/bp-forums/bbpress/bb-includes/backpress/functions.kses.php

  1. <?php 
  2. // Last sync [WP17185] 
  3.  
  4. /** 
  5. * kses 0.2.2 - HTML/XHTML filter that only allows some elements and attributes 
  6. * Copyright (C) 2002, 2003, 2005 Ulf Harnhammar 
  7. * 
  8. * This program is free software and open source software; you can redistribute 
  9. * it and/or modify it under the terms of the GNU General Public License as 
  10. * published by the Free Software Foundation; either version 2 of the License,  
  11. * or (at your option) any later version. 
  12. * 
  13. * This program is distributed in the hope that it will be useful, but WITHOUT 
  14. * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 
  15. * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for 
  16. * more details. 
  17. * 
  18. * You should have received a copy of the GNU General Public License along 
  19. * with this program; if not, write to the Free Software Foundation, Inc.,  
  20. * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA or visit 
  21. * http://www.gnu.org/licenses/gpl.html 
  22. *  
  23. * [kses strips evil scripts!] 
  24. * 
  25. * Added wp_ prefix to avoid conflicts with existing kses users 
  26. * 
  27. * @version 0.2.2 
  28. * @copyright (C) 2002, 2003, 2005 
  29. * @author Ulf Harnhammar <http://advogato.org/person/metaur/> 
  30. * 
  31. * @package External 
  32. * @subpackage KSES 
  33. * 
  34. */ 
  35.  
  36. /** 
  37. * You can override this in a plugin. 
  38. * 
  39. * @since 1.2.0 
  40. */ 
  41. if ( ! defined( 'BP_CUSTOM_TAGS' ) ) 
  42. define( 'BP_CUSTOM_TAGS', false ); 
  43.  
  44. if ( ! BP_CUSTOM_TAGS ) { 
  45. /** 
  46. * Kses global for default allowable HTML tags. 
  47. * 
  48. * Can be override by using CUSTOM_TAGS constant. 
  49. * 
  50. * @global array $allowedposttags 
  51. * @since 2.0.0 
  52. */ 
  53. $allowedposttags = array( 
  54. 'address' => array(),  
  55. 'a' => array( 
  56. 'class' => array (),  
  57. 'href' => array (),  
  58. 'id' => array (),  
  59. 'title' => array (),  
  60. 'rel' => array (),  
  61. 'rev' => array (),  
  62. 'name' => array (),  
  63. 'target' => array()),  
  64. 'abbr' => array( 
  65. 'class' => array (),  
  66. 'title' => array ()),  
  67. 'acronym' => array( 
  68. 'title' => array ()),  
  69. 'article' => array( 
  70. 'align' => array (),  
  71. 'class' => array (),  
  72. 'dir' => array (),  
  73. 'lang' => array(),  
  74. 'style' => array (),  
  75. 'xml:lang' => array(),  
  76. ),  
  77. 'aside' => array( 
  78. 'align' => array (),  
  79. 'class' => array (),  
  80. 'dir' => array (),  
  81. 'lang' => array(),  
  82. 'style' => array (),  
  83. 'xml:lang' => array(),  
  84. ),  
  85. 'b' => array(),  
  86. 'big' => array(),  
  87. 'blockquote' => array( 
  88. 'id' => array (),  
  89. 'cite' => array (),  
  90. 'class' => array(),  
  91. 'lang' => array(),  
  92. 'xml:lang' => array()),  
  93. 'br' => array ( 
  94. 'class' => array ()),  
  95. 'button' => array( 
  96. 'disabled' => array (),  
  97. 'name' => array (),  
  98. 'type' => array (),  
  99. 'value' => array ()),  
  100. 'caption' => array( 
  101. 'align' => array (),  
  102. 'class' => array ()),  
  103. 'cite' => array ( 
  104. 'class' => array(),  
  105. 'dir' => array(),  
  106. 'lang' => array(),  
  107. 'title' => array ()),  
  108. 'code' => array ( 
  109. 'style' => array()),  
  110. 'col' => array( 
  111. 'align' => array (),  
  112. 'char' => array (),  
  113. 'charoff' => array (),  
  114. 'span' => array (),  
  115. 'dir' => array(),  
  116. 'style' => array (),  
  117. 'valign' => array (),  
  118. 'width' => array ()),  
  119. 'del' => array( 
  120. 'datetime' => array ()),  
  121. 'dd' => array(),  
  122. 'details' => array( 
  123. 'align' => array (),  
  124. 'class' => array (),  
  125. 'dir' => array (),  
  126. 'lang' => array(),  
  127. 'open' => array (),  
  128. 'style' => array (),  
  129. 'xml:lang' => array(),  
  130. ),  
  131. 'div' => array( 
  132. 'align' => array (),  
  133. 'class' => array (),  
  134. 'dir' => array (),  
  135. 'lang' => array(),  
  136. 'style' => array (),  
  137. 'xml:lang' => array()),  
  138. 'dl' => array(),  
  139. 'dt' => array(),  
  140. 'em' => array(),  
  141. 'fieldset' => array(),  
  142. 'figure' => array( 
  143. 'align' => array (),  
  144. 'class' => array (),  
  145. 'dir' => array (),  
  146. 'lang' => array(),  
  147. 'style' => array (),  
  148. 'xml:lang' => array(),  
  149. ),  
  150. 'figcaption' => array( 
  151. 'align' => array (),  
  152. 'class' => array (),  
  153. 'dir' => array (),  
  154. 'lang' => array(),  
  155. 'style' => array (),  
  156. 'xml:lang' => array(),  
  157. ),  
  158. 'font' => array( 
  159. 'color' => array (),  
  160. 'face' => array (),  
  161. 'size' => array ()),  
  162. 'footer' => array( 
  163. 'align' => array (),  
  164. 'class' => array (),  
  165. 'dir' => array (),  
  166. 'lang' => array(),  
  167. 'style' => array (),  
  168. 'xml:lang' => array(),  
  169. ),  
  170. 'form' => array( 
  171. 'action' => array (),  
  172. 'accept' => array (),  
  173. 'accept-charset' => array (),  
  174. 'enctype' => array (),  
  175. 'method' => array (),  
  176. 'name' => array (),  
  177. 'target' => array ()),  
  178. 'h1' => array( 
  179. 'align' => array (),  
  180. 'class' => array (),  
  181. 'id' => array (),  
  182. 'style' => array ()),  
  183. 'h2' => array ( 
  184. 'align' => array (),  
  185. 'class' => array (),  
  186. 'id' => array (),  
  187. 'style' => array ()),  
  188. 'h3' => array ( 
  189. 'align' => array (),  
  190. 'class' => array (),  
  191. 'id' => array (),  
  192. 'style' => array ()),  
  193. 'h4' => array ( 
  194. 'align' => array (),  
  195. 'class' => array (),  
