
  80              'shape'  => true,
  81              'target' => true,
  82          ),
  83          'article'    => array(
  84              'align'    => true,
  85              'dir'      => true,
  86              'lang'     => true,
  87              'xml:lang' => true,
  88          ),
  89          'aside'      => array(
  90              'align'    => true,
  91              'dir'      => true,
  92              'lang'     => true,
  93              'xml:lang' => true,
  94          ),
  95          'audio'      => array(
  96              'autoplay' => true,
  97              'controls' => true,
  98              'loop'     => true,
  99              'muted'    => true,
 100              'preload'  => true,
 101              'src'      => true,
 102          ),
 103          'b'          => array(),
 104          'bdo'        => array(
 105              'dir' => true,
 106          ),
 107          'big'        => array(),
 108          'blockquote' => array(
 109              'cite'     => true,
 110              'lang'     => true,
 111              'xml:lang' => true,
 112          ),
 113          'br'         => array(),
 114          'button'     => array(
 115              'disabled' => true,
 116              'name'     => true,
 117              'type'     => true,
 118              'value'    => true,
 119          ),
 120          'caption'    => array(
 121              'align' => true,
 122          ),
 123          'cite'       => array(
 124              'dir'  => true,
 125              'lang' => true,
 126          ),
 127          'code'       => array(),
 128          'col'        => array(
 129              'align'   => true,
 130              'char'    => true,
 131              'charoff' => true,
 132              'span'    => true,
 133              'dir'     => true,
 134              'valign'  => true,
 135              'width'   => true,
 136          ),
 137          'colgroup'   => array(
 138              'align'   => true,
 139              'char'    => true,
 140              'charoff' => true,
 141              'span'    => true,
 142              'valign'  => true,
 143              'width'   => true,
 144          ),
 145          'del'        => array(
 146              'datetime' => true,
 147          ),
 148          'dd'         => array(),
 149          'dfn'        => array(),
 150          'details'    => array(
 151              'align'    => true,
 152              'dir'      => true,
 153              'lang'     => true,
 154              'open'     => true,
 155              'xml:lang' => true,
 156          ),
 157          'div'        => array(
 158              'align'    => true,
 159              'dir'      => true,
 160              'lang'     => true,
 161              'xml:lang' => true,
 162          ),
 163          'dl'         => array(),
 164          'dt'         => array(),
 165          'em'         => array(),
 166          'fieldset'   => array(),
 167          'figure'     => array(
 168              'align'    => true,
 169              'dir'      => true,
 170              'lang'     => true,
 171              'xml:lang' => true,
 172          ),
 173          'figcaption' => array(
 174              'align'    => true,
 175              'dir'      => true,
 176              'lang'     => true,
 177              'xml:lang' => true,
 178          ),
 179          'font'       => array(
 180              'color' => true,
 181              'face'  => true,
 182              'size'  => true,
 183          ),
 184          'footer'     => array(
 185              'align'    => true,
 186              'dir'      => true,
 187              'lang'     => true,
 188              'xml:lang' => true,
 189          ),
 190          'h1'         => array(
 191              'align' => true,
 192          ),
 193          'h2'         => array(
 194              'align' => true,
 195          ),
 196          'h3'         => array(
 197              'align' => true,
 198          ),
 199          'h4'         => array(
 200              'align' => true,
 201          ),
 202          'h5'         => array(
 203              'align' => true,
 204          ),
 205          'h6'         => array(
 206              'align' => true,
 207          ),
 208          'header'     => array(
 209              'align'    => true,
 210              'dir'      => true,
 211              'lang'     => true,
 212              'xml:lang' => true,
 213          ),
 214          'hgroup'     => array(
 215              'align'    => true,
 216              'dir'      => true,
 217              'lang'     => true,
 218              'xml:lang' => true,
 219          ),
 220          'hr'         => array(
 221              'align'   => true,
 222              'noshade' => true,
 223              'size'    => true,
 224              'width'   => true,
 225          ),
 226          'i'          => array(),
 227          'img'        => array(
 228              'alt'      => true,
 229              'align'    => true,
 230              'border'   => true,
 231              'height'   => true,
 232              'hspace'   => true,
 233              'loading'  => true,
 234              'longdesc' => true,
 235              'vspace'   => true,
 236              'src'      => true,
 237              'usemap'   => true,
 238              'width'    => true,
 239          ),
 240          'ins'        => array(
 241              'datetime' => true,
 242              'cite'     => true,
 243          ),
 244          'kbd'        => array(),
 245          'label'      => array(
 246              'for' => true,
 247          ),
 248          'legend'     => array(
 249              'align' => true,
 250          ),
 251          'li'         => array(
 252              'align' => true,
 253              'value' => true,
 254          ),
 255          'map'        => array(
 256              'name' => true,
 257          ),
 258          'mark'       => array(),
 259          'menu'       => array(
 260              'type' => true,
 261          ),
 262          'nav'        => array(
 263              'align'    => true,
 264              'dir'      => true,
 265              'lang'     => true,
 266              'xml:lang' => true,
 267          ),
 268          'p'          => array(
 269              'align'    => true,
 270              'dir'      => true,
 271              'lang'     => true,
 272              'xml:lang' => true,
 273          ),
 274          'pre'        => array(
 275              'width' => true,
 276          ),
 277          'q'          => array(
 278              'cite' => true,
 279          ),
 280          's'          => array(),
 281          'samp'       => array(),
 282          'span'       => array(
 283              'dir'      => true,
 284              'align'    => true,
 285              'lang'     => true,
 286              'xml:lang' => true,
 287          ),
 288          'section'    => array(
 289              'align'    => true,
 290              'dir'      => true,
 291              'lang'     => true,
 292              'xml:lang' => true,
 293          ),
 294          'small'      => array(),
 295          'strike'     => array(),
 296          'strong'     => array(),
 297          'sub'        => array(),
 298          'summary'    => array(
 299              'align'    => true,
 300              'dir'      => true,
 301              'lang'     => true,
 302              'xml:lang' => true,
 303          ),
 304          'sup'        => array(),
 305          'table'      => array(
 306              'align'       => true,
 307              'bgcolor'     => true,
 308              'border'      => true,
 309              'cellpadding' => true,
 310              'cellspacing' => true,
 311              'dir'         => true,
 312              'rules'       => true,
 313              'summary'     => true,
 314              'width'       => true,
 315          ),
 316          'tbody'      => array(
 317              'align'   => true,
 318              'char'    => true,
 319              'charoff' => true,
 320              'valign'  => true,
 321          ),
 322          'td'         => array(
 323              'abbr'    => true,
 324              'align'   => true,
 325              'axis'    => true,
 326              'bgcolor' => true,
 327              'char'    => true,
 328              'charoff' => true,
 329              'colspan' => true,
 330              'dir'     => true,
 331              'headers' => true,
 332              'height'  => true,
 333              'nowrap'  => true,
 334              'rowspan' => true,
 335              'scope'   => true,
 336              'valign'  => true,
 337              'width'   => true,
 338          ),
 339          'textarea'   => array(
 340              'cols'     => true,
 341              'rows'     => true,
 342              'disabled' => true,
 343              'name'     => true,
 344              'readonly' => true,
 345          ),
 346          'tfoot'      => array(
 347              'align'   => true,
 348              'char'    => true,
 349              'charoff' => true,
 350              'valign'  => true,
 351          ),
 352          'th'         => array(
 353              'abbr'    => true,
 354              'align'   => true,
 355              'axis'    => true,
 356              'bgcolor' => true,
 357              'char'    => true,
 358              'charoff' => true,
 359              'colspan' => true,
 360              'headers' => true,
 361              'height'  => true,
 362              'nowrap'  => true,
 363              'rowspan' => true,
 364              'scope'   => true,
 365              'valign'  => true,
 366              'width'   => true,
 367          ),
 368          'thead'      => array(
 369              'align'   => true,
 370              'char'    => true,
 371              'charoff' => true,
 372              'valign'  => true,
 373          ),
 374          'title'      => array(),
 375          'tr'         => array(
 376              'align'   => true,
 377              'bgcolor' => true,
 378              'char'    => true,
 379              'charoff' => true,
 380              'valign'  => true,
 381          ),
 382          'track'      => array(
 383              'default' => true,
 384              'kind'    => true,
 385              'label'   => true,
 386              'src'     => true,
 387              'srclang' => true,
 388          ),
 389          'tt'         => array(),
 390          'u'          => array(),
 391          'ul'         => array(
 392              'type' => true,
 393          ),
 394          'ol'         => array(
 395              'start'    => true,
 396              'type'     => true,
 397              'reversed' => true,
 398          ),
 399          'var'        => array(),
 400          'video'      => array(
 401              'autoplay'    => true,
 402              'controls'    => true,
 403              'height'      => true,
 404              'loop'        => true,
 405              'muted'       => true,
 406              'playsinline' => true,
 407              'poster'      => true,
 408              'preload'     => true,
 409              'src'         => true,
 410              'width'       => true,
 411          ),
 412      );
 413  
 414      /**
 415       * @var array[] $allowedtags Array of KSES allowed HTML elements.
 416       * @since 1.0.0
 417       */
 418      $allowedtags = array(
 419          'a'          => array(
 420              'href'  => true,
 421              'title' => true,
 422          ),
 423          'abbr'       => array(
 424              'title' => true,
 425          ),
 426          'acronym'    => array(
 427              'title' => true,
 428          ),
 429          'b'          => array(),
 430          'blockquote' => array(
 431              'cite' => true,
 432          ),
 433          'cite'       => array(),
 434          'code'       => array(),
 435          'del'        => array(
 436              'datetime' => true,
 437          ),
 438          'em'         => array(),
 439          'i'          => array(),
 440          'q'          => array(
 441              'cite' => true,
 442          ),
 443          's'          => array(),
 444          'strike'     => array(),
 445          'strong'     => array(),
 446      );
 447  
 448      /**
 449       * @var string[] $allowedentitynames Array of KSES allowed HTML entitity names.
