Changeset 2744639 for anrghg

Timestamp:

06/18/2022 11:33:53 PM (4 years ago)

Author:

anrghg

Message:

0.81.6.0

0.81.6 (2022-06-18)

• Security: KSES whitelist: Fix bug in whitelist extension.
• Security: Stop trying to use a global KSES whitelist.
• Security: Date meta tags: Tailor KSES whitelists to the instance.

Location:

anrghg

Files:

• tags/0.81.6 (copied) (copied from anrghg/trunk)
• tags/0.81.6/anrghg.php (modified) (7 diffs)
• tags/0.81.6/package.json (modified) (1 diff)
• tags/0.81.6/readme.txt (modified) (2 diffs)
• trunk/anrghg.php (modified) (7 diffs)
• trunk/package.json (modified) (1 diff)
• trunk/readme.txt (modified) (2 diffs)

anrghg/tags/0.81.6/anrghg.php

@@ -14 +14 @@
  * Tested PHP up to: 8.0
  * CAUTION: The following field is parsed in the stable tag folder for upgrade configuration:
- * Version: 0.81.5
+ * Version: 0.81.6
  * Author: ANRGHG
  * Author URI: https://anrghg.sunsite.fr
@@ -79 +79 @@
  * @var string C_S_ANRGHG_VER  Plugin version constant.
  */
-define( 'C_S_ANRGHG_VER', '0.81.5' );
+define( 'C_S_ANRGHG_VER', '0.81.6' );
 