  196. 'id' => array (),  
  197. 'style' => array ()),  
  198. 'h5' => array ( 
  199. 'align' => array (),  
  200. 'class' => array (),  
  201. 'id' => array (),  
  202. 'style' => array ()),  
  203. 'h6' => array ( 
  204. 'align' => array (),  
  205. 'class' => array (),  
  206. 'id' => array (),  
  207. 'style' => array ()),  
  208. 'header' => array( 
  209. 'align' => array (),  
  210. 'class' => array (),  
  211. 'dir' => array (),  
  212. 'lang' => array(),  
  213. 'style' => array (),  
  214. 'xml:lang' => array(),  
  215. ),  
  216. 'hgroup' => array( 
  217. 'align' => array (),  
  218. 'class' => array (),  
  219. 'dir' => array (),  
  220. 'lang' => array(),  
  221. 'style' => array (),  
  222. 'xml:lang' => array(),  
  223. ),  
  224. 'hr' => array ( 
  225. 'align' => array (),  
  226. 'class' => array (),  
  227. 'noshade' => array (),  
  228. 'size' => array (),  
  229. 'width' => array ()),  
  230. 'i' => array(),  
  231. 'img' => array( 
  232. 'alt' => array (),  
  233. 'align' => array (),  
  234. 'border' => array (),  
  235. 'class' => array (),  
  236. 'height' => array (),  
  237. 'hspace' => array (),  
  238. 'longdesc' => array (),  
  239. 'vspace' => array (),  
  240. 'src' => array (),  
  241. 'style' => array (),  
  242. 'width' => array ()),  
  243. 'ins' => array( 
  244. 'datetime' => array (),  
  245. 'cite' => array ()),  
  246. 'kbd' => array(),  
  247. 'label' => array( 
  248. 'for' => array ()),  
  249. 'legend' => array( 
  250. 'align' => array ()),  
  251. 'li' => array ( 
  252. 'align' => array (),  
  253. 'class' => array ()),  
  254. 'menu' => array ( 
  255. 'class' => array (),  
  256. 'style' => array (),  
  257. 'type' => array ()),  
  258. 'nav' => array( 
  259. 'align' => array (),  
  260. 'class' => array (),  
  261. 'dir' => array (),  
  262. 'lang' => array(),  
  263. 'style' => array (),  
  264. 'xml:lang' => array(),  
  265. ),  
  266. 'p' => array( 
  267. 'class' => array (),  
  268. 'align' => array (),  
  269. 'dir' => array(),  
  270. 'lang' => array(),  
  271. 'style' => array (),  
  272. 'xml:lang' => array()),  
  273. 'pre' => array( 
  274. 'style' => array(),  
  275. 'width' => array ()),  
  276. 'q' => array( 
  277. 'cite' => array ()),  
  278. 's' => array(),  
  279. 'span' => array ( 
  280. 'class' => array (),  
  281. 'dir' => array (),  
  282. 'align' => array (),  
  283. 'lang' => array (),  
  284. 'style' => array (),  
  285. 'title' => array (),  
  286. 'xml:lang' => array()),  
  287. 'section' => array( 
  288. 'align' => array (),  
  289. 'class' => array (),  
  290. 'dir' => array (),  
  291. 'lang' => array(),  
  292. 'style' => array (),  
  293. 'xml:lang' => array(),  
  294. ),  
  295. 'strike' => array(),  
  296. 'strong' => array(),  
  297. 'sub' => array(),  
  298. 'summary' => array( 
  299. 'align' => array (),  
  300. 'class' => array (),  
  301. 'dir' => array (),  
  302. 'lang' => array(),  
  303. 'style' => array (),  
  304. 'xml:lang' => array(),  
  305. ),  
  306. 'sup' => array(),  
  307. 'table' => array( 
  308. 'align' => array (),  
  309. 'bgcolor' => array (),  
  310. 'border' => array (),  
  311. 'cellpadding' => array (),  
  312. 'cellspacing' => array (),  
  313. 'class' => array (),  
  314. 'dir' => array(),  
  315. 'id' => array(),  
  316. 'rules' => array (),  
  317. 'style' => array (),  
  318. 'summary' => array (),  
  319. 'width' => array ()),  
  320. 'tbody' => array( 
  321. 'align' => array (),  
  322. 'char' => array (),  
  323. 'charoff' => array (),  
  324. 'valign' => array ()),  
  325. 'td' => array( 
  326. 'abbr' => array (),  
  327. 'align' => array (),  
  328. 'axis' => array (),  
  329. 'bgcolor' => array (),  
  330. 'char' => array (),  
  331. 'charoff' => array (),  
  332. 'class' => array (),  
  333. 'colspan' => array (),  
  334. 'dir' => array(),  
  335. 'headers' => array (),  
  336. 'height' => array (),  
  337. 'nowrap' => array (),  
  338. 'rowspan' => array (),  
  339. 'scope' => array (),  
  340. 'style' => array (),  
  341. 'valign' => array (),  
  342. 'width' => array ()),  
  343. 'textarea' => array( 
  344. 'cols' => array (),  
  345. 'rows' => array (),  
  346. 'disabled' => array (),  
  347. 'name' => array (),  
  348. 'readonly' => array ()),  
  349. 'tfoot' => array( 
  350. 'align' => array (),  
  351. 'char' => array (),  
  352. 'class' => array (),  
  353. 'charoff' => array (),  
  354. 'valign' => array ()),  
  355. 'th' => array( 
  356. 'abbr' => array (),  
  357. 'align' => array (),  
  358. 'axis' => array (),  
  359. 'bgcolor' => array (),  
  360. 'char' => array (),  
  361. 'charoff' => array (),  
  362. 'class' => array (),  
  363. 'colspan' => array (),  
  364. 'headers' => array (),  
  365. 'height' => array (),  
  366. 'nowrap' => array (),  
  367. 'rowspan' => array (),  
  368. 'scope' => array (),  
  369. 'valign' => array (),  
  370. 'width' => array ()),  
  371. 'thead' => array( 
  372. 'align' => array (),  
  373. 'char' => array (),  
  374. 'charoff' => array (),  
  375. 'class' => array (),  
  376. 'valign' => array ()),  
  377. 'title' => array(),  
  378. 'tr' => array( 
  379. 'align' => array (),  
  380. 'bgcolor' => array (),  
  381. 'char' => array (),  
  382. 'charoff' => array (),  
  383. 'class' => array (),  
  384. 'style' => array (),  
  385. 'valign' => array ()),  
  386. 'tt' => array(),  
  387. 'u' => array(),  
  388. 'ul' => array ( 
  389. 'class' => array (),  
  390. 'style' => array (),  
  391. 'type' => array ()),  
  392. 'ol' => array ( 
  393. 'class' => array (),  
  394. 'start' => array (),  
  395. 'style' => array (),  
  396. 'type' => array ()),  
  397. 'var' => array ()); 
  398.  
  399. /** 
  400. * Kses allowed HTML elements. 