 450       * @since 1.0.0
 451       */
 452      $allowedentitynames = array(
 453          'nbsp',
 454          'iexcl',
 455          'cent',
 456          'pound',
 457          'curren',
 458          'yen',
 459          'brvbar',
 460          'sect',
 461          'uml',
 462          'copy',
 463          'ordf',
 464          'laquo',
 465          'not',
 466          'shy',
 467          'reg',
 468          'macr',
 469          'deg',
 470          'plusmn',
 471          'acute',
 472          'micro',
 473          'para',
 474          'middot',
 475          'cedil',
 476          'ordm',
 477          'raquo',
 478          'iquest',
 479          'Agrave',
 480          'Aacute',
 481          'Acirc',
 482          'Atilde',
 483          'Auml',
 484          'Aring',
 485          'AElig',
 486          'Ccedil',
 487          'Egrave',
 488          'Eacute',
 489          'Ecirc',
 490          'Euml',
 491          'Igrave',
 492          'Iacute',
 493          'Icirc',
 494          'Iuml',
 495          'ETH',
 496          'Ntilde',
 497          'Ograve',
 498          'Oacute',
 499          'Ocirc',
 500          'Otilde',
 501          'Ouml',
 502          'times',
 503          'Oslash',
 504          'Ugrave',
 505          'Uacute',
 506          'Ucirc',
 507          'Uuml',
 508          'Yacute',
 509          'THORN',
 510          'szlig',
 511          'agrave',
 512          'aacute',
 513          'acirc',
 514          'atilde',
 515          'auml',
 516          'aring',
 517          'aelig',
 518          'ccedil',
 519          'egrave',
 520          'eacute',
 521          'ecirc',
 522          'euml',
 523          'igrave',
 524          'iacute',
 525          'icirc',
 526          'iuml',
 527          'eth',
 528          'ntilde',
 529          'ograve',
 530          'oacute',
 531          'ocirc',
 532          'otilde',
 533          'ouml',
 534          'divide',
 535          'oslash',
 536          'ugrave',
 537          'uacute',
 538          'ucirc',
 539          'uuml',
 540          'yacute',
 541          'thorn',
 542          'yuml',
 543          'quot',
 544          'amp',
 545          'lt',
 546          'gt',
 547          'apos',
 548          'OElig',
 549          'oelig',
 550          'Scaron',
 551          'scaron',
 552          'Yuml',
 553          'circ',
 554          'tilde',
 555          'ensp',
 556          'emsp',
 557          'thinsp',
 558          'zwnj',
 559          'zwj',
 560          'lrm',
 561          'rlm',
 562          'ndash',
 563          'mdash',
 564          'lsquo',
 565          'rsquo',
 566          'sbquo',
 567          'ldquo',
 568          'rdquo',
 569          'bdquo',
 570          'dagger',
 571          'Dagger',
 572          'permil',
 573          'lsaquo',
 574          'rsaquo',
 575          'euro',
 576          'fnof',
 577          'Alpha',
 578          'Beta',
 579          'Gamma',
 580          'Delta',
 581          'Epsilon',
 582          'Zeta',
 583          'Eta',
 584          'Theta',
 585          'Iota',
 586          'Kappa',
 587          'Lambda',
 588          'Mu',
 589          'Nu',
 590          'Xi',
 591          'Omicron',
 592          'Pi',
 593          'Rho',
 594          'Sigma',
 595          'Tau',
 596          'Upsilon',
 597          'Phi',
 598          'Chi',
 599          'Psi',
 600          'Omega',
 601          'alpha',
 602          'beta',
 603          'gamma',
 604          'delta',
 605          'epsilon',
 606          'zeta',
 607          'eta',
 608          'theta',
 609          'iota',
 610          'kappa',
 611          'lambda',
 612          'mu',
 613          'nu',
 614          'xi',
 615          'omicron',
 616          'pi',
 617          'rho',
 618          'sigmaf',
 619          'sigma',
 620          'tau',
 621          'upsilon',
 622          'phi',
 623          'chi',
 624          'psi',
 625          'omega',
 626          'thetasym',
 627          'upsih',
 628          'piv',
 629          'bull',
 630          'hellip',
 631          'prime',
 632          'Prime',
 633          'oline',
 634          'frasl',
 635          'weierp',
 636          'image',
 637          'real',
 638          'trade',
 639          'alefsym',
 640          'larr',
 641          'uarr',
 642          'rarr',
 643          'darr',
 644          'harr',
 645          'crarr',
 646          'lArr',
 647          'uArr',
 648          'rArr',
 649          'dArr',
 650          'hArr',
 651          'forall',
 652          'part',
 653          'exist',
 654          'empty',
 655          'nabla',
 656          'isin',
 657          'notin',
 658          'ni',
 659          'prod',
 660          'sum',
 661          'minus',
 662          'lowast',
 663          'radic',
 664          'prop',
 665          'infin',
 666          'ang',
 667          'and',
 668          'or',
 669          'cap',
 670          'cup',
 671          'int',
 672          'sim',
 673          'cong',
 674          'asymp',
 675          'ne',
 676          'equiv',
 677          'le',
 678          'ge',
 679          'sub',
 680          'sup',
 681          'nsub',
 682          'sube',
 683          'supe',
 684          'oplus',
 685          'otimes',
 686          'perp',
 687          'sdot',
 688          'lceil',
 689          'rceil',
 690          'lfloor',
 691          'rfloor',
 692          'lang',
 693          'rang',
 694          'loz',
 695          'spades',
 696          'clubs',
 697          'hearts',
 698          'diams',
 699          'sup1',
 700          'sup2',
 701          'sup3',
 702          'frac14',
 703          'frac12',
 704          'frac34',
 705          'there4',
 706      );
 707  
 708      /**
 709       * @var string[] $allowedxmlentitynames Array of KSES allowed XML entitity names.
 710       * @since 5.5.0
 711       */
 712      $allowedxmlnamedentities = array(
 713          'amp',
 714          'lt',
 715          'gt',
 716          'apos',
 717          'quot',
 718      );
 719  
 720      $allowedposttags = array_map( '_wp_add_global_attributes', $allowedposttags );
 721  } else {
 722      $allowedtags     = wp_kses_array_lc( $allowedtags );
 723      $allowedposttags = wp_kses_array_lc( $allowedposttags );
 724  }
 725  
 726  /**
 727   * Filters text content and strips out disallowed HTML.
 728   *
 729   * This function makes sure that only the allowed HTML element names, attribute
 730   * names, attribute values, and HTML entities will occur in the given text string.
 731   *
 732   * This function expects unslashed data.
 733   *
 734   * @see wp_kses_post() for specifically filtering post content and fields.
 735   * @see wp_allowed_protocols() for the default allowed protocols in link URLs.
 736   *
 737   * @since 1.0.0
 738   *
 739   * @param string         $string            Text content to filter.
 740   * @param array[]|string $allowed_html      An array of allowed HTML elements and attributes,
 741   *                                          or a context name such as 'post'. See wp_kses_allowed_html()
 742   *                                          for the list of accepted context names.
 743   * @param string[]       $allowed_protocols Array of allowed URL protocols.
 744   * @return string Filtered content containing only the allowed HTML.
 745   */
 746  function wp_kses( $string, $allowed_html, $allowed_protocols = array() ) {
 747      if ( empty( $allowed_protocols ) ) {
 748          $allowed_protocols = wp_allowed_protocols();
 749      }
 750  
 751      $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
 752      $string = wp_kses_normalize_entities( $string );
 753      $string = wp_kses_hook( $string, $allowed_html, $allowed_protocols );
 754  
 755      return wp_kses_split( $string, $allowed_html, $allowed_protocols );
 756  }
 757  
 758  /**
 759   * Filters one HTML attribute and ensures its value is allowed.
 760   *
 761   * This function can escape data in some situations where `wp_kses()` must strip the whole attribute.
 762   *
 763   * @since 4.2.3
 764   *
 765   * @param string $string  The 'whole' attribute, including name and value.
 766   * @param string $element The HTML element name to which the attribute belongs.
 767   * @return string Filtered attribute.
 768   */
 769  function wp_kses_one_attr( $string, $element ) {
 770      $uris              = wp_kses_uri_attributes();
 771      $allowed_html      = wp_kses_allowed_html( 'post' );
 772      $allowed_protocols = wp_allowed_protocols();
 773      $string            = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
 774  
 775      // Preserve leading and trailing whitespace.
 776      $matches = array();
 777      preg_match( '/^\s*/', $string, $matches );
 778      $lead = $matches[0];
 779      preg_match( '/\s*$/', $string, $matches );
 780      $trail = $matches[0];
 781      if ( empty( $trail ) ) {
 782          $string = substr( $string, strlen( $lead ) );
 783      } else {
 784          $string = substr( $string, strlen( $lead ), -strlen( $trail ) );
 785      }
 786  
 787      // Parse attribute name and value from input.
 788      $split = preg_split( '/\s*=\s*/', $string, 2 );
 789      $name  = $split[0];
 790      if ( count( $split ) == 2 ) {
 791          $value = $split[1];
 792  
 793          // Remove quotes surrounding $value.
 794          // Also guarantee correct quoting in $string for this one attribute.
 795          if ( '' === $value ) {
 796              $quote = '';
 797          } else {
 798              $quote = $value[0];
 799          }
 800          if ( '"' === $quote || "'" === $quote ) {
 801              if ( substr( $value, -1 ) != $quote ) {
 802                  return '';
 803              }
 804              $value = substr( $value, 1, -1 );
 805          } else {
 806              $quote = '"';
 807          }
 808  
 809          // Sanitize quotes, angle braces, and entities.
 810          $value = esc_attr( $value );
 811  
 812          // Sanitize URI values.
 813          if ( in_array( strtolower( $name ), $uris, true ) ) {
 814              $value = wp_kses_bad_protocol( $value, $allowed_protocols );
 815          }
 816  
 817          $string = "$name=$quote$value$quote";
 818          $vless  = 'n';
 819      } else {
 820          $value = '';
 821          $vless = 'y';
 822      }
 823  
 824      // Sanitize attribute by name.