 /**
@@ -1074 +1074 @@
 
 /**
- * Generates the whitelist for `wp_kses()`.
+ * Generates a global whitelist for `wp_kses()`.
  *
  * @since 0.81.5
- * User input is supported by $allowedposttags and $allowedtags.
+ * @since 0.81.6 Fix bug in whitelist extension.
+ * @since 0.81.6 Tailor whitelists to the instance for more efficiency.
+ * Global KSES whitelists are a non-starter, because they defeat the
+ * KSES design goals, e.g. the button[onclick] should not be allowed
+ * on public pages. But the input[checked,class,id,type] is required
+ * on public pages to support display toggle checkboxes. WordPress’s
+ * implementation of global attributes is lacking the [tabindex] and
+ * most [aria-*] attributes. Thus, KSES + WordPress is bad for a11y.
+ * Therefore our KSES whitelists should be tailored to the instance.
+ *
+ * User input may be supported by $allowedposttags.
  * @see wp-includes/kses.php
  * @see also the `$global_attributes` in `wp-includes/kses.php:2520`.
@@ -1083 +1093 @@
  * `wp_kses()` escapes `>` (and `<`) as HTML entities.
  *
- * BUG REPORT: After the tabindex argument is properly added to div,
- * the input and meta elements are not added.
- * With array_push() instead of [], the function breaks down.
- *
+ * global $allowedtags provided along with $allowedposttags is a very
+ * limited subset of the latter, so merging it in would be pointless.
+ * @global $allowedposttags      WordPress KSES whitelist.
+ * @global $g_m_anrghg_whitelist Extended KSES whitelist.
  * @return array $g_m_anrghg_whitelist
  */
 function anrghg_whitelist() {
-    global $allowedposttags, $allowedtags, $g_m_anrghg_whitelist;
+    global $allowedposttags, $g_m_anrghg_whitelist;
     if ( false === $g_m_anrghg_whitelist ) {
         $g_m_anrghg_whitelist = $allowedposttags;
-        foreach ( $allowedtags as $l_s_name => $l_m_val ) {
-            if ( array_key_exists( $l_s_name, $g_m_anrghg_whitelist ) ) {
-                $g_m_anrghg_whitelist[ $l_s_name ] = array_merge( $g_m_anrghg_whitelist[ $l_s_name ], $allowedtags[ $l_s_name ] );
-            } else {
-                $g_m_anrghg_whitelist[] = $allowedtags[ $l_s_name ];
-            }
-        }
         $l_a_whitelist = array(
             'a'        => array(
-                'class'    => true,
-                'href'     => true,
                 'tabindex' => true,
             ),
-            'br'       => array(),
-            'button'   => array(
-                'class'   => true,
-                'id'      => true,
-                'name'    => true,
-                'onclick' => true,
-                'type'    => true,
-            ),
-            'code'     => array(
-                'class' => true,
-            ),
-            'datalist' => array(
-                'id' => true,
-            ),
             'div'      => array(
-                'aria-hidden'     => true,
-                'autofocus'       => true,
-                'class'           => true,
-                'contenteditable' => true,
-                'hidden'          => true,
-                'id'              => true,
                 'tabindex'        => true,
             ),
-            'fieldset' => array(),
             'input'    => array(
-                'aria-label'  => true,
                 'checked'     => true,
                 'class'       => true,
                 'id'          => true,
-                'name'        => true,
-                'min'         => true,
-                'max'         => true,
-                'step'        => true,
-                'list'        => true,
-                'onkeyup'     => true,
-                'placeholder' => true,
                 'type'        => true,
-                'value'       => true,
             ),
             'label'    => array(
                 'class' => true,
                 'for'   => true,
-            ),
-            'legend'   => array(
-                'aria-hidden' => true,
-                'aria-label'  => true,
-                'class'       => true,
-            ),
-            'li'       => array(
-                'class' => true,
-            ),
-            'meta'     => array(
-                'content'  => true,
-                'name'     => true,
-                'property' => true,
-            ),
-            'option'   => array(
-                'aria-label' => true,
-                'selected'   => true,
-                'value'      => true,
-            ),
-            'optgroup' => array(
-                'label' => true,
-            ),
-            'p'        => array(
-                'class' => true,
-            ),
-            'select'   => array(
-                'id'   => true,
-                'name' => true,
-            ),
-            'span'     => array(
-                'class' => true,
-                'id'    => true,
-            ),
-            'table'    => array(
-                'class' => true,
-            ),
-            'tbody'    => array(),
-            'td'       => array(),
-            'textarea' => array(
-                'class'       => true,
-                'id'          => true,
-                'name'        => true,
-                'placeholder' => true,
-            ),
-            'tr'       => array(
-                'id' => true,
-            ),
-            'ul'       => array(
-                'class' => true,
             ),
         );
@@ -1203 +1125 @@
                 $g_m_anrghg_whitelist[ $l_s_name ] = array_merge( $g_m_anrghg_whitelist[ $l_s_name ], $l_a_whitelist[ $l_s_name ] );
             } else {
-                $g_m_anrghg_whitelist[] = $l_a_whitelist[ $l_s_name ];
+                $g_m_anrghg_whitelist[ $l_s_name ] = $l_a_whitelist[ $l_s_name ];
             }
         }
@@ -3188 +3110 @@
 function anrghg_add_date_meta_tags() {
     if ( anrghg_apply_config( 'anrghg_date_meta_common_published' ) ) {
-        echo (
-            "\t<meta name=\"date\" content=\"" . get_the_date( 'Y-m-d\TH:i:sO' ) . "\" />\r\n"
+        echo wp_kses(
+            "\t<meta name=\"date\" content=\"" . get_the_date( 'Y-m-d\TH:i:sO' ) . "\" />\r\n",
+            array( 'meta' => array( 'name' => true, 'content' => true ) )
         );
     }
     if ( anrghg_apply_config( 'anrghg_date_meta_common_last_edit' ) ) {
-        anrghg_kses_echo(
-            "\t<meta name=\"last-modified\" content=\"" . get_the_modified_date( 'Y-m-d\TH:i:sO' ) . "\" />\r\n"
+        echo wp_kses(
+            "\t<meta name=\"last-modified\" content=\"" . get_the_modified_date( 'Y-m-d\TH:i:sO' ) . "\" />\r\n",
+            array( 'meta' => array( 'name' => true, 'content' => true ) )
         );
     }
     if ( anrghg_apply_config( 'anrghg_date_meta_open_g_published' ) ) {
-        anrghg_kses_echo(
-            "\t<meta property=\"article:published_time\" content=\"" . get_the_date( 'Y-m-d\TH:i:sO' ) . "\" />\r\n"
+        echo wp_kses(
+            "\t<meta property=\"article:published_time\" content=\"" . get_the_date( 'Y-m-d\TH:i:sO' ) . "\" />\r\n",
+            array( 'meta' => array( 'property' => true, 'content' => true ) )
         );
     }
     if ( anrghg_apply_config( 'anrghg_date_meta_open_g_last_edit' ) ) {
-        anrghg_kses_echo(
-            "\t<meta property=\"article:modified_time\" content=\"" . get_the_modified_date( 'Y-m-d\TH:i:sO' ) . "\" />\r\n"
+        echo wp_kses(
+            "\t<meta property=\"article:modified_time\" content=\"" . get_the_modified_date( 'Y-m-d\TH:i:sO' ) . "\" />\r\n",
+            array( 'meta' => array( 'property' => true, 'content' => true ) )
         );
     }
@@ -5384 +5310 @@
     'wp_footer',
     function() {
-        global $g_s_anrghg_footer;
+        global $g_s_anrghg_footer, $g_m_anrghg_whitelist;
         if ( ! empty( $g_s_anrghg_footer ) ) {
             anrghg_kses_echo( "\r\n\r\n" . '<div class="anrghg-footer-complement-list">' );