  401. * 
  402. * @global array $allowedtags 
  403. * @since 1.0.0 
  404. */ 
  405. $allowedtags = array( 
  406. 'a' => array( 
  407. 'href' => array (),  
  408. 'title' => array ()),  
  409. 'abbr' => array( 
  410. 'title' => array ()),  
  411. 'acronym' => array( 
  412. 'title' => array ()),  
  413. 'b' => array(),  
  414. 'blockquote' => array( 
  415. 'cite' => array ()),  
  416. // 'br' => array(),  
  417. 'cite' => array (),  
  418. 'code' => array(),  
  419. 'del' => array( 
  420. 'datetime' => array ()),  
  421. // 'dd' => array(),  
  422. // 'dl' => array(),  
  423. // 'dt' => array(),  
  424. 'em' => array (), 'i' => array (),  
  425. // 'ins' => array('datetime' => array(), 'cite' => array()),  
  426. // 'li' => array(),  
  427. // 'ol' => array(),  
  428. // 'p' => array(),  
  429. 'q' => array( 
  430. 'cite' => array ()),  
  431. 'strike' => array(),  
  432. 'strong' => array(),  
  433. // 'sub' => array(),  
  434. // 'sup' => array(),  
  435. // 'u' => array(),  
  436. // 'ul' => array(),  
  437. ); 
  438.  
  439. $allowedentitynames = array( 
  440. 'nbsp', 'iexcl', 'cent', 'pound', 'curren', 'yen',  
  441. 'brvbar', 'sect', 'uml', 'copy', 'ordf', 'laquo',  
  442. 'not', 'shy', 'reg', 'macr', 'deg', 'plusmn',  
  443. 'acute', 'micro', 'para', 'middot', 'cedil', 'ordm',  
  444. 'raquo', 'iquest', 'Agrave', 'Aacute', 'Acirc', 'Atilde',  
  445. 'Auml', 'Aring', 'AElig', 'Ccedil', 'Egrave', 'Eacute',  
  446. 'Ecirc', 'Euml', 'Igrave', 'Iacute', 'Icirc', 'Iuml',  
  447. 'ETH', 'Ntilde', 'Ograve', 'Oacute', 'Ocirc', 'Otilde',  
  448. 'Ouml', 'times', 'Oslash', 'Ugrave', 'Uacute', 'Ucirc',  
  449. 'Uuml', 'Yacute', 'THORN', 'szlig', 'agrave', 'aacute',  
  450. 'acirc', 'atilde', 'auml', 'aring', 'aelig', 'ccedil',  
  451. 'egrave', 'eacute', 'ecirc', 'euml', 'igrave', 'iacute',  
  452. 'icirc', 'iuml', 'eth', 'ntilde', 'ograve', 'oacute',  
  453. 'ocirc', 'otilde', 'ouml', 'divide', 'oslash', 'ugrave',  
  454. 'uacute', 'ucirc', 'uuml', 'yacute', 'thorn', 'yuml',  
  455. 'quot', 'amp', 'lt', 'gt', 'apos', 'OElig',  
  456. 'oelig', 'Scaron', 'scaron', 'Yuml', 'circ', 'tilde',  
  457. 'ensp', 'emsp', 'thinsp', 'zwnj', 'zwj', 'lrm',  
  458. 'rlm', 'ndash', 'mdash', 'lsquo', 'rsquo', 'sbquo',  
  459. 'ldquo', 'rdquo', 'bdquo', 'dagger', 'Dagger', 'permil',  
  460. 'lsaquo', 'rsaquo', 'euro', 'fnof', 'Alpha', 'Beta',  
  461. 'Gamma', 'Delta', 'Epsilon', 'Zeta', 'Eta', 'Theta',  
  462. 'Iota', 'Kappa', 'Lambda', 'Mu', 'Nu', 'Xi',  
  463. 'Omicron', 'Pi', 'Rho', 'Sigma', 'Tau', 'Upsilon',  
  464. 'Phi', 'Chi', 'Psi', 'Omega', 'alpha', 'beta',  
  465. 'gamma', 'delta', 'epsilon', 'zeta', 'eta', 'theta',  
  466. 'iota', 'kappa', 'lambda', 'mu', 'nu', 'xi',  
  467. 'omicron', 'pi', 'rho', 'sigmaf', 'sigma', 'tau',  
  468. 'upsilon', 'phi', 'chi', 'psi', 'omega', 'thetasym',  
  469. 'upsih', 'piv', 'bull', 'hellip', 'prime', 'Prime',  
  470. 'oline', 'frasl', 'weierp', 'image', 'real', 'trade',  
  471. 'alefsym', 'larr', 'uarr', 'rarr', 'darr', 'harr',  
  472. 'crarr', 'lArr', 'uArr', 'rArr', 'dArr', 'hArr',  
  473. 'forall', 'part', 'exist', 'empty', 'nabla', 'isin',  
  474. 'notin', 'ni', 'prod', 'sum', 'minus', 'lowast',  
  475. 'radic', 'prop', 'infin', 'ang', 'and', 'or',  
  476. 'cap', 'cup', 'int', 'sim', 'cong', 'asymp',  
  477. 'ne', 'equiv', 'le', 'ge', 'sub', 'sup',  
  478. 'nsub', 'sube', 'supe', 'oplus', 'otimes', 'perp',  
  479. 'sdot', 'lceil', 'rceil', 'lfloor', 'rfloor', 'lang',  
  480. 'rang', 'loz', 'spades', 'clubs', 'hearts', 'diams',  
  481. ); 
  482.  
  483. /** 
  484. * Filters content and keeps only allowable HTML elements. 
  485. * 
  486. * This function makes sure that only the allowed HTML element names, attribute 
  487. * names and attribute values plus only sane HTML entities will occur in 
  488. * $string. You have to remove any slashes from PHP's magic quotes before you 
  489. * call this function. 
  490. * 
  491. * The default allowed protocols are 'http', 'https', 'ftp', 'mailto', 'news',  
  492. * 'irc', 'gopher', 'nntp', 'feed', 'telnet, 'mms', 'rtsp' and 'svn'. This 
  493. * covers all common link protocols, except for 'javascript' which should not 
  494. * be allowed for untrusted users. 
  495. * 
  496. * @since 1.0.0 
  497. * 
  498. * @param string $string Content to filter through kses 
  499. * @param array $allowed_html List of allowed HTML elements 
  500. * @param array $allowed_protocols Optional. Allowed protocol in links. 
  501. * @return string Filtered content with only allowed HTML elements 
  502. */ 
  503. function wp_kses($string, $allowed_html, $allowed_protocols = array ()) { 
  504. $allowed_protocols = wp_parse_args( $allowed_protocols, apply_filters('kses_allowed_protocols', array ('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn') )); 
  505. $string = wp_kses_no_null($string); 
  506. $string = wp_kses_js_entities($string); 
  507. $string = wp_kses_normalize_entities($string); 
  508. $allowed_html_fixed = wp_kses_array_lc($allowed_html); 
  509. $string = wp_kses_hook($string, $allowed_html_fixed, $allowed_protocols); // WP changed the order of these funcs and added args to wp_kses_hook 
  510. return wp_kses_split($string, $allowed_html_fixed, $allowed_protocols); 
  511.  