 825      wp_kses_attr_check( $name, $value, $string, $vless, $element, $allowed_html );
 826  
 827      // Restore whitespace.
 828      return $lead . $string . $trail;
 829  }
 830  
 831  /**
 832   * Returns an array of allowed HTML tags and attributes for a given context.
 833   *
 834   * @since 3.5.0
 835   * @since 5.0.1 `form` removed as allowable HTML tag.
 836   *
 837   * @global array $allowedposttags
 838   * @global array $allowedtags
 839   * @global array $allowedentitynames
 840   *
 841   * @param string|array $context The context for which to retrieve tags. Allowed values are 'post',
 842   *                              'strip', 'data', 'entities', or the name of a field filter such as
 843   *                              'pre_user_description'.
 844   * @return array Array of allowed HTML tags and their allowed attributes.
 845   */
 846  function wp_kses_allowed_html( $context = '' ) {
 847      global $allowedposttags, $allowedtags, $allowedentitynames;
 848  
 849      if ( is_array( $context ) ) {
 850          /**
 851           * Filters the HTML that is allowed for a given context.
 852           *
 853           * @since 3.5.0
 854           *
 855           * @param array[]|string $context      Context to judge allowed tags by.
 856           * @param string         $context_type Context name.
 857           */
 858          return apply_filters( 'wp_kses_allowed_html', $context, 'explicit' );
 859      }
 860  
 861      switch ( $context ) {
 862          case 'post':
 863              /** This filter is documented in wp-includes/kses.php */
 864              $tags = apply_filters( 'wp_kses_allowed_html', $allowedposttags, $context );
 865  
 866              // 5.0.1 removed the `<form>` tag, allow it if a filter is allowing it's sub-elements `<input>` or `<select>`.
 867              if ( ! CUSTOM_TAGS && ! isset( $tags['form'] ) && ( isset( $tags['input'] ) || isset( $tags['select'] ) ) ) {
 868                  $tags = $allowedposttags;
 869  
 870                  $tags['form'] = array(
 871                      'action'         => true,
 872                      'accept'         => true,
 873                      'accept-charset' => true,
 874                      'enctype'        => true,
 875                      'method'         => true,
 876                      'name'           => true,
 877                      'target'         => true,
 878                  );
 879  
 880                  /** This filter is documented in wp-includes/kses.php */
 881                  $tags = apply_filters( 'wp_kses_allowed_html', $tags, $context );
 882              }
 883  
 884              return $tags;
 885  
 886          case 'user_description':
 887          case 'pre_user_description':
 888              $tags             = $allowedtags;
 889              $tags['a']['rel'] = true;
 890              /** This filter is documented in wp-includes/kses.php */
 891              return apply_filters( 'wp_kses_allowed_html', $tags, $context );
 892  
 893          case 'strip':
 894              /** This filter is documented in wp-includes/kses.php */
 895              return apply_filters( 'wp_kses_allowed_html', array(), $context );
 896  
 897          case 'entities':
 898              /** This filter is documented in wp-includes/kses.php */
 899              return apply_filters( 'wp_kses_allowed_html', $allowedentitynames, $context );
 900  
 901          case 'data':
 902          default:
 903              /** This filter is documented in wp-includes/kses.php */
 904              return apply_filters( 'wp_kses_allowed_html', $allowedtags, $context );
 905      }
 906  }
 907  
 908  /**
 909   * You add any KSES hooks here.
 910   *
 911   * There is currently only one KSES WordPress hook, {@see 'pre_kses'}, and it is called here.
 912   * All parameters are passed to the hooks and expected to receive a string.
 913   *
 914   * @since 1.0.0
 915   *
 916   * @param string         $string            Content to filter through KSES.
 917   * @param array[]|string $allowed_html      An array of allowed HTML elements and attributes,
 918   *                                          or a context name such as 'post'. See wp_kses_allowed_html()
 919   *                                          for the list of accepted context names.
 920   * @param string[]       $allowed_protocols Array of allowed URL protocols.
 921   * @return string Filtered content through {@see 'pre_kses'} hook.
 922   */
 923  function wp_kses_hook( $string, $allowed_html, $allowed_protocols ) {
 924      /**
 925       * Filters content to be run through KSES.
 926       *
 927       * @since 2.3.0
 928       *
 929       * @param string         $string            Content to filter through KSES.
 930       * @param array[]|string $allowed_html      An array of allowed HTML elements and attributes,
 931       *                                          or a context name such as 'post'. See wp_kses_allowed_html()
 932       *                                          for the list of accepted context names.
 933       * @param string[]       $allowed_protocols Array of allowed URL protocols.
 934       */
 935      return apply_filters( 'pre_kses', $string, $allowed_html, $allowed_protocols );
 936  }
 937  
 938  /**
 939   * Returns the version number of KSES.
 940   *
 941   * @since 1.0.0
 942   *
 943   * @return string KSES version number.
 944   */
 945  function wp_kses_version() {
 946      return '0.2.2';
 947  }
 948  
 949  /**
 950   * Searches for HTML tags, no matter how malformed.
 951   *
 952   * It also matches stray `>` characters.
 953   *
 954   * @since 1.0.0
 955   *
 956   * @global array[]|string $pass_allowed_html      An array of allowed HTML elements and attributes,
 957   *                                                or a context name such as 'post'.
 958   * @global string[]       $pass_allowed_protocols Array of allowed URL protocols.
 959   *
 960   * @param string         $string            Content to filter.
 961   * @param array[]|string $allowed_html      An array of allowed HTML elements and attributes,
 962   *                                          or a context name such as 'post'. See wp_kses_allowed_html()
 963   *                                          for the list of accepted context names.
 964   * @param string[]       $allowed_protocols Array of allowed URL protocols.
 965   * @return string Content with fixed HTML tags
 966   */
 967  function wp_kses_split( $string, $allowed_html, $allowed_protocols ) {
 968      global $pass_allowed_html, $pass_allowed_protocols;
 969  
 970      $pass_allowed_html      = $allowed_html;
 971      $pass_allowed_protocols = $allowed_protocols;
 972  
 973      return preg_replace_callback( '%(<!--.*?(-->|$))|(<[^>]*(>|$)|>)%', '_wp_kses_split_callback', $string );
 974  }
 975  
 976  /**
 977   * Returns an array of HTML attribute names whose value contains a URL.
 978   *
 979   * This function returns a list of all HTML attributes that must contain
 980   * a URL according to the HTML specification.
 981   *
 982   * This list includes URI attributes both allowed and disallowed by KSES.
 983   *
 984   * @link https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes
 985   *
 986   * @since 5.0.1
 987   *
 988   * @return string[] HTML attribute names whose value contains a URL.
 989   */
 990  function wp_kses_uri_attributes() {
 991      $uri_attributes = array(
 992          'action',
 993          'archive',
 994          'background',
 995          'cite',
 996          'classid',
 997          'codebase',
 998          'data',
 999          'formaction',
1000          'href',
1001          'icon',
1002          'longdesc',
1003          'manifest',
1004          'poster',
1005          'profile',
1006          'src',
1007          'usemap',
1008          'xmlns',
1009      );
1010  
1011      /**
1012       * Filters the list of attributes that are required to contain a URL.
1013       *
1014       * Use this filter to add any `data-` attributes that are required to be
1015       * validated as a URL.
1016       *
1017       * @since 5.0.1
1018       *
1019       * @param string[] $uri_attributes HTML attribute names whose value contains a URL.
1020       */
1021      $uri_attributes = apply_filters( 'wp_kses_uri_attributes', $uri_attributes );
1022  
1023      return $uri_attributes;
1024  }
1025  
1026  /**
1027   * Callback for `wp_kses_split()`.
1028   *
1029   * @since 3.1.0
1030   * @access private
1031   * @ignore
1032   *
1033   * @global array[]|string $pass_allowed_html      An array of allowed HTML elements and attributes,
1034   *                                                or a context name such as 'post'.
1035   * @global string[]       $pass_allowed_protocols Array of allowed URL protocols.
1036   *
1037   * @param array $matches preg_replace regexp matches
1038   * @return string
1039   */
1040  function _wp_kses_split_callback( $match ) {
1041      global $pass_allowed_html, $pass_allowed_protocols;
1042  
1043      return wp_kses_split2( $match[0], $pass_allowed_html, $pass_allowed_protocols );
1044  }
1045  
1046  /**
1047   * Callback for `wp_kses_split()` for fixing malformed HTML tags.
1048   *
1049   * This function does a lot of work. It rejects some very malformed things like
1050   * `<:::>`. It returns an empty string, if the element isn't allowed (look ma, no
1051   * `strip_tags()`!). Otherwise it splits the tag into an element and an attribute
1052   * list.
1053   *
1054   * After the tag is split into an element and an attribute list, it is run
1055   * through another filter which will remove illegal attributes and once that is
1056   * completed, will be returned.
1057   *
1058   * @access private
1059   * @ignore
1060   * @since 1.0.0
1061   *
1062   * @param string         $string            Content to filter.
1063   * @param array[]|string $allowed_html      An array of allowed HTML elements and attributes,
1064   *                                          or a context name such as 'post'. See wp_kses_allowed_html()
1065   *                                          for the list of accepted context names.
1066   * @param string[]       $allowed_protocols Array of allowed URL protocols.
1067   * @return string Fixed HTML element
1068   */
1069  function wp_kses_split2( $string, $allowed_html, $allowed_protocols ) {
1070      $string = wp_kses_stripslashes( $string );
1071  
1072      // It matched a ">" character.
1073      if ( '<' !== substr( $string, 0, 1 ) ) {
1074          return '&gt;';
1075      }
1076  
1077      // Allow HTML comments.
1078      if ( '<!--' === substr( $string, 0, 4 ) ) {
1079          $string = str_replace( array( '<!--', '-->' ), '', $string );
1080          while ( ( $newstring = wp_kses( $string, $allowed_html, $allowed_protocols ) ) != $string ) {
1081              $string = $newstring;
1082          }
1083          if ( '' === $string ) {
1084              return '';
1085          }
1086          // Prevent multiple dashes in comments.