anrghg/tags/0.81.6/package.json

@@ -1 +1 @@
 {
   "name": "anrghg",
-  "version": "0.81.5",
+  "version": "0.81.6",
   "description": "A.N.R.GHG Publishing Helper",
   "main": "index.js",

anrghg/tags/0.81.6/readme.txt

@@ -8 +8 @@
 Requires PHP: 5.6
 Tested PHP up to: 8.0
-Package Version: 0.81.5.0
-Version: 0.81.5
+Package Version: 0.81.6.0
+Version: 0.81.6
 CAUTION: The following field is parsed in trunk/ for release configuration:
-Stable Tag: 0.81.5
+Stable Tag: 0.81.6
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
@@ -502 +502 @@
 == Changelog ==
 
+= 0.81.6 (2022-06-18) =
+
+* Security: KSES whitelist: Fix bug in whitelist extension.
+* Security: Stop trying to use a global KSES whitelist.
+* Security: Date meta tags: Tailor KSES whitelists to the instance.
+
 = 0.81.5 (2022-06-18) =
 
 * Security: Internal style sheets: Secure output.
 * Security: Internal style sheets: Restore direct child selectors.
-* Security: KSES: Properly implement the whitelist with extensions.
-* Security: KSES: Document unfixable bug in implementation.
+* Security: KSES: Try implementing the whitelist with extensions.
 
 = 0.81.4 (2022-06-17) =

anrghg/trunk/anrghg.php

@@ -14 +14 @@
  * Tested PHP up to: 8.0
  * CAUTION: The following field is parsed in the stable tag folder for upgrade configuration:
- * Version: 0.81.5
+ * Version: 0.81.6
  * Author: ANRGHG
  * Author URI: https://anrghg.sunsite.fr
@@ -79 +79 @@
  * @var string C_S_ANRGHG_VER  Plugin version constant.
  */
-define( 'C_S_ANRGHG_VER', '0.81.5' );
+define( 'C_S_ANRGHG_VER', '0.81.6' );
 