  512. /** 
  513. * You add any kses hooks here. 
  514. * 
  515. * There is currently only one kses WordPress hook and it is called here. All 
  516. * parameters are passed to the hooks and expected to recieve a string. 
  517. * 
  518. * @since 1.0.0 
  519. * 
  520. * @param string $string Content to filter through kses 
  521. * @param array $allowed_html List of allowed HTML elements 
  522. * @param array $allowed_protocols Allowed protocol in links 
  523. * @return string Filtered content through 'pre_kses' hook 
  524. */ 
  525. function wp_kses_hook($string, $allowed_html, $allowed_protocols) { 
  526. $string = apply_filters('pre_kses', $string, $allowed_html, $allowed_protocols); 
  527. return $string; 
  528.  
  529. /** 
  530. * This function returns kses' version number. 
  531. * 
  532. * @since 1.0.0 
  533. * 
  534. * @return string KSES Version Number 
  535. */ 
  536. function wp_kses_version() { 
  537. return '0.2.2'; 
  538.  
  539. /** 
  540. * Searches for HTML tags, no matter how malformed. 
  541. * 
  542. * It also matches stray ">" characters. 
  543. * 
  544. * @since 1.0.0 
  545. * 
  546. * @param string $string Content to filter 
  547. * @param array $allowed_html Allowed HTML elements 
  548. * @param array $allowed_protocols Allowed protocols to keep 
  549. * @return string Content with fixed HTML tags 
  550. */ 
  551. function wp_kses_split($string, $allowed_html, $allowed_protocols) { 
  552. global $pass_allowed_html, $pass_allowed_protocols; 
  553. $pass_allowed_html = $allowed_html; 
  554. $pass_allowed_protocols = $allowed_protocols; 
  555. return preg_replace_callback( '%((<!--.*?(-->|$))|(<[^>]*(>|$)|>))%', '_wp_kses_split_callback', $string ); 
  556.  
  557. /** 
  558. * Callback for wp_kses_split. 
  559. * 
  560. * @since 3.1.0 
  561. * @access private 
  562. */ 
  563. function _wp_kses_split_callback( $match ) { 
  564. global $pass_allowed_html, $pass_allowed_protocols; 
  565. return wp_kses_split2( $match[1], $pass_allowed_html, $pass_allowed_protocols ); 
  566.  
  567. /** 
  568. * Callback for wp_kses_split for fixing malformed HTML tags. 
  569. * 
  570. * This function does a lot of work. It rejects some very malformed things like 
  571. * <:::>. It returns an empty string, if the element isn't allowed (look ma, no 
  572. * strip_tags()!). Otherwise it splits the tag into an element and an attribute 
  573. * list. 
  574. * 
  575. * After the tag is split into an element and an attribute list, it is run 
  576. * through another filter which will remove illegal attributes and once that is 
  577. * completed, will be returned. 
  578. * 
  579. * @access private 
  580. * @since 1.0.0 
  581. * @uses wp_kses_attr() 
  582. * 
  583. * @param string $string Content to filter 
  584. * @param array $allowed_html Allowed HTML elements 
  585. * @param array $allowed_protocols Allowed protocols to keep 
  586. * @return string Fixed HTML element 
  587. */ 
  588. function wp_kses_split2($string, $allowed_html, $allowed_protocols) { 
  589. $string = wp_kses_stripslashes($string); 
  590.  
  591. if (substr($string, 0, 1) != '<') 
  592. return '>'; 
  593. # It matched a ">" character 
  594.  
  595. if (preg_match('%^<!--(.*?)(-->)?$%', $string, $matches)) { 
  596. $string = str_replace(array('<!--', '-->'), '', $matches[1]); 
  597. while ( $string != $newstring = wp_kses($string, $allowed_html, $allowed_protocols) ) 
  598. $string = $newstring; 
  599. if ( $string == '' ) 
  600. return ''; 
  601. // prevent multiple dashes in comments 
  602. $string = preg_replace('/--+/', '-', $string); 
  603. // prevent three dashes closing a comment 
  604. $string = preg_replace('/-$/', '', $string); 
  605. return "<!--{$string}-->"; 
  606. # Allow HTML comments 
  607.  
  608. if (!preg_match('%^<\s*(/\s*)?([a-zA-Z0-9]+)([^>]*)>?$%', $string, $matches)) 
  609. return ''; 
  610. # It's seriously malformed 
  611.  
  612. $slash = trim($matches[1]); 
  613. $elem = $matches[2]; 
  614. $attrlist = $matches[3]; 
  615.  
  616. if (!@isset($allowed_html[strtolower($elem)])) 
  617. return ''; 
  618. # They are using a not allowed HTML element 
  619.  
  620. if ($slash != '') 
  621. return "<$slash$elem>"; 
  622. # No attributes are allowed for closing elements 
  623.  
  624. return wp_kses_attr("$slash$elem", $attrlist, $allowed_html, $allowed_protocols); 
  625.  
  626. /** 
  627. * Removes all attributes, if none are allowed for this element. 
  628. * 
  629. * If some are allowed it calls wp_kses_hair() to split them further, and then 
  630. * it builds up new HTML code from the data that kses_hair() returns. It also 
  631. * removes "<" and ">" characters, if there are any left. One more thing it does 
  632. * is to check if the tag has a closing XHTML slash, and if it does, it puts one 
  633. * in the returned code as well. 
  634. * 
  635. * @since 1.0.0 
  636. * 
  637. * @param string $element HTML element/tag 
  638. * @param string $attr HTML attributes from HTML element to closing HTML element tag 
  639. * @param array $allowed_html Allowed HTML elements 
  640. * @param array $allowed_protocols Allowed protocols to keep 
  641. * @return string Sanitized HTML element 
  642. */ 
  643. function wp_kses_attr($element, $attr, $allowed_html, $allowed_protocols) { 
  644. # Is there a closing XHTML slash at the end of the attributes? 
  645.  
  646. $xhtml_slash = ''; 
  647. if (preg_match('%\s*/\s*$%', $attr)) 
  648. $xhtml_slash = ' /'; 
  649.  
  650. # Are any attributes allowed at all for this element? 
  651.  
  652. if (@ count($allowed_html[strtolower($element)]) == 0) 
  653. return "<$element$xhtml_slash>"; 
  654.  
  655. # Split it 
  656.  
  657. $attrarr = wp_kses_hair($attr, $allowed_protocols); 
  658.  
  659. # Go through $attrarr, and save the allowed attributes for this element 
  660. # in $attr2 
  661.  