1087          $string = preg_replace( '/--+/', '-', $string );
1088          // Prevent three dashes closing a comment.
1089          $string = preg_replace( '/-$/', '', $string );
1090          return "<!--{$string}-->";
1091      }
1092  
1093      // It's seriously malformed.
1094      if ( ! preg_match( '%^<\s*(/\s*)?([a-zA-Z0-9-]+)([^>]*)>?$%', $string, $matches ) ) {
1095          return '';
1096      }
1097  
1098      $slash    = trim( $matches[1] );
1099      $elem     = $matches[2];
1100      $attrlist = $matches[3];
1101  
1102      if ( ! is_array( $allowed_html ) ) {
1103          $allowed_html = wp_kses_allowed_html( $allowed_html );
1104      }
1105  
1106      // They are using a not allowed HTML element.
1107      if ( ! isset( $allowed_html[ strtolower( $elem ) ] ) ) {
1108          return '';
1109      }
1110  
1111      // No attributes are allowed for closing elements.
1112      if ( '' !== $slash ) {
1113          return "</$elem>";
1114      }
1115  
1116      return wp_kses_attr( $elem, $attrlist, $allowed_html, $allowed_protocols );
1117  }
1118  
1119  /**
1120   * Removes all attributes, if none are allowed for this element.
1121   *
1122   * If some are allowed it calls `wp_kses_hair()` to split them further, and then
1123   * it builds up new HTML code from the data that `kses_hair()` returns. It also
1124   * removes `<` and `>` characters, if there are any left. One more thing it does
1125   * is to check if the tag has a closing XHTML slash, and if it does, it puts one
1126   * in the returned code as well.
1127   *
1128   * @since 1.0.0
1129   *
1130   * @param string         $element           HTML element/tag.
1131   * @param string         $attr              HTML attributes from HTML element to closing HTML element tag.
1132   * @param array[]|string $allowed_html      An array of allowed HTML elements and attributes,
1133   *                                          or a context name such as 'post'. See wp_kses_allowed_html()
1134   *                                          for the list of accepted context names.
1135   * @param string[]       $allowed_protocols Array of allowed URL protocols.
1136   * @return string Sanitized HTML element.
1137   */
1138  function wp_kses_attr( $element, $attr, $allowed_html, $allowed_protocols ) {
1139      if ( ! is_array( $allowed_html ) ) {
1140          $allowed_html = wp_kses_allowed_html( $allowed_html );
1141      }
1142  
1143      // Is there a closing XHTML slash at the end of the attributes?
1144      $xhtml_slash = '';
1145      if ( preg_match( '%\s*/\s*$%', $attr ) ) {
1146          $xhtml_slash = ' /';
1147      }
1148  
1149      // Are any attributes allowed at all for this element?
1150      $element_low = strtolower( $element );
1151      if ( empty( $allowed_html[ $element_low ] ) || true === $allowed_html[ $element_low ] ) {
1152          return "<$element$xhtml_slash>";
1153      }
1154  
1155      // Split it.
1156      $attrarr = wp_kses_hair( $attr, $allowed_protocols );
1157  
1158      // Go through $attrarr, and save the allowed attributes for this element
1159      // in $attr2.
1160      $attr2 = '';
1161      foreach ( $attrarr as $arreach ) {
1162          if ( wp_kses_attr_check( $arreach['name'], $arreach['value'], $arreach['whole'], $arreach['vless'], $element, $allowed_html ) ) {
1163              $attr2 .= ' ' . $arreach['whole'];
1164          }
1165      }
1166  
1167      // Remove any "<" or ">" characters.
1168      $attr2 = preg_replace( '/[<>]/', '', $attr2 );
1169  
1170      return "<$element$attr2$xhtml_slash>";
1171  }
1172  
1173  /**
1174   * Determines whether an attribute is allowed.
1175   *
1176   * @since 4.2.3
1177   * @since 5.0.0 Add support for `data-*` wildcard attributes.
1178   *
1179   * @param string $name         The attribute name. Passed by reference. Returns empty string when not allowed.
1180   * @param string $value        The attribute value. Passed by reference. Returns a filtered value.
1181   * @param string $whole        The `name=value` input. Passed by reference. Returns filtered input.
1182   * @param string $vless        Whether the attribute is valueless. Use 'y' or 'n'.
1183   * @param string $element      The name of the element to which this attribute belongs.
1184   * @param array  $allowed_html The full list of allowed elements and attributes.
1185   * @return bool Whether or not the attribute is allowed.
1186   */
1187  function wp_kses_attr_check( &$name, &$value, &$whole, $vless, $element, $allowed_html ) {
1188      $name_low    = strtolower( $name );
1189      $element_low = strtolower( $element );
1190  
1191      if ( ! isset( $allowed_html[ $element_low ] ) ) {
1192          $name  = '';
1193          $value = '';
1194          $whole = '';
1195          return false;
1196      }
1197  
1198      $allowed_attr = $allowed_html[ $element_low ];
1199  
1200      if ( ! isset( $allowed_attr[ $name_low ] ) || '' === $allowed_attr[ $name_low ] ) {
1201          /*
1202           * Allow `data-*` attributes.
1203           *
1204           * When specifying `$allowed_html`, the attribute name should be set as
1205           * `data-*` (not to be mixed with the HTML 4.0 `data` attribute, see
1206           * https://www.w3.org/TR/html40/struct/objects.html#adef-data).
1207           *
1208           * Note: the attribute name should only contain `A-Za-z0-9_-` chars,
1209           * double hyphens `--` are not accepted by WordPress.
1210           */
1211          if ( strpos( $name_low, 'data-' ) === 0 && ! empty( $allowed_attr['data-*'] ) && preg_match( '/^data(?:-[a-z0-9_]+)+$/', $name_low, $match ) ) {
1212              /*
1213               * Add the whole attribute name to the allowed attributes and set any restrictions
1214               * for the `data-*` attribute values for the current element.
1215               */
1216              $allowed_attr[ $match[0] ] = $allowed_attr['data-*'];
1217          } else {
1218              $name  = '';
1219              $value = '';
1220              $whole = '';
1221              return false;
1222          }
1223      }
1224  
1225      if ( 'style' === $name_low ) {
1226          $new_value = safecss_filter_attr( $value );
1227  
1228          if ( empty( $new_value ) ) {
1229              $name  = '';
1230              $value = '';
1231              $whole = '';
1232              return false;
1233          }
1234  
1235          $whole = str_replace( $value, $new_value, $whole );
1236          $value = $new_value;
1237      }
1238  
1239      if ( is_array( $allowed_attr[ $name_low ] ) ) {
1240          // There are some checks.
1241          foreach ( $allowed_attr[ $name_low ] as $currkey => $currval ) {
1242              if ( ! wp_kses_check_attr_val( $value, $vless, $currkey, $currval ) ) {
1243                  $name  = '';
1244                  $value = '';
1245                  $whole = '';
1246                  return false;
1247              }
1248          }
1249      }
1250  
1251      return true;
1252  }
1253  
1254  /**
1255   * Builds an attribute list from string containing attributes.
1256   *
1257   * This function does a lot of work. It parses an attribute list into an array
1258   * with attribute data, and tries to do the right thing even if it gets weird
1259   * input. It will add quotes around attribute values that don't have any quotes
1260   * or apostrophes around them, to make it easier to produce HTML code that will
1261   * conform to W3C's HTML specification. It will also remove bad URL protocols
1262   * from attribute values. It also reduces duplicate attributes by using the
1263   * attribute defined first (`foo='bar' foo='baz'` will result in `foo='bar'`).
1264   *
1265   * @since 1.0.0
1266   *
1267   * @param string   $attr              Attribute list from HTML element to closing HTML element tag.
1268   * @param string[] $allowed_protocols Array of allowed URL protocols.
1269   * @return array[] Array of attribute information after parsing.
1270   */
1271  function wp_kses_hair( $attr, $allowed_protocols ) {
1272      $attrarr  = array();
1273      $mode     = 0;
1274      $attrname = '';
1275      $uris     = wp_kses_uri_attributes();
1276  
1277      // Loop through the whole attribute list.
1278  
1279      while ( strlen( $attr ) != 0 ) {
1280          $working = 0; // Was the last operation successful?
1281  
1282          switch ( $mode ) {
1283              case 0:
1284                  if ( preg_match( '/^([_a-zA-Z][-_a-zA-Z0-9:.]*)/', $attr, $match ) ) {
1285                      $attrname = $match[1];
1286                      $working  = 1;
1287                      $mode     = 1;
1288                      $attr     = preg_replace( '/^[_a-zA-Z][-_a-zA-Z0-9:.]*/', '', $attr );
1289                  }
1290  
1291                  break;
1292  
1293              case 1:
1294                  if ( preg_match( '/^\s*=\s*/', $attr ) ) { // Equals sign.
1295                      $working = 1;
1296                      $mode    = 2;
1297                      $attr    = preg_replace( '/^\s*=\s*/', '', $attr );
1298                      break;
1299                  }
1300  
1301                  if ( preg_match( '/^\s+/', $attr ) ) { // Valueless.
