mirror of
git://develop.git.wordpress.org/
synced 2025-01-17 12:58:25 +01:00
a31a90deb4
Props: danielbachhuber, whyisjake, peterwilson, xknown. Prevent stored XSS through wp_targeted_link_rel(). Props: vortfu, whyisjake, peterwilsoncc, xknown, SergeyBiryukov, flaviozavan. Update wp_kses_bad_protocol() to recognize : on uri attributes, wp_kses_bad_protocol() makes sure to validate that uri attributes don't contain invalid/or not allowed protocols. While this works fine in most cases, there's a risk that by using the colon html5 named entity, one is able to bypass this function. Brings r46895 to the 5.3 branch. Props: xknown, nickdaugherty, peterwilsoncc. Prevent stored XSS in the block editor. Brings r46896 to the 5.3 branch. Prevent escaped unicode characters become unescaped in unsafe HTML during JSON decoding. Props: aduth, epiqueras. git-svn-id: https://develop.svn.wordpress.org/branches/5.0@46915 602fd350-edb4-49c9-b593-d223f7449a82