  662. $attr2 = ''; 
  663.  
  664. foreach ($attrarr as $arreach) { 
  665. if (!@ isset ($allowed_html[strtolower($element)][strtolower($arreach['name'])])) 
  666. continue; # the attribute is not allowed 
  667.  
  668. $current = $allowed_html[strtolower($element)][strtolower($arreach['name'])]; 
  669. if ($current == '') 
  670. continue; # the attribute is not allowed 
  671.  
  672. if (!is_array($current)) 
  673. $attr2 .= ' '.$arreach['whole']; 
  674. # there are no checks 
  675.  
  676. else { 
  677. # there are some checks 
  678. $ok = true; 
  679. foreach ($current as $currkey => $currval) 
  680. if (!wp_kses_check_attr_val($arreach['value'], $arreach['vless'], $currkey, $currval)) { 
  681. $ok = false; 
  682. break; 
  683.  
  684. if ( strtolower($arreach['name']) == 'style' ) { 
  685. $orig_value = $arreach['value']; 
  686.  
  687. $value = safecss_filter_attr($orig_value); 
  688.  
  689. if ( empty($value) ) 
  690. continue; 
  691.  
  692. $arreach['value'] = $value; 
  693.  
  694. $arreach['whole'] = str_replace($orig_value, $value, $arreach['whole']); 
  695.  
  696. if ($ok) 
  697. $attr2 .= ' '.$arreach['whole']; # it passed them 
  698. } # if !is_array($current) 
  699. } # foreach 
  700.  
  701. # Remove any "<" or ">" characters 
  702.  
  703. $attr2 = preg_replace('/[<>]/', '', $attr2); 
  704.  
  705. return "<$element$attr2$xhtml_slash>"; 
  706.  
  707. /** 
  708. * Builds an attribute list from string containing attributes. 
  709. * 
  710. * This function does a lot of work. It parses an attribute list into an array 
  711. * with attribute data, and tries to do the right thing even if it gets weird 
  712. * input. It will add quotes around attribute values that don't have any quotes 
  713. * or apostrophes around them, to make it easier to produce HTML code that will 
  714. * conform to W3C's HTML specification. It will also remove bad URL protocols 
  715. * from attribute values. It also reduces duplicate attributes by using the 
  716. * attribute defined first (foo='bar' foo='baz' will result in foo='bar'). 
  717. * 
  718. * @since 1.0.0 
  719. * 
  720. * @param string $attr Attribute list from HTML element to closing HTML element tag 
  721. * @param array $allowed_protocols Allowed protocols to keep 
  722. * @return array List of attributes after parsing 
  723. */ 
  724. function wp_kses_hair($attr, $allowed_protocols) { 
  725. $attrarr = array (); 
  726. $mode = 0; 
  727. $attrname = ''; 
  728. $uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action'); 
  729.  
  730. # Loop through the whole attribute list 
  731.  
  732. while (strlen($attr) != 0) { 
  733. $working = 0; # Was the last operation successful? 
  734.  
  735. switch ($mode) { 
  736. case 0 : # attribute name, href for instance 
  737.  
  738. if (preg_match('/^([-a-zA-Z]+)/', $attr, $match)) { 
  739. $attrname = $match[1]; 
  740. $working = $mode = 1; 
  741. $attr = preg_replace('/^[-a-zA-Z]+/', '', $attr); 
  742.  
  743. break; 
  744.  
  745. case 1 : # equals sign or valueless ("selected") 
  746.  
  747. if (preg_match('/^\s*=\s*/', $attr)) # equals sign 
  748. $working = 1; 
  749. $mode = 2; 
  750. $attr = preg_replace('/^\s*=\s*/', '', $attr); 
  751. break; 
  752.  
  753. if (preg_match('/^\s+/', $attr)) # valueless 
  754. $working = 1; 
  755. $mode = 0; 
  756. if(FALSE === array_key_exists($attrname, $attrarr)) { 
  757. $attrarr[$attrname] = array ('name' => $attrname, 'value' => '', 'whole' => $attrname, 'vless' => 'y'); 
  758. $attr = preg_replace('/^\s+/', '', $attr); 
  759.  
  760. break; 
  761.  
  762. case 2 : # attribute value, a URL after href= for instance 
  763.  
  764. if (preg_match('%^"([^"]*)"(\s+|/?$)%', $attr, $match)) 
  765. # "value" 
  766. $thisval = $match[1]; 
  767. if ( in_array(strtolower($attrname), $uris) ) 
  768. $thisval = wp_kses_bad_protocol($thisval, $allowed_protocols); 
  769.  
  770. if(FALSE === array_key_exists($attrname, $attrarr)) { 
  771. $attrarr[$attrname] = array ('name' => $attrname, 'value' => $thisval, 'whole' => "$attrname=\"$thisval\"", 'vless' => 'n'); 
  772. $working = 1; 
  773. $mode = 0; 
  774. $attr = preg_replace('/^"[^"]*"(\s+|$)/', '', $attr); 
  775. break; 
  776.  
  777. if (preg_match("%^'([^']*)'(\s+|/?$)%", $attr, $match)) 
  778. # 'value' 
  779. $thisval = $match[1]; 
  780. if ( in_array(strtolower($attrname), $uris) ) 
  781. $thisval = wp_kses_bad_protocol($thisval, $allowed_protocols); 
  782.  
  783. if(FALSE === array_key_exists($attrname, $attrarr)) { 
  784. $attrarr[$attrname] = array ('name' => $attrname, 'value' => $thisval, 'whole' => "$attrname='$thisval'", 'vless' => 'n'); 
  785. $working = 1; 
  786. $mode = 0; 
  787. $attr = preg_replace("/^'[^']*'(\s+|$)/", '', $attr); 
  788. break; 
  789.  
  790. if (preg_match("%^([^\s\"']+)(\s+|/?$)%", $attr, $match)) 
  791. # value 
  792. $thisval = $match[1]; 
  793. if ( in_array(strtolower($attrname), $uris) ) 
  794. $thisval = wp_kses_bad_protocol($thisval, $allowed_protocols); 
  795.  
  796. if(FALSE === array_key_exists($attrname, $attrarr)) { 
  797. $attrarr[$attrname] = array ('name' => $attrname, 'value' => $thisval, 'whole' => "$attrname=\"$thisval\"", 'vless' => 'n'); 
  798. # We add quotes to conform to W3C's HTML spec. 
  799. $working = 1; 
  800. $mode = 0; 
  801. $attr = preg_replace("%^[^\s\"']+(\s+|$)%", '', $attr); 
  802.  
  803. break; 
  804. } # switch 
  805.  
  806. if ($working == 0) # not well formed, remove and try again 
  807. $attr = wp_kses_html_error($attr); 
  808. $mode = 0; 
  809. } # while 
  810.  