1302                      $working = 1;
1303                      $mode    = 0;
1304                      if ( false === array_key_exists( $attrname, $attrarr ) ) {
1305                          $attrarr[ $attrname ] = array(
1306                              'name'  => $attrname,
1307                              'value' => '',
1308                              'whole' => $attrname,
1309                              'vless' => 'y',
1310                          );
1311                      }
1312                      $attr = preg_replace( '/^\s+/', '', $attr );
1313                  }
1314  
1315                  break;
1316  
1317              case 2:
1318                  if ( preg_match( '%^"([^"]*)"(\s+|/?$)%', $attr, $match ) ) {
1319                      // "value"
1320                      $thisval = $match[1];
1321                      if ( in_array( strtolower( $attrname ), $uris, true ) ) {
1322                          $thisval = wp_kses_bad_protocol( $thisval, $allowed_protocols );
1323                      }
1324  
1325                      if ( false === array_key_exists( $attrname, $attrarr ) ) {
1326                          $attrarr[ $attrname ] = array(
1327                              'name'  => $attrname,
1328                              'value' => $thisval,
1329                              'whole' => "$attrname=\"$thisval\"",
1330                              'vless' => 'n',
1331                          );
1332                      }
1333                      $working = 1;
1334                      $mode    = 0;
1335                      $attr    = preg_replace( '/^"[^"]*"(\s+|$)/', '', $attr );
1336                      break;
1337                  }
1338  
1339                  if ( preg_match( "%^'([^']*)'(\s+|/?$)%", $attr, $match ) ) {
1340                      // 'value'
1341                      $thisval = $match[1];
1342                      if ( in_array( strtolower( $attrname ), $uris, true ) ) {
1343                          $thisval = wp_kses_bad_protocol( $thisval, $allowed_protocols );
1344                      }
1345  
1346                      if ( false === array_key_exists( $attrname, $attrarr ) ) {
1347                          $attrarr[ $attrname ] = array(
1348                              'name'  => $attrname,
1349                              'value' => $thisval,
1350                              'whole' => "$attrname='$thisval'",
1351                              'vless' => 'n',
1352                          );
1353                      }
1354                      $working = 1;
1355                      $mode    = 0;
1356                      $attr    = preg_replace( "/^'[^']*'(\s+|$)/", '', $attr );
1357                      break;
1358                  }
1359  
1360                  if ( preg_match( "%^([^\s\"']+)(\s+|/?$)%", $attr, $match ) ) {
1361                      // value
1362                      $thisval = $match[1];
1363                      if ( in_array( strtolower( $attrname ), $uris, true ) ) {
1364                          $thisval = wp_kses_bad_protocol( $thisval, $allowed_protocols );
1365                      }
1366  
1367                      if ( false === array_key_exists( $attrname, $attrarr ) ) {
1368                          $attrarr[ $attrname ] = array(
1369                              'name'  => $attrname,
1370                              'value' => $thisval,
1371                              'whole' => "$attrname=\"$thisval\"",
1372                              'vless' => 'n',
1373                          );
1374                      }
1375                      // We add quotes to conform to W3C's HTML spec.
1376                      $working = 1;
1377                      $mode    = 0;
1378                      $attr    = preg_replace( "%^[^\s\"']+(\s+|$)%", '', $attr );
1379                  }
1380  
1381                  break;
1382          } // End switch.
1383  
1384          if ( 0 == $working ) { // Not well-formed, remove and try again.
1385              $attr = wp_kses_html_error( $attr );
1386              $mode = 0;
1387          }
1388      } // End while.
1389  
1390      if ( 1 == $mode && false === array_key_exists( $attrname, $attrarr ) ) {
1391          // Special case, for when the attribute list ends with a valueless
1392          // attribute like "selected".
1393          $attrarr[ $attrname ] = array(
1394              'name'  => $attrname,
1395              'value' => '',
1396              'whole' => $attrname,
1397              'vless' => 'y',
1398          );
1399      }
1400  
1401      return $attrarr;
1402  }
1403  
1404  /**
1405   * Finds all attributes of an HTML element.
1406   *
1407   * Does not modify input.  May return "evil" output.
1408   *
1409   * Based on `wp_kses_split2()` and `wp_kses_attr()`.
1410   *
1411   * @since 4.2.3
1412   *
1413   * @param string $element HTML element.
1414   * @return array|bool List of attributes found in the element. Returns false on failure.
1415   */
1416  function wp_kses_attr_parse( $element ) {
1417      $valid = preg_match( '%^(<\s*)(/\s*)?([a-zA-Z0-9]+\s*)([^>]*)(>?)$%', $element, $matches );
1418      if ( 1 !== $valid ) {
1419          return false;
1420      }
1421  
1422      $begin  = $matches[1];
1423      $slash  = $matches[2];
1424      $elname = $matches[3];
1425      $attr   = $matches[4];
1426      $end    = $matches[5];
1427  
1428      if ( '' !== $slash ) {
1429          // Closing elements do not get parsed.
1430          return false;
1431      }
1432  
1433      // Is there a closing XHTML slash at the end of the attributes?
1434      if ( 1 === preg_match( '%\s*/\s*$%', $attr, $matches ) ) {
1435          $xhtml_slash = $matches[0];
1436          $attr        = substr( $attr, 0, -strlen( $xhtml_slash ) );
1437      } else {
1438          $xhtml_slash = '';
1439      }
1440  
1441      // Split it.
1442      $attrarr = wp_kses_hair_parse( $attr );
1443      if ( false === $attrarr ) {
1444          return false;
1445      }
1446  
1447      // Make sure all input is returned by adding front and back matter.
1448      array_unshift( $attrarr, $begin . $slash . $elname );
1449      array_push( $attrarr, $xhtml_slash . $end );
1450  
1451      return $attrarr;
1452  }
1453  
1454  /**
1455   * Builds an attribute list from string containing attributes.
1456   *
1457   * Does not modify input.  May return "evil" output.
1458   * In case of unexpected input, returns false instead of stripping things.
1459   *
1460   * Based on `wp_kses_hair()` but does not return a multi-dimensional array.
1461   *
1462   * @since 4.2.3
1463   *
1464   * @param string $attr Attribute list from HTML element to closing HTML element tag.
1465   * @return array|bool List of attributes found in $attr. Returns false on failure.
1466   */
1467  function wp_kses_hair_parse( $attr ) {
1468      if ( '' === $attr ) {
1469          return array();
1470      }
1471  
1472      // phpcs:disable Squiz.Strings.ConcatenationSpacing.PaddingFound -- don't remove regex indentation
1473      $regex =
1474          '(?:'
1475          .     '[_a-zA-Z][-_a-zA-Z0-9:.]*' // Attribute name.
1476          . '|'
1477          .     '\[\[?[^\[\]]+\]\]?'        // Shortcode in the name position implies unfiltered_html.
1478          . ')'
1479          . '(?:'               // Attribute value.
1480          .     '\s*=\s*'       // All values begin with '='.
1481          .     '(?:'
1482          .         '"[^"]*"'   // Double-quoted.
1483          .     '|'
1484          .         "'[^']*'"   // Single-quoted.
1485          .     '|'
1486          .         '[^\s"\']+' // Non-quoted.
1487          .         '(?:\s|$)'  // Must have a space.
1488          .     ')'
1489          . '|'
1490          .     '(?:\s|$)'      // If attribute has no value, space is required.
1491          . ')'
1492          . '\s*';              // Trailing space is optional except as mentioned above.
1493      // phpcs:enable
1494  
1495      // Although it is possible to reduce this procedure to a single regexp,
1496      // we must run that regexp twice to get exactly the expected result.
1497  
1498      $validation = "%^($regex)+$%";
1499      $extraction = "%$regex%";
1500  
1501      if ( 1 === preg_match( $validation, $attr ) ) {
1502          preg_match_all( $extraction, $attr, $attrarr );
1503          return $attrarr[0];
1504      } else {
1505          return false;
1506      }
1507  }
1508  
1509  /**
1510   * Performs different checks for attribute values.
1511   *
1512   * The currently implemented checks are "maxlen", "minlen", "maxval", "minval",
1513   * and "valueless".
1514   *
1515   * @since 1.0.0
1516   *
1517   * @param string $value      Attribute value.
1518   * @param string $vless      Whether the attribute is valueless. Use 'y' or 'n'.
1519   * @param string $checkname  What $checkvalue is checking for.
1520   * @param mixed  $checkvalue What constraint the value should pass.
1521   * @return bool Whether check passes.
1522   */
1523  function wp_kses_check_attr_val( $value, $vless, $checkname, $checkvalue ) {
1524      $ok = true;
1525  
1526      switch ( strtolower( $checkname ) ) {
1527          case 'maxlen':
1528              /*
1529               * The maxlen check makes sure that the attribute value has a length not
1530               * greater than the given value. This can be used to avoid Buffer Overflows
1531               * in WWW clients and various Internet servers.
1532               */
1533  
1534              if ( strlen( $value ) > $checkvalue ) {
1535                  $ok = false;
1536              }
1537              break;
1538  
1539          case 'minlen':
1540              /*
1541               * The minlen check makes sure that the attribute value has a length not
1542               * smaller than the given value.
1543               */
1544  
1545              if ( strlen( $value ) < $checkvalue ) {
1546                  $ok = false;
1547              }
1548              break;
1549  
1550          case 'maxval':
1551              /*
1552               * The maxval check does two things: it checks that the attribute value is
1553               * an integer from 0 and up, without an excessive amount of zeroes or
1554               * whitespace (to avoid Buffer Overflows). It also checks that the attribute
1555               * value is not greater than the given value.
1556               * This check can be used to avoid Denial of Service attacks.
1557               */
1558  
1559              if ( ! preg_match( '/^\s{0,6}[0-9]{1,6}\s{0,6}$/', $value ) ) {
1560                  $ok = false;
1561              }
1562              if ( $value > $checkvalue ) {
1563                  $ok = false;
1564              }
1565              break;
1566  
1567          case 'minval':
1568              /*
1569               * The minval check makes sure that the attribute value is a positive integer,
1570               * and that it is not smaller than the given value.
1571               */
1572  
1573              if ( ! preg_match( '/^\s{0,6}[0-9]{1,6}\s{0,6}$/', $value ) ) {
1574                  $ok = false;
1575              }
1576              if ( $value < $checkvalue ) {
1577                  $ok = false;
1578              }
1579              break;
1580  
1581          case 'valueless':
1582              /*
1583               * The valueless check makes sure if the attribute has a value
1584               * (like `<a href="blah">`) or not (`<option selected>`). If the given value
1585               * is a "y" or a "Y", the attribute must not have a value.
1586               * If the given value is an "n" or an "N", the attribute must have a value.
1587               */
1588  
1589              if ( strtolower( $checkvalue ) != $vless ) {
1590                  $ok = false;
1591              }
1592              break;
1593      } // End switch.
