diff -r -U2 wordpress.orig/wp-includes/formatting.php wordpress/wp-includes/formatting.php --- wordpress.orig/wp-includes/formatting.php 2009-11-11 17:10:13.000000000 -0600 +++ wordpress/wp-includes/formatting.php 2011-01-11 10:34:13.970920002 -0600 @@ -2092,6 +2092,7 @@ // Replace ampersands and single quotes only when displaying. if ( 'display' == $context ) { - $url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&$1', $url); - $url = str_replace( "'", ''', $url ); + $url = wp_kses_normalize_entities( $url ); + $url = str_replace( '&', '&', $url ); + $url = str_replace( "'", ''', $url ); } diff -r -U2 wordpress.orig/wp-includes/kses.php wordpress/wp-includes/kses.php --- wordpress.orig/wp-includes/kses.php 2009-07-08 04:53:22.000000000 -0500 +++ wordpress/wp-includes/kses.php 2011-01-11 10:47:04.468920001 -0600 @@ -534,5 +534,5 @@ } - if ( $arreach['name'] == 'style' ) { + if ( strtolower($arreach['name']) == 'style' ) { $orig_value = $arreach['value']; @@ -626,5 +626,5 @@ { $thisval = $match[1]; - if ( in_array($attrname, $uris) ) + if ( in_array(strtolower($attrname), $uris) ) $thisval = wp_kses_bad_protocol($thisval, $allowed_protocols); @@ -642,5 +642,5 @@ { $thisval = $match[1]; - if ( in_array($attrname, $uris) ) + if ( in_array(strtolower($attrname), $uris) ) $thisval = wp_kses_bad_protocol($thisval, $allowed_protocols); @@ -658,5 +658,5 @@ { $thisval = $match[1]; - if ( in_array($attrname, $uris) ) + if ( in_array(strtolower($attrname), $uris) ) $thisval = wp_kses_bad_protocol($thisval, $allowed_protocols); @@ -882,12 +882,7 @@ */ function wp_kses_bad_protocol_once($string, $allowed_protocols) { - global $_kses_allowed_protocols; - $_kses_allowed_protocols = $allowed_protocols; - - $string2 = preg_split('/:|:|:/i', $string, 2); - if ( isset($string2[1]) && !preg_match('%/\?%', $string2[0]) ) - $string = wp_kses_bad_protocol_once2($string2[0]) . trim($string2[1]); - else - $string = preg_replace_callback('/^((&[^;]*;|[\sA-Za-z0-9])*)'.'(:|:|&#[Xx]3[Aa];)\s*/', 'wp_kses_bad_protocol_once2', $string); + $string2 = preg_split( '/:|�*58;|�*3a;/i', $string, 2 ); + if ( isset($string2[1]) && ! preg_match('%/\?%', $string2[0]) ) + $string = wp_kses_bad_protocol_once2( $string2[0], $allowed_protocols ) . trim( $string2[1] ); return $string; @@ -903,19 +898,9 @@ * @since 1.0.0 * - * @param mixed $matches string or preg_replace_callback() matches array to check for bad protocols + * @param string $string URI scheme to check against the whitelist + * @param string $allowed_protocols Allowed protocols * @return string Sanitized content */ -function wp_kses_bad_protocol_once2($matches) { - global $_kses_allowed_protocols; - - if ( is_array($matches) ) { - if ( ! isset($matches[1]) || empty($matches[1]) ) - return ''; - - $string = $matches[1]; - } else { - $string = $matches; - } - +function wp_kses_bad_protocol_once2( $string, $allowed_protocols ) { $string2 = wp_kses_decode_entities($string); $string2 = preg_replace('/\s/', '', $string2); @@ -926,6 +911,6 @@ $allowed = false; - foreach ( (array) $_kses_allowed_protocols as $one_protocol) - if (strtolower($one_protocol) == $string2) { + foreach ( (array) $allowed_protocols as $one_protocol ) + if ( strtolower($one_protocol) == $string2 ) { $allowed = true; break;