  811. if ($mode == 1 && FALSE === array_key_exists($attrname, $attrarr)) 
  812. # special case, for when the attribute list ends with a valueless 
  813. # attribute like "selected" 
  814. $attrarr[$attrname] = array ('name' => $attrname, 'value' => '', 'whole' => $attrname, 'vless' => 'y'); 
  815.  
  816. return $attrarr; 
  817.  
  818. /** 
  819. * Performs different checks for attribute values. 
  820. * 
  821. * The currently implemented checks are "maxlen", "minlen", "maxval", "minval" 
  822. * and "valueless" with even more checks to come soon. 
  823. * 
  824. * @since 1.0.0 
  825. * 
  826. * @param string $value Attribute value 
  827. * @param string $vless Whether the value is valueless. Use 'y' or 'n' 
  828. * @param string $checkname What $checkvalue is checking for. 
  829. * @param mixed $checkvalue What constraint the value should pass 
  830. * @return bool Whether check passes 
  831. */ 
  832. function wp_kses_check_attr_val($value, $vless, $checkname, $checkvalue) { 
  833. $ok = true; 
  834.  
  835. switch (strtolower($checkname)) { 
  836. case 'maxlen' : 
  837. # The maxlen check makes sure that the attribute value has a length not 
  838. # greater than the given value. This can be used to avoid Buffer Overflows 
  839. # in WWW clients and various Internet servers. 
  840.  
  841. if (strlen($value) > $checkvalue) 
  842. $ok = false; 
  843. break; 
  844.  
  845. case 'minlen' : 
  846. # The minlen check makes sure that the attribute value has a length not 
  847. # smaller than the given value. 
  848.  
  849. if (strlen($value) < $checkvalue) 
  850. $ok = false; 
  851. break; 
  852.  
  853. case 'maxval' : 
  854. # The maxval check does two things: it checks that the attribute value is 
  855. # an integer from 0 and up, without an excessive amount of zeroes or 
  856. # whitespace (to avoid Buffer Overflows). It also checks that the attribute 
  857. # value is not greater than the given value. 
  858. # This check can be used to avoid Denial of Service attacks. 
  859.  
  860. if (!preg_match('/^\s{0, 6}[0-9]{1, 6}\s{0, 6}$/', $value)) 
  861. $ok = false; 
  862. if ($value > $checkvalue) 
  863. $ok = false; 
  864. break; 
  865.  
  866. case 'minval' : 
  867. # The minval check checks that the attribute value is a positive integer,  
  868. # and that it is not smaller than the given value. 
  869.  
  870. if (!preg_match('/^\s{0, 6}[0-9]{1, 6}\s{0, 6}$/', $value)) 
  871. $ok = false; 
  872. if ($value < $checkvalue) 
  873. $ok = false; 
  874. break; 
  875.  
  876. case 'valueless' : 
  877. # The valueless check checks if the attribute has a value 
  878. # (like <a href="blah">) or not (<option selected>). If the given value 
  879. # is a "y" or a "Y", the attribute must not have a value. 
  880. # If the given value is an "n" or an "N", the attribute must have one. 
  881.  
  882. if (strtolower($checkvalue) != $vless) 
  883. $ok = false; 
  884. break; 
  885. } # switch 
  886.  
  887. return $ok; 
  888.  
  889. /** 
  890. * Sanitize string from bad protocols. 
  891. * 
  892. * This function removes all non-allowed protocols from the beginning of 
  893. * $string. It ignores whitespace and the case of the letters, and it does 
  894. * understand HTML entities. It does its work in a while loop, so it won't be 
  895. * fooled by a string like "javascript:javascript:alert(57)". 
  896. * 
  897. * @since 1.0.0 
  898. * 
  899. * @param string $string Content to filter bad protocols from 
  900. * @param array $allowed_protocols Allowed protocols to keep 
  901. * @return string Filtered content 
  902. */ 
  903. function wp_kses_bad_protocol($string, $allowed_protocols) { 
  904. $string = wp_kses_no_null($string); 
  905. $string2 = $string.'a'; 
  906.  
  907. while ($string != $string2) { 
  908. $string2 = $string; 
  909. $string = wp_kses_bad_protocol_once($string, $allowed_protocols); 
  910. } # while 
  911.  
  912. return $string; 
  913.  
  914. /** 
  915. * Removes any NULL characters in $string. 
  916. * 
  917. * @since 1.0.0 
  918. * 
  919. * @param string $string 
  920. * @return string 
  921. */ 
  922. function wp_kses_no_null($string) { 
  923. $string = preg_replace('/\0+/', '', $string); 
  924. $string = preg_replace('/(\\\\0)+/', '', $string); 
  925.  
  926. return $string; 
  927.  
  928. /** 
  929. * Strips slashes from in front of quotes. 
  930. * 
  931. * This function changes the character sequence \" to just ". It leaves all 
  932. * other slashes alone. It's really weird, but the quoting from 
  933. * preg_replace(//e) seems to require this. 
  934. * 
  935. * @since 1.0.0 
  936. * 
  937. * @param string $string String to strip slashes 
  938. * @return string Fixed strings with quoted slashes 
  939. */ 
  940. function wp_kses_stripslashes($string) { 
  941. return preg_replace('%\\\\"%', '"', $string); 
  942.  
  943. /** 
  944. * Goes through an array and changes the keys to all lower case. 
  945. * 
  946. * @since 1.0.0 
  947. * 
  948. * @param array $inarray Unfiltered array 
  949. * @return array Fixed array with all lowercase keys 
  950. */ 
  951. function wp_kses_array_lc($inarray) { 
  952. $outarray = array (); 
  953.  
  954. foreach ( (array) $inarray as $inkey => $inval) { 
  955. $outkey = strtolower($inkey); 
  956. $outarray[$outkey] = array (); 
  957.  
  958. foreach ( (array) $inval as $inkey2 => $inval2) { 
  959. $outkey2 = strtolower($inkey2); 
  960. $outarray[$outkey][$outkey2] = $inval2; 
  961. } # foreach $inval 
  962. } # foreach $inarray 
  963.  
  964. return $outarray; 
  965.  
  966. /** 
  967. * Removes the HTML JavaScript entities found in early versions of Netscape 4. 
  968. * 
  969. * @since 1.0.0 
  970. * 
  971. * @param string $string 
  972. * @return string 
  973. */ 
  974. function wp_kses_js_entities($string) { 
  975. return preg_replace('%&\s*\{[^}]*(\}\s*;?|$)%', '', $string); 
  976.  
  977. /** 
  978. * Handles parsing errors in wp_kses_hair(). 
  979. * 
  980. * The general plan is to remove everything to and including some whitespace,  
  981. * but it deals with quotes and apostrophes as well. 
  982. * 
  983. * @since 1.0.0 
  984. * 
  985. * @param string $string 
  986. * @return string 
  987. */ 
  988. function wp_kses_html_error($string) { 
  989. return preg_replace('/^("[^"]*("|$)|\'[^\']*(\'|$)|\S)*\s*/', '', $string); 
  990.  