1594  
1595      return $ok;
1596  }
1597  
1598  /**
1599   * Sanitizes a string and removed disallowed URL protocols.
1600   *
1601   * This function removes all non-allowed protocols from the beginning of the
1602   * string. It ignores whitespace and the case of the letters, and it does
1603   * understand HTML entities. It does its work recursively, so it won't be
1604   * fooled by a string like `javascript:javascript:alert(57)`.
1605   *
1606   * @since 1.0.0
1607   *
1608   * @param string   $string            Content to filter bad protocols from.
1609   * @param string[] $allowed_protocols Array of allowed URL protocols.
1610   * @return string Filtered content.
1611   */
1612  function wp_kses_bad_protocol( $string, $allowed_protocols ) {
1613      $string     = wp_kses_no_null( $string );
1614      $iterations = 0;
1615  
1616      do {
1617          $original_string = $string;
1618          $string          = wp_kses_bad_protocol_once( $string, $allowed_protocols );
1619      } while ( $original_string != $string && ++$iterations < 6 );
1620  
1621      if ( $original_string != $string ) {
1622          return '';
1623      }
1624  
1625      return $string;
1626  }
1627  
1628  /**
1629   * Removes any invalid control characters in a text string.
1630   *
1631   * Also removes any instance of the `\0` string.
1632   *
1633   * @since 1.0.0
1634   *
1635   * @param string $string  Content to filter null characters from.
1636   * @param array  $options Set 'slash_zero' => 'keep' when '\0' is allowed. Default is 'remove'.
1637   * @return string Filtered content.
1638   */
1639  function wp_kses_no_null( $string, $options = null ) {
1640      if ( ! isset( $options['slash_zero'] ) ) {
1641          $options = array( 'slash_zero' => 'remove' );
1642      }
1643  
1644      $string = preg_replace( '/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $string );
1645      if ( 'remove' === $options['slash_zero'] ) {
1646          $string = preg_replace( '/\\\\+0+/', '', $string );
1647      }
1648  
1649      return $string;
1650  }
1651  
1652  /**
1653   * Strips slashes from in front of quotes.
1654   *
1655   * This function changes the character sequence `\"` to just `"`. It leaves all other
1656   * slashes alone. The quoting from `preg_replace(//e)` requires this.
1657   *
1658   * @since 1.0.0
1659   *
1660   * @param string $string String to strip slashes from.
1661   * @return string Fixed string with quoted slashes.
1662   */
1663  function wp_kses_stripslashes( $string ) {
1664      return preg_replace( '%\\\\"%', '"', $string );
1665  }
1666  
1667  /**
1668   * Converts the keys of an array to lowercase.
1669   *
1670   * @since 1.0.0
1671   *
1672   * @param array $inarray Unfiltered array.
1673   * @return array Fixed array with all lowercase keys.
1674   */
1675  function wp_kses_array_lc( $inarray ) {
1676      $outarray = array();
1677  
1678      foreach ( (array) $inarray as $inkey => $inval ) {
1679          $outkey              = strtolower( $inkey );
1680          $outarray[ $outkey ] = array();
1681  
1682          foreach ( (array) $inval as $inkey2 => $inval2 ) {
1683              $outkey2                         = strtolower( $inkey2 );
1684              $outarray[ $outkey ][ $outkey2 ] = $inval2;
1685          }
1686      }
1687  
1688      return $outarray;
1689  }
1690  
1691  /**
1692   * Handles parsing errors in `wp_kses_hair()`.
1693   *
1694   * The general plan is to remove everything to and including some whitespace,
1695   * but it deals with quotes and apostrophes as well.
1696   *
1697   * @since 1.0.0
1698   *
1699   * @param string $string
1700   * @return string
1701   */
1702  function wp_kses_html_error( $string ) {
1703      return preg_replace( '/^("[^"]*("|$)|\'[^\']*(\'|$)|\S)*\s*/', '', $string );
1704  }
1705  
1706  /**
1707   * Sanitizes content from bad protocols and other characters.
1708   *
1709   * This function searches for URL protocols at the beginning of the string, while
1710   * handling whitespace and HTML entities.
1711   *
1712   * @since 1.0.0
1713   *
1714   * @param string   $string            Content to check for bad protocols.
1715   * @param string[] $allowed_protocols Array of allowed URL protocols.
1716   * @param int      $count             Depth of call recursion to this function.
1717   * @return string Sanitized content.
1718   */
1719  function wp_kses_bad_protocol_once( $string, $allowed_protocols, $count = 1 ) {
1720      $string  = preg_replace( '/(&#0*58(?![;0-9])|&#x0*3a(?![;a-f0-9]))/i', '$1;', $string );
1721      $string2 = preg_split( '/:|&#0*58;|&#x0*3a;|&colon;/i', $string, 2 );
1722      if ( isset( $string2[1] ) && ! preg_match( '%/\?%', $string2[0] ) ) {
1723          $string   = trim( $string2[1] );
1724          $protocol = wp_kses_bad_protocol_once2( $string2[0], $allowed_protocols );
1725          if ( 'feed:' === $protocol ) {
1726              if ( $count > 2 ) {
1727                  return '';
1728              }
1729              $string = wp_kses_bad_protocol_once( $string, $allowed_protocols, ++$count );
1730              if ( empty( $string ) ) {
1731                  return $string;
1732              }
1733          }
1734          $string = $protocol . $string;
1735      }
1736  
1737      return $string;
1738  }
1739  
1740  /**
1741   * Callback for `wp_kses_bad_protocol_once()` regular expression.
1742   *
1743   * This function processes URL protocols, checks to see if they're in the
1744   * list of allowed protocols or not, and returns different data depending
1745   * on the answer.
1746   *
1747   * @access private
1748   * @ignore
1749   * @since 1.0.0
1750   *
1751   * @param string   $string            URI scheme to check against the list of allowed protocols.
1752   * @param string[] $allowed_protocols Array of allowed URL protocols.
1753   * @return string Sanitized content.
1754   */
1755  function wp_kses_bad_protocol_once2( $string, $allowed_protocols ) {
1756      $string2 = wp_kses_decode_entities( $string );
1757      $string2 = preg_replace( '/\s/', '', $string2 );
1758      $string2 = wp_kses_no_null( $string2 );
1759      $string2 = strtolower( $string2 );
1760  
1761      $allowed = false;
1762      foreach ( (array) $allowed_protocols as $one_protocol ) {
1763          if ( strtolower( $one_protocol ) == $string2 ) {
1764              $allowed = true;
1765              break;
1766          }
1767      }
1768  
1769      if ( $allowed ) {
1770          return "$string2:";
1771      } else {
1772          return '';
1773      }
1774  }
1775  
1776  /**
1777   * Converts and fixes HTML entities.
1778   *
1779   * This function normalizes HTML entities. It will convert `AT&T` to the correct
1780   * `AT&amp;T`, `&#00058;` to `&#058;`, `&#XYZZY;` to `&amp;#XYZZY;` and so on.
1781   *
1782   * When `$context` is set to 'xml', HTML entities are converted to their code points.  For
1783   * example, `AT&T&hellip;&#XYZZY;` is converted to `AT&amp;T…&amp;#XYZZY;`.
1784   *
1785   * @since 1.0.0
1786   * @since 5.5.0 Added `$context` parameter.
1787   *
1788   * @param string $string  Content to normalize entities.
1789   * @param string $context Context for normalization. Can be either 'html' or 'xml'.
1790   *                        Default 'html'.
1791   * @return string Content with normalized entities.
1792   */
1793  function wp_kses_normalize_entities( $string, $context = 'html' ) {
1794      // Disarm all entities by converting & to &amp;
1795      $string = str_replace( '&', '&amp;', $string );
1796  
1797      // Change back the allowed entities in our list of allowed entities.
1798      if ( 'xml' === $context ) {
1799          $string = preg_replace_callback( '/&amp;([A-Za-z]{2,8}[0-9]{0,2});/', 'wp_kses_xml_named_entities', $string );
1800      } else {
1801          $string = preg_replace_callback( '/&amp;([A-Za-z]{2,8}[0-9]{0,2});/', 'wp_kses_named_entities', $string );
1802      }
1803      $string = preg_replace_callback( '/&amp;#(0*[0-9]{1,7});/', 'wp_kses_normalize_entities2', $string );
1804      $string = preg_replace_callback( '/&amp;#[Xx](0*[0-9A-Fa-f]{1,6});/', 'wp_kses_normalize_entities3', $string );
1805  
1806      return $string;
1807  }
1808  
1809  /**
1810   * Callback for `wp_kses_normalize_entities()` regular expression.
1811   *
1812   * This function only accepts valid named entity references, which are finite,
1813   * case-sensitive, and highly scrutinized by HTML and XML validators.
1814   *
1815   * @since 3.0.0
1816   *
1817   * @global array $allowedentitynames
1818   *
1819   * @param array $matches preg_replace_callback() matches array.
1820   * @return string Correctly encoded entity.
1821   */
1822  function wp_kses_named_entities( $matches ) {
1823      global $allowedentitynames;
1824  
1825      if ( empty( $matches[1] ) ) {
1826          return '';
1827      }
1828  
1829      $i = $matches[1];
1830      return ( ! in_array( $i, $allowedentitynames, true ) ) ? "&amp;$i;" : "&$i;";
1831  }
1832  
1833  /**
1834   * Callback for `wp_kses_normalize_entities()` regular expression.
1835   *
1836   * This function only accepts valid named entity references, which are finite,
1837   * case-sensitive, and highly scrutinized by XML validators.  HTML named entity
1838   * references are converted to their code points.
1839   *
1840   * @since 5.5.0
1841   *
1842   * @global array $allowedentitynames
1843   * @global array $allowedxmlnamedentities
1844   *
1845   * @param array $matches preg_replace_callback() matches array.
1846   * @return string Correctly encoded entity.