 /**
@@ -1074 +1074 @@
 
 /**
- * Generates the whitelist for `wp_kses()`.
+ * Generates a global whitelist for `wp_kses()`.
  *
  * @since 0.81.5
- * User input is supported by $allowedposttags and $allowedtags.
+ * @since 0.81.6 Fix bug in whitelist extension.
+ * @since 0.81.6 Tailor whitelists to the instance for more efficiency.
+ * Global KSES whitelists are a non-starter, because they defeat the
+ * KSES design goals, e.g. the button[onclick] should not be allowed
+ * on public pages. But the input[checked,class,id,type] is required
+ * on public pages to support display toggle checkboxes. WordPress’s
+ * implementation of global attributes is lacking the [tabindex] and
+ * most [aria-*] attributes. Thus, KSES + WordPress is bad for a11y.
+ * Therefore our KSES whitelists should be tailored to the instance.
+ *
+ * User input may be supported by $allowedposttags.
  * @see wp-includes/kses.php
  * @see also the `$global_attributes` in `wp-includes/kses.php:2520`.
@@ -1083 +1093 @@
  * `wp_kses()` escapes `>` (and `<`) as HTML entities.
  *
- * BUG REPORT: After the tabindex argument is properly added to div,
- * the input and meta elements are not added.
- * With array_push() instead of [], the function breaks down.
- *
+ * global $allowedtags provided along with $allowedposttags is a very
+ * limited subset of the latter, so merging it in would be pointless.
+ * @global $allowedposttags      WordPress KSES whitelist.
+ * @global $g_m_anrghg_whitelist Extended KSES whitelist.
  * @return array $g_m_anrghg_whitelist
  */
 function anrghg_whitelist() {
-    global $allowedposttags, $allowedtags, $g_m_anrghg_whitelist;
+    global $allowedposttags, $g_m_anrghg_whitelist;
     if ( false === $g_m_anrghg_whitelist ) {
         $g_m_anrghg_whitelist = $allowedposttags;
-        foreach ( $allowedtags as $l_s_name => $l_m_val ) {
-            if ( array_key_exists( $l_s_name, $g_m_anrghg_whitelist ) ) {
-                $g_m_anrghg_whitelist[ $l_s_name ] = array_merge( $g_m_anrghg_whitelist[ $l_s_name ], $allowedtags[ $l_s_name ] );
-            } else {
-                $g_m_anrghg_whitelist[] = $allowedtags[ $l_s_name ];
-            }
-        }
         $l_a_whitelist = array(
             'a'        => array(
-                'class'    => true,
-                'href'     => true,
                 'tabindex' => true,
             ),
-            'br'       => array(),
-            'button'   => array(
-                'class'   => true,
-                'id'      => true,
-                'name'    => true,
-                'onclick' => true,
-                'type'    => true,
-            ),
-            'code'     => array(
-                'class' => true,
-            ),
-            'datalist' => array(
-                'id' => true,
-            ),
             'div'      => array(
-                'aria-hidden'     => true,
-                'autofocus'       => true,
-                'class'           => true,
-                'contenteditable' => true,
-                'hidden'          => true,
-                'id'              => true,
                 'tabindex'        => true,
             ),
-            'fieldset' => array(),
             'input'    => array(
-                'aria-label'  => true,
                 'checked'     => true,
                 'class'       => true,
                 'id'          => true,
-                'name'        => true,
-                'min'         => true,
-                'max'         => true,
-                'step'        => true,
-                'list'        => true,
-                'onkeyup'     => true,
-                'placeholder' => true,
                 'type'        => true,
-                'value'       => true,
             ),
             'label'    => array(
                 'class' => true,
                 'for'   => true,
-            ),
-            'legend'   => array(
-                'aria-hidden' => true,
-                'aria-label'  => true,
-                'class'       => true,
-            ),
-            'li'       => array(
-                'class' => true,
-            ),
-            'meta'     => array(
-                'content'  => true,
-                'name'     => true,
-                'property' => true,
-            ),
-            'option'   => array(
-                'aria-label' => true,
-                'selected'   => true,
-                'value'      => true,
-            ),
-            'optgroup' => array(
-                'label' => true,
-            ),
-            'p'        => array(
-                'class' => true,
-            ),
-            'select'   => array(
-                'id'   => true,
-                'name' => true,
-            ),
-            'span'     => array(
-                'class' => true,
-                'id'    => true,
-            ),
-            'table'    => array(
-                'class' => true,
-            ),
-            'tbody'    => array(),
-            'td'       => array(),
-            'textarea' => array(
-                'class'       => true,
-                'id'          => true,
-                'name'        => true,
-                'placeholder' => true,
-            ),
-            'tr'       => array(
-                'id' => true,
-            ),
-            'ul'       => array(
-                'class' => true,
             ),
         );
@@ -1203 +1125 @@
                 $g_m_anrghg_whitelist[ $l_s_name ] = array_merge( $g_m_anrghg_whitelist[ $l_s_name ], $l_a_whitelist[ $l_s_name ] );
             } else {
-                $g_m_anrghg_whitelist[] = $l_a_whitelist[ $l_s_name ];
+                $g_m_anrghg_whitelist[ $l_s_name ] = $l_a_whitelist[ $l_s_name ];
             }
         }
@@ -3188 +3110 @@
 function anrghg_add_date_meta_tags() {
     if ( anrghg_apply_config( 'anrghg_date_meta_common_published' ) ) {
-        echo (
-            "\t<meta name=\"date\" content=\"" . get_the_date( 'Y-m-d\TH:i:sO' ) . "\" />\r\n"
+        echo wp_kses(
+            "\t<meta name=\"date\" content=\"" . get_the_date( 'Y-m-d\TH:i:sO' ) . "\" />\r\n",
+            array( 'meta' => array( 'name' => true, 'content' => true ) )
         );
     }
     if ( anrghg_apply_config( 'anrghg_date_meta_common_last_edit' ) ) {
-        anrghg_kses_echo(
-            "\t<meta name=\"last-modified\" content=\"" . get_the_modified_date( 'Y-m-d\TH:i:sO' ) . "\" />\r\n"
+        echo wp_kses(
+            "\t<meta name=\"last-modified\" content=\"" . get_the_modified_date( 'Y-m-d\TH:i:sO' ) . "\" />\r\n",
+            array( 'meta' => array( 'name' => true, 'content' => true ) )
         );
     }
     if ( anrghg_apply_config( 'anrghg_date_meta_open_g_published' ) ) {
-        anrghg_kses_echo(
-            "\t<meta property=\"article:published_time\" content=\"" . get_the_date( 'Y-m-d\TH:i:sO' ) . "\" />\r\n"
+        echo wp_kses(
+            "\t<meta property=\"article:published_time\" content=\"" . get_the_date( 'Y-m-d\TH:i:sO' ) . "\" />\r\n",
+            array( 'meta' => array( 'property' => true, 'content' => true ) )
         );
     }
     if ( anrghg_apply_config( 'anrghg_date_meta_open_g_last_edit' ) ) {
-        anrghg_kses_echo(
-            "\t<meta property=\"article:modified_time\" content=\"" . get_the_modified_date( 'Y-m-d\TH:i:sO' ) . "\" />\r\n"
+        echo wp_kses(
+            "\t<meta property=\"article:modified_time\" content=\"" . get_the_modified_date( 'Y-m-d\TH:i:sO' ) . "\" />\r\n",
+            array( 'meta' => array( 'property' => true, 'content' => true ) )
         );
     }
@@ -5384 +5310 @@
     'wp_footer',
     function() {
-        global $g_s_anrghg_footer;
+        global $g_s_anrghg_footer, $g_m_anrghg_whitelist;
         if ( ! empty( $g_s_anrghg_footer ) ) {
             anrghg_kses_echo( "\r\n\r\n" . '<div class="anrghg-footer-complement-list">' );