  991. /** 
  992. * Sanitizes content from bad protocols and other characters. 
  993. * 
  994. * This function searches for URL protocols at the beginning of $string, while 
  995. * handling whitespace and HTML entities. 
  996. * 
  997. * @since 1.0.0 
  998. * 
  999. * @param string $string Content to check for bad protocols 
  1000. * @param string $allowed_protocols Allowed protocols 
  1001. * @return string Sanitized content 
  1002. */ 
  1003. function wp_kses_bad_protocol_once($string, $allowed_protocols) { 
  1004. $string2 = preg_split( '/:|�*58;|�*3a;/i', $string, 2 ); 
  1005. if ( isset($string2[1]) && ! preg_match('%/\?%', $string2[0]) ) 
  1006. $string = wp_kses_bad_protocol_once2( $string2[0], $allowed_protocols ) . trim( $string2[1] ); 
  1007.  
  1008. return $string; 
  1009.  
  1010. /** 
  1011. * Callback for wp_kses_bad_protocol_once() regular expression. 
  1012. * 
  1013. * This function processes URL protocols, checks to see if they're in the 
  1014. * white-list or not, and returns different data depending on the answer. 
  1015. * 
  1016. * @access private 
  1017. * @since 1.0.0 
  1018. * 
  1019. * @param string $string URI scheme to check against the whitelist 
  1020. * @param string $allowed_protocols Allowed protocols 
  1021. * @return string Sanitized content 
  1022. */ 
  1023. function wp_kses_bad_protocol_once2( $string, $allowed_protocols ) { 
  1024. $string2 = wp_kses_decode_entities($string); 
  1025. $string2 = preg_replace('/\s/', '', $string2); 
  1026. $string2 = wp_kses_no_null($string2); 
  1027. $string2 = strtolower($string2); 
  1028.  
  1029. $allowed = false; 
  1030. foreach ( (array) $allowed_protocols as $one_protocol ) 
  1031. if ( strtolower($one_protocol) == $string2 ) { 
  1032. $allowed = true; 
  1033. break; 
  1034.  
  1035. if ($allowed) 
  1036. return "$string2:"; 
  1037. else 
  1038. return ''; 
  1039.  
  1040. /** 
  1041. * Converts and fixes HTML entities. 
  1042. * 
  1043. * This function normalizes HTML entities. It will convert "AT&T" to the correct 
  1044. * "AT&T", ":" to ":", "&#XYZZY;" to "&#XYZZY;" and so on. 
  1045. * 
  1046. * @since 1.0.0 
  1047. * 
  1048. * @param string $string Content to normalize entities 
  1049. * @return string Content with normalized entities 
  1050. */ 
  1051. function wp_kses_normalize_entities($string) { 
  1052. # Disarm all entities by converting & to & 
  1053.  
  1054. $string = str_replace('&', '&', $string); 
  1055.  
  1056. # Change back the allowed entities in our entity whitelist 
  1057.  
  1058. $string = preg_replace_callback('/&([A-Za-z]{2, 8});/', 'wp_kses_named_entities', $string); 
  1059. $string = preg_replace_callback('/&#(0*[0-9]{1, 7});/', 'wp_kses_normalize_entities2', $string); 
  1060. $string = preg_replace_callback('/&#[Xx](0*[0-9A-Fa-f]{1, 6});/', 'wp_kses_normalize_entities3', $string); 
  1061.  
  1062. return $string; 
  1063.  
  1064. /** 
  1065. * Callback for wp_kses_normalize_entities() regular expression. 
  1066. * 
  1067. * This function only accepts valid named entity references, which are finite,  
  1068. * case-sensitive, and highly scrutinized by HTML and XML validators. 
  1069. * 
  1070. * @since 3.0.0 
  1071. * 
  1072. * @param array $matches preg_replace_callback() matches array 
  1073. * @return string Correctly encoded entity 
  1074. */ 
  1075. function wp_kses_named_entities($matches) { 
  1076. global $allowedentitynames; 
  1077.  
  1078. if ( empty($matches[1]) ) 
  1079. return ''; 
  1080.  
  1081. $i = $matches[1]; 
  1082. return ( ( ! in_array($i, $allowedentitynames) ) ? "&$i;" : "&$i;" ); 
  1083.  
  1084. /** 
  1085. * Callback for wp_kses_normalize_entities() regular expression. 
  1086. * 
  1087. * This function helps wp_kses_normalize_entities() to only accept 16 bit values 
  1088. * and nothing more for &#number; entities. 
  1089. * 
  1090. * @access private 
  1091. * @since 1.0.0 
  1092. * 
  1093. * @param array $matches preg_replace_callback() matches array 
  1094. * @return string Correctly encoded entity 
  1095. */ 
  1096. function wp_kses_normalize_entities2($matches) { 
  1097. if ( empty($matches[1]) ) 
  1098. return ''; 
  1099.  
  1100. $i = $matches[1]; 
  1101. if (valid_unicode($i)) { 
  1102. $i = str_pad(ltrim($i, '0'), 3, '0', STR_PAD_LEFT); 
  1103. $i = "&#$i;"; 
  1104. } else { 
  1105. $i = "&#$i;"; 
  1106.  
  1107. return $i; 
  1108.  
  1109. /** 
  1110. * Callback for wp_kses_normalize_entities() for regular expression. 
  1111. * 
  1112. * This function helps wp_kses_normalize_entities() to only accept valid Unicode 
  1113. * numeric entities in hex form. 
  1114. * 
  1115. * @access private 
  1116. * 
  1117. * @param array $matches preg_replace_callback() matches array 
  1118. * @return string Correctly encoded entity 
  1119. */ 
  1120. function wp_kses_normalize_entities3($matches) { 
  1121. if ( empty($matches[1]) ) 
  1122. return ''; 
  1123.  
  1124. $hexchars = $matches[1]; 
  1125. return ( ( ! valid_unicode(hexdec($hexchars)) ) ? "&#x$hexchars;" : '&#x'.ltrim($hexchars, '0').';' ); 
  1126.  
  1127. /** 
  1128. * Helper function to determine if a Unicode value is valid. 
  1129. * 
  1130. * @param int $i Unicode value 
  1131. * @return bool true if the value was a valid Unicode number 
  1132. */ 
  1133. function valid_unicode($i) { 
  1134. return ( $i == 0x9 || $i == 0xa || $i == 0xd || 
  1135. ($i >= 0x20 && $i <= 0xd7ff) || 
  1136. ($i >= 0xe000 && $i <= 0xfffd) || 
  1137. ($i >= 0x10000 && $i <= 0x10ffff) ); 
  1138.  
  1139. /** 
  1140. * Convert all entities to their character counterparts. 
  1141. * 
  1142. * This function decodes numeric HTML entities (A and A). It doesn't do 
  1143. * anything with other entities like ä, but we don't need them in the URL 
  1144. * protocol whitelisting system anyway. 