1847   */
1848  function wp_kses_xml_named_entities( $matches ) {
1849      global $allowedentitynames, $allowedxmlnamedentities;
1850  
1851      if ( empty( $matches[1] ) ) {
1852          return '';
1853      }
1854  
1855      $i = $matches[1];
1856  
1857      if ( in_array( $i, $allowedxmlnamedentities, true ) ) {
1858          return "&$i;";
1859      } elseif ( in_array( $i, $allowedentitynames, true ) ) {
1860          return html_entity_decode( "&$i;", ENT_HTML5 );
1861      }
1862  
1863      return "&amp;$i;";
1864  }
1865  
1866  /**
1867   * Callback for `wp_kses_normalize_entities()` regular expression.
1868   *
1869   * This function helps `wp_kses_normalize_entities()` to only accept 16-bit
1870   * values and nothing more for `&#number;` entities.
1871   *
1872   * @access private
1873   * @ignore
1874   * @since 1.0.0
1875   *
1876   * @param array $matches `preg_replace_callback()` matches array.
1877   * @return string Correctly encoded entity.
1878   */
1879  function wp_kses_normalize_entities2( $matches ) {
1880      if ( empty( $matches[1] ) ) {
1881          return '';
1882      }
1883  
1884      $i = $matches[1];
1885      if ( valid_unicode( $i ) ) {
1886          $i = str_pad( ltrim( $i, '0' ), 3, '0', STR_PAD_LEFT );
1887          $i = "&#$i;";
1888      } else {
1889          $i = "&amp;#$i;";
1890      }
1891  
1892      return $i;
1893  }
1894  
1895  /**
1896   * Callback for `wp_kses_normalize_entities()` for regular expression.
1897   *
1898   * This function helps `wp_kses_normalize_entities()` to only accept valid Unicode
1899   * numeric entities in hex form.
1900   *
1901   * @since 2.7.0
1902   * @access private
1903   * @ignore
1904   *
1905   * @param array $matches `preg_replace_callback()` matches array.
1906   * @return string Correctly encoded entity.
1907   */
1908  function wp_kses_normalize_entities3( $matches ) {
1909      if ( empty( $matches[1] ) ) {
1910          return '';
1911      }
1912  
1913      $hexchars = $matches[1];
1914      return ( ! valid_unicode( hexdec( $hexchars ) ) ) ? "&amp;#x$hexchars;" : '&#x' . ltrim( $hexchars, '0' ) . ';';
1915  }
1916  
1917  /**
1918   * Determines if a Unicode codepoint is valid.
1919   *
1920   * @since 2.7.0
1921   *
1922   * @param int $i Unicode codepoint.
1923   * @return bool Whether or not the codepoint is a valid Unicode codepoint.
1924   */
1925  function valid_unicode( $i ) {
1926      return ( 0x9 == $i || 0xa == $i || 0xd == $i ||
1927              ( 0x20 <= $i && $i <= 0xd7ff ) ||
1928              ( 0xe000 <= $i && $i <= 0xfffd ) ||
1929              ( 0x10000 <= $i && $i <= 0x10ffff ) );
1930  }
1931  
1932  /**
1933   * Converts all numeric HTML entities to their named counterparts.
1934   *
1935   * This function decodes numeric HTML entities (`&#65;` and `&#x41;`).
1936   * It doesn't do anything with named entities like `&auml;`, but we don't
1937   * need them in the allowed URL protocols system anyway.
1938   *
1939   * @since 1.0.0
1940   *
1941   * @param string $string Content to change entities.
1942   * @return string Content after decoded entities.
1943   */
1944  function wp_kses_decode_entities( $string ) {
1945      $string = preg_replace_callback( '/&#([0-9]+);/', '_wp_kses_decode_entities_chr', $string );
1946      $string = preg_replace_callback( '/&#[Xx]([0-9A-Fa-f]+);/', '_wp_kses_decode_entities_chr_hexdec', $string );
1947  
1948      return $string;
1949  }
1950  
1951  /**
1952   * Regex callback for `wp_kses_decode_entities()`.
1953   *
1954   * @since 2.9.0
1955   * @access private
1956   * @ignore
1957   *
1958   * @param array $match preg match
1959   * @return string
1960   */
1961  function _wp_kses_decode_entities_chr( $match ) {
1962      return chr( $match[1] );
1963  }
1964  
1965  /**
1966   * Regex callback for `wp_kses_decode_entities()`.
1967   *
1968   * @since 2.9.0
1969   * @access private
1970   * @ignore
1971   *
1972   * @param array $match preg match
1973   * @return string
1974   */
1975  function _wp_kses_decode_entities_chr_hexdec( $match ) {
1976      return chr( hexdec( $match[1] ) );
1977  }
1978  
1979  /**
1980   * Sanitize content with allowed HTML KSES rules.
1981   *
1982   * This function expects slashed data.
1983   *
1984   * @since 1.0.0
1985   *
1986   * @param string $data Content to filter, expected to be escaped with slashes.
1987   * @return string Filtered content.
1988   */
1989  function wp_filter_kses( $data ) {
1990      return addslashes( wp_kses( stripslashes( $data ), current_filter() ) );
1991  }
1992  
1993  /**
1994   * Sanitize content with allowed HTML KSES rules.
1995   *
1996   * This function expects unslashed data.
1997   *
1998   * @since 2.9.0
1999   *
2000   * @param string $data Content to filter, expected to not be escaped.
2001   * @return string Filtered content.
2002   */
2003  function wp_kses_data( $data ) {
2004      return wp_kses( $data, current_filter() );
2005  }
2006  
2007  /**
2008   * Sanitizes content for allowed HTML tags for post content.
2009   *
2010   * Post content refers to the page contents of the 'post' type and not `$_POST`
2011   * data from forms.
2012   *
2013   * This function expects slashed data.
2014   *
2015   * @since 2.0.0
2016   *
2017   * @param string $data Post content to filter, expected to be escaped with slashes.
2018   * @return string Filtered post content with allowed HTML tags and attributes intact.
2019   */
2020  function wp_filter_post_kses( $data ) {
2021      return addslashes( wp_kses( stripslashes( $data ), 'post' ) );
2022  }
2023  
2024  /**
2025   * Sanitizes content for allowed HTML tags for post content.
2026   *
2027   * Post content refers to the page contents of the 'post' type and not `$_POST`
2028   * data from forms.
2029   *
2030   * This function expects unslashed data.
2031   *
2032   * @since 2.9.0
2033   *
2034   * @param string $data Post content to filter.
2035   * @return string Filtered post content with allowed HTML tags and attributes intact.
2036   */
2037  function wp_kses_post( $data ) {
2038      return wp_kses( $data, 'post' );
2039  }
2040  
2041  /**
2042   * Navigates through an array, object, or scalar, and sanitizes content for
2043   * allowed HTML tags for post content.
2044   *
2045   * @since 4.4.2
2046   *
2047   * @see map_deep()
2048   *
2049   * @param mixed $data The array, object, or scalar value to inspect.
2050   * @return mixed The filtered content.
2051   */
2052  function wp_kses_post_deep( $data ) {
2053      return map_deep( $data, 'wp_kses_post' );
2054  }
2055  
2056  /**
2057   * Strips all HTML from a text string.
2058   *
2059   * This function expects slashed data.
2060   *
2061   * @since 2.1.0
2062   *
2063   * @param string $data Content to strip all HTML from.
2064   * @return string Filtered content without any HTML.
2065   */
2066  function wp_filter_nohtml_kses( $data ) {
2067      return addslashes( wp_kses( stripslashes( $data ), 'strip' ) );
2068  }
2069  
2070  /**
2071   * Adds all KSES input form content filters.
2072   *
2073   * All hooks have default priority. The `wp_filter_kses()` function is added to
2074   * the 'pre_comment_content' and 'title_save_pre' hooks.
2075   *
2076   * The `wp_filter_post_kses()` function is added to the 'content_save_pre',
2077   * 'excerpt_save_pre', and 'content_filtered_save_pre' hooks.
2078   *
2079   * @since 2.0.0
2080   */
2081  function kses_init_filters() {
2082      // Normal filtering.
2083      add_filter( 'title_save_pre', 'wp_filter_kses' );
2084  
2085      // Comment filtering.
2086      if ( current_user_can( 'unfiltered_html' ) ) {
2087          add_filter( 'pre_comment_content', 'wp_filter_post_kses' );
2088      } else {
2089          add_filter( 'pre_comment_content', 'wp_filter_kses' );
2090      }
2091  
2092      // Post filtering.
2093      add_filter( 'content_save_pre', 'wp_filter_post_kses' );
2094      add_filter( 'excerpt_save_pre', 'wp_filter_post_kses' );
2095      add_filter( 'content_filtered_save_pre', 'wp_filter_post_kses' );
2096  }
2097  
2098  /**
2099   * Removes all KSES input form content filters.
2100   *
2101   * A quick procedural method to removing all of the filters that KSES uses for
2102   * content in WordPress Loop.
2103   *
2104   * Does not remove the `kses_init()` function from {@see 'init'} hook (priority is
2105   * default). Also does not remove `kses_init()` function from {@see 'set_current_user'}
2106   * hook (priority is also default).
2107   *
2108   * @since 2.0.6
2109   */
2110  function kses_remove_filters() {
2111      // Normal filtering.
2112      remove_filter( 'title_save_pre', 'wp_filter_kses' );
2113  
2114      // Comment filtering.
2115      remove_filter( 'pre_comment_content', 'wp_filter_post_kses' );
2116      remove_filter( 'pre_comment_content', 'wp_filter_kses' );
2117  
2118      // Post filtering.
2119      remove_filter( 'content_save_pre', 'wp_filter_post_kses' );
2120      remove_filter( 'excerpt_save_pre', 'wp_filter_post_kses' );
2121      remove_filter( 'content_filtered_save_pre', 'wp_filter_post_kses' );
2122  }
2123  
2124  /**
2125   * Sets up most of the KSES filters for input form content.
2126   *
2127   * First removes all of the KSES filters in case the current user does not need
2128   * to have KSES filter the content. If the user does not have `unfiltered_html`
2129   * capability, then KSES filters are added.