anrghg/trunk/package.json

@@ -1 +1 @@
 {
   "name": "anrghg",
-  "version": "0.81.5",
+  "version": "0.81.6",
   "description": "A.N.R.GHG Publishing Helper",
   "main": "index.js",

anrghg/trunk/readme.txt

@@ -8 +8 @@
 Requires PHP: 5.6
 Tested PHP up to: 8.0
-Package Version: 0.81.5.0
-Version: 0.81.5
+Package Version: 0.81.6.0
+Version: 0.81.6
 CAUTION: The following field is parsed in trunk/ for release configuration:
-Stable Tag: 0.81.5
+Stable Tag: 0.81.6
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
@@ -502 +502 @@
 == Changelog ==
 
+= 0.81.6 (2022-06-18) =
+
+* Security: KSES whitelist: Fix bug in whitelist extension.
+* Security: Stop trying to use a global KSES whitelist.
+* Security: Date meta tags: Tailor KSES whitelists to the instance.
+
 = 0.81.5 (2022-06-18) =
 
 * Security: Internal style sheets: Secure output.
 * Security: Internal style sheets: Restore direct child selectors.
-* Security: KSES: Properly implement the whitelist with extensions.
-* Security: KSES: Document unfixable bug in implementation.
+* Security: KSES: Try implementing the whitelist with extensions.
 
 = 0.81.4 (2022-06-17) =