  1145. * 
  1146. * @since 1.0.0 
  1147. * 
  1148. * @param string $string Content to change entities 
  1149. * @return string Content after decoded entities 
  1150. */ 
  1151. function wp_kses_decode_entities($string) { 
  1152. $string = preg_replace_callback('/&#([0-9]+);/', '_wp_kses_decode_entities_chr', $string); 
  1153. $string = preg_replace_callback('/&#[Xx]([0-9A-Fa-f]+);/', '_wp_kses_decode_entities_chr_hexdec', $string); 
  1154.  
  1155. return $string; 
  1156.  
  1157. /** 
  1158. * Regex callback for wp_kses_decode_entities() 
  1159. * 
  1160. * @param array $match preg match 
  1161. * @return string 
  1162. */ 
  1163. function _wp_kses_decode_entities_chr( $match ) { 
  1164. return chr( $match[1] ); 
  1165.  
  1166. /** 
  1167. * Regex callback for wp_kses_decode_entities() 
  1168. * 
  1169. * @param array $match preg match 
  1170. * @return string 
  1171. */ 
  1172. function _wp_kses_decode_entities_chr_hexdec( $match ) { 
  1173. return chr( hexdec( $match[1] ) ); 
  1174.  
  1175. /** 
  1176. * Sanitize content with allowed HTML Kses rules. 
  1177. * 
  1178. * @since 1.0.0 
  1179. * @uses $allowedtags 
  1180. * 
  1181. * @param string $data Content to filter, expected to be escaped with slashes 
  1182. * @return string Filtered content 
  1183. */ 
  1184. function wp_filter_kses($data) { 
  1185. global $allowedtags; 
  1186. return addslashes( wp_kses(stripslashes( $data ), $allowedtags) ); 
  1187.  
  1188. /** 
  1189. * Sanitize content with allowed HTML Kses rules. 
  1190. * 
  1191. * @since 2.9.0 
  1192. * @uses $allowedtags 
  1193. * 
  1194. * @param string $data Content to filter, expected to not be escaped 
  1195. * @return string Filtered content 
  1196. */ 
  1197. function wp_kses_data($data) { 
  1198. global $allowedtags; 
  1199. return wp_kses( $data , $allowedtags ); 
  1200.  
  1201. /** 
  1202. * Sanitize content for allowed HTML tags for post content. 
  1203. * 
  1204. * Post content refers to the page contents of the 'post' type and not $_POST 
  1205. * data from forms. 
  1206. * 
  1207. * @since 2.0.0 
  1208. * @uses $allowedposttags 
  1209. * 
  1210. * @param string $data Post content to filter, expected to be escaped with slashes 
  1211. * @return string Filtered post content with allowed HTML tags and attributes intact. 
  1212. */ 
  1213. function wp_filter_post_kses($data) { 
  1214. global $allowedposttags; 
  1215. return addslashes ( wp_kses(stripslashes( $data ), $allowedposttags) ); 
  1216.  
  1217. /** 
  1218. * Sanitize content for allowed HTML tags for post content. 
  1219. * 
  1220. * Post content refers to the page contents of the 'post' type and not $_POST 
  1221. * data from forms. 
  1222. * 
  1223. * @since 2.9.0 
  1224. * @uses $allowedposttags 
  1225. * 
  1226. * @param string $data Post content to filter 
  1227. * @return string Filtered post content with allowed HTML tags and attributes intact. 
  1228. */ 
  1229. function wp_kses_post($data) { 
  1230. global $allowedposttags; 
  1231. return wp_kses( $data , $allowedposttags ); 
  1232.  
  1233. /** 
  1234. * Strips all of the HTML in the content. 
  1235. * 
  1236. * @since 2.1.0 
  1237. * 
  1238. * @param string $data Content to strip all HTML from 
  1239. * @return string Filtered content without any HTML 
  1240. */ 
  1241. function wp_filter_nohtml_kses($data) { 
  1242. return addslashes ( wp_kses(stripslashes( $data ), array()) ); 
  1243.  
  1244. // ! function kses_init_filters() 
  1245. // ! function kses_remove_filters() 
  1246. // ! function kses_init() 
  1247.  
  1248. /** 
  1249. * Inline CSS filter 
  1250. * 
  1251. * @since 2.8.1 
  1252. */ 
  1253. function safecss_filter_attr( $css, $deprecated = '' ) { 
  1254. if ( !empty( $deprecated ) ) 
  1255. _deprecated_argument( __FUNCTION__, '2.8.1' ); // Never implemented 
  1256.  
  1257. $css = wp_kses_no_null($css); 
  1258. $css = str_replace(array("\n", "\r", "\t"), '', $css); 
  1259.  
  1260. if ( preg_match( '%[\\(&=}]|/\*%', $css ) ) // remove any inline css containing \ ( & } = or comments 
  1261. return ''; 
  1262.  
  1263. $css_array = explode( ';', trim( $css ) ); 
  1264. $allowed_attr = apply_filters( 'safe_style_css', array( 'text-align', 'margin', 'color', 'float',  
  1265. 'border', 'background', 'background-color', 'border-bottom', 'border-bottom-color',  
  1266. 'border-bottom-style', 'border-bottom-width', 'border-collapse', 'border-color', 'border-left',  
  1267. 'border-left-color', 'border-left-style', 'border-left-width', 'border-right', 'border-right-color',  
  1268. 'border-right-style', 'border-right-width', 'border-spacing', 'border-style', 'border-top',  
  1269. 'border-top-color', 'border-top-style', 'border-top-width', 'border-width', 'caption-side',  
  1270. 'clear', 'cursor', 'direction', 'font', 'font-family', 'font-size', 'font-style',  
  1271. 'font-variant', 'font-weight', 'height', 'letter-spacing', 'line-height', 'margin-bottom',  
  1272. 'margin-left', 'margin-right', 'margin-top', 'overflow', 'padding', 'padding-bottom',  
  1273. 'padding-left', 'padding-right', 'padding-top', 'text-decoration', 'text-indent', 'vertical-align',  
  1274. 'width' ) ); 
  1275.  
  1276. if ( empty($allowed_attr) ) 
  1277. return $css; 
  1278.  
  1279. $css = ''; 
  1280. foreach ( $css_array as $css_item ) { 
  1281. if ( $css_item == '' ) 
  1282. continue; 
  1283. $css_item = trim( $css_item ); 
  1284. $found = false; 
  1285. if ( strpos( $css_item, ':' ) === false ) { 
  1286. $found = true; 
  1287. } else { 
  1288. $parts = explode( ':', $css_item ); 
  1289. if ( in_array( trim( $parts[0] ), $allowed_attr ) ) 
  1290. $found = true; 
  1291. if ( $found ) { 
  1292. if( $css != '' ) 
  1293. $css .= ';'; 
  1294. $css .= $css_item; 
  1295.  
  1296. return $css; 
.