2130   *
2131   * @since 2.0.0
2132   */
2133  function kses_init() {
2134      kses_remove_filters();
2135  
2136      if ( ! current_user_can( 'unfiltered_html' ) ) {
2137          kses_init_filters();
2138      }
2139  }
2140  
2141  /**
2142   * Filters an inline style attribute and removes disallowed rules.
2143   *
2144   * @since 2.8.1
2145   *
2146   * @param string $css        A string of CSS rules.
2147   * @param string $deprecated Not used.
2148   * @return string Filtered string of CSS rules.
2149   */
2150  function safecss_filter_attr( $css, $deprecated = '' ) {
2151      if ( ! empty( $deprecated ) ) {
2152          _deprecated_argument( __FUNCTION__, '2.8.1' ); // Never implemented.
2153      }
2154  
2155      $css = wp_kses_no_null( $css );
2156      $css = str_replace( array( "\n", "\r", "\t" ), '', $css );
2157  
2158      $allowed_protocols = wp_allowed_protocols();
2159  
2160      $css_array = explode( ';', trim( $css ) );
2161  
2162      /**
2163       * Filters list of allowed CSS attributes.
2164       *
2165       * @since 2.8.1
2166       * @since 4.4.0 Added support for `min-height`, `max-height`, `min-width`, and `max-width`.
2167       * @since 4.6.0 Added support for `list-style-type`.
2168       * @since 5.0.0 Added support for `background-image`.
2169       * @since 5.1.0 Added support for `text-transform`.
2170       * @since 5.2.0 Added support for `background-position` and `grid-template-columns`.
2171       * @since 5.3.0 Added support for `grid`, `flex` and `column` layout properties.
2172       *              Extend `background-*` support of individual properties.
2173       * @since 5.3.1 Added support for gradient backgrounds.
2174       *
2175       * @param string[] $attr Array of allowed CSS attributes.
2176       */
2177      $allowed_attr = apply_filters(
2178          'safe_style_css',
2179          array(
2180              'background',
2181              'background-color',
2182              'background-image',
2183              'background-position',
2184              'background-size',
2185              'background-attachment',
2186              'background-blend-mode',
2187  
2188              'border',
2189              'border-radius',
2190              'border-width',
2191              'border-color',
2192              'border-style',
2193              'border-right',
2194              'border-right-color',
2195              'border-right-style',
2196              'border-right-width',
2197              'border-bottom',
2198              'border-bottom-color',
2199              'border-bottom-style',
2200              'border-bottom-width',
2201              'border-left',
2202              'border-left-color',
2203              'border-left-style',
2204              'border-left-width',
2205              'border-top',
2206              'border-top-color',
2207              'border-top-style',
2208              'border-top-width',
2209  
2210              'border-spacing',
2211              'border-collapse',
2212              'caption-side',
2213  
2214              'columns',
2215              'column-count',
2216              'column-fill',
2217              'column-gap',
2218              'column-rule',
2219              'column-span',
2220              'column-width',
2221  
2222              'color',
2223              'font',
2224              'font-family',
2225              'font-size',
2226              'font-style',
2227              'font-variant',
2228              'font-weight',
2229              'letter-spacing',
2230              'line-height',
2231              'text-align',
2232              'text-decoration',
2233              'text-indent',
2234              'text-transform',
2235  
2236              'height',
2237              'min-height',
2238              'max-height',
2239  
2240              'width',
2241              'min-width',
2242              'max-width',
2243  
2244              'margin',
2245              'margin-right',
2246              'margin-bottom',
2247              'margin-left',
2248              'margin-top',
2249  
2250              'padding',
2251              'padding-right',
2252              'padding-bottom',
2253              'padding-left',
2254              'padding-top',
2255  
2256              'flex',
2257              'flex-basis',
2258              'flex-direction',
2259              'flex-flow',
2260              'flex-grow',
2261              'flex-shrink',
2262  
2263              'grid-template-columns',
2264              'grid-auto-columns',
2265              'grid-column-start',
2266              'grid-column-end',
2267              'grid-column-gap',
2268              'grid-template-rows',
2269              'grid-auto-rows',
2270              'grid-row-start',
2271              'grid-row-end',
2272              'grid-row-gap',
2273              'grid-gap',
2274  
2275              'justify-content',
2276              'justify-items',
2277              'justify-self',
2278              'align-content',
2279              'align-items',
2280              'align-self',
2281  
2282              'clear',
2283              'cursor',
2284              'direction',
2285              'float',
2286              'list-style-type',
2287              'overflow',
2288              'vertical-align',
2289          )
2290      );
2291  
2292      /*
2293       * CSS attributes that accept URL data types.
2294       *
2295       * This is in accordance to the CSS spec and unrelated to
2296       * the sub-set of supported attributes above.
2297       *
2298       * See: https://developer.mozilla.org/en-US/docs/Web/CSS/url
2299       */
2300      $css_url_data_types = array(
2301          'background',
2302          'background-image',
2303  
2304          'cursor',
2305  
2306          'list-style',
2307          'list-style-image',
2308      );
2309  
2310      /*
2311       * CSS attributes that accept gradient data types.
2312       *
2313       */
2314      $css_gradient_data_types = array(
2315          'background',
2316          'background-image',
2317      );
2318  
2319      if ( empty( $allowed_attr ) ) {
2320          return $css;
2321      }
2322  
2323      $css = '';
2324      foreach ( $css_array as $css_item ) {
2325          if ( '' === $css_item ) {
2326              continue;
2327          }
2328  
2329          $css_item        = trim( $css_item );
2330          $css_test_string = $css_item;
2331          $found           = false;
2332          $url_attr        = false;
2333          $gradient_attr   = false;
2334  
2335          if ( strpos( $css_item, ':' ) === false ) {
2336              $found = true;
2337          } else {
2338              $parts        = explode( ':', $css_item, 2 );
2339              $css_selector = trim( $parts[0] );
2340  
2341              if ( in_array( $css_selector, $allowed_attr, true ) ) {
2342                  $found         = true;
2343                  $url_attr      = in_array( $css_selector, $css_url_data_types, true );
2344                  $gradient_attr = in_array( $css_selector, $css_gradient_data_types, true );
2345              }
2346          }
2347  
2348          if ( $found && $url_attr ) {
2349              // Simplified: matches the sequence `url(*)`.
2350              preg_match_all( '/url\([^)]+\)/', $parts[1], $url_matches );
2351  
2352              foreach ( $url_matches[0] as $url_match ) {
2353                  // Clean up the URL from each of the matches above.
2354                  preg_match( '/^url\(\s*([\'\"]?)(.*)(\g1)\s*\)$/', $url_match, $url_pieces );
2355  
2356                  if ( empty( $url_pieces[2] ) ) {
2357                      $found = false;
2358                      break;
2359                  }
2360  
2361                  $url = trim( $url_pieces[2] );
2362  
2363                  if ( empty( $url ) || wp_kses_bad_protocol( $url, $allowed_protocols ) !== $url ) {
2364                      $found = false;
2365                      break;
2366                  } else {
2367                      // Remove the whole `url(*)` bit that was matched above from the CSS.
2368                      $css_test_string = str_replace( $url_match, '', $css_test_string );
2369                  }
2370              }
2371          }
2372  
2373          if ( $found && $gradient_attr ) {
2374              $css_value = trim( $parts[1] );
2375              if ( preg_match( '/^(repeating-)?(linear|radial|conic)-gradient\(([^()]|rgb[a]?\([^()]*\))*\)$/', $css_value ) ) {
2376                  // Remove the whole `gradient` bit that was matched above from the CSS.
2377                  $css_test_string = str_replace( $css_value, '', $css_test_string );
2378              }
2379          }
2380  
2381          if ( $found ) {
2382              // Check for any CSS containing \ ( & } = or comments, except for url() usage checked above.
2383              $allow_css = ! preg_match( '%[\\\(&=}]|/\*%', $css_test_string );
2384  
2385              /**
2386               * Filters the check for unsafe CSS in `safecss_filter_attr`.
2387               *
2388               * Enables developers to determine whether a section of CSS should be allowed or discarded.
2389               * By default, the value will be false if the part contains \ ( & } = or comments.
2390               * Return true to allow the CSS part to be included in the output.
2391               *
2392               * @since 5.5.0
2393               *
2394               * @param bool   $allow_css       Whether the CSS in the test string is considered safe.
2395               * @param string $css_test_string The CSS string to test.
2396               */
2397              $allow_css = apply_filters( 'safecss_filter_attr_allow_css', $allow_css, $css_test_string );
2398  
2399               // Only add the CSS part if it passes the regex check.
2400              if ( $allow_css ) {
2401                  if ( '' !== $css ) {
2402                      $css .= ';';
2403                  }
2404  
2405                  $css .= $css_item;
2406              }
2407          }
2408      }
2409  
2410      return $css;
2411  }
2412  
2413  /**
2414   * Helper function to add global attributes to a tag in the allowed HTML list.
2415   *
2416   * @since 3.5.0
2417   * @since 5.0.0 Add support for `data-*` wildcard attributes.
2418   * @access private
2419   * @ignore
2420   *
2421   * @param array $value An array of attributes.
2422   * @return array The array of attributes with global attributes added.
2423   */
2424  function _wp_add_global_attributes( $value ) {
2425      $global_attributes = array(
2426          'aria-describedby' => true,
2427          'aria-details'     => true,
2428          'aria-label'       => true,
2429          'aria-labelledby'  => true,
2430          'aria-hidden'      => true,
2431          'class'            => true,
2432          'id'               => true,
2433          'style'            => true,
2434          'title'            => true,
2435          'role'             => true,
2436          'data-*'           => true,
2437      );
2438  
2439      if ( true === $value ) {
2440          $value = array();
2441      }
2442  
2443      if ( is_array( $value ) ) {
2444          return array_merge( $value, $global_attributes );
2445      }
2446  
2447      return $value;
2448  }


Generated: Sat Nov 28 01:00:03 2020 Cross-referenced by PHPXref 0.7.1