本文整理匯總了PHP中wp_kses_bad_protocol函數的典型用法代碼示例。如果您正苦於以下問題:PHP wp_kses_bad_protocol函數的具體用法?PHP wp_kses_bad_protocol怎麽用?PHP wp_kses_bad_protocol使用的例子?那麽, 這裏精選的函數代碼示例或許可以為您提供幫助。
在下文中一共展示了wp_kses_bad_protocol函數的15個代碼示例,這些例子默認根據受歡迎程度排序。您可以為喜歡或者感覺有用的代碼點讚,您的評價將有助於係統推薦出更棒的PHP代碼示例。
示例1: esc_url
function esc_url($url, $protocols = null, $_context = 'display')
{
$original_url = $url;
if ('' == $url) {
return $url;
}
$url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\\|*\'()\\x80-\\xff]|i', '', $url);
$strip = array('%0d', '%0a', '%0D', '%0A');
$url = _deep_replace($strip, $url);
$url = str_replace(';//', '://', $url);
if (strpos($url, ':') === false && substr($url, 0, 1) != '/' && substr($url, 0, 1) != '#' && !preg_match('/^[a-z0-9-]+?\\.php/i', $url)) {
$url = 'http://' . $url;
}
if ('display' == $_context) {
$url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&$1', $url);
$url = str_replace("'", ''', $url);
}
if (!is_array($protocols)) {
$protocols = array('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn');
}
if (wp_kses_bad_protocol($url, $protocols) != $url) {
return '';
}
return apply_filters('clean_url', $url, $original_url, $_context);
}
示例2: nextgen_esc_url
function nextgen_esc_url($url, $protocols = null, $_context = 'display')
{
$original_url = $url;
if ('' == $url) {
return $url;
}
$url = preg_replace('|[^a-z0-9 \\-~+_.?#=!&;,/:%@$\\|*\'()\\x80-\\xff]|i', '', $url);
$strip = array('%0d', '%0a', '%0D', '%0A');
$url = _deep_replace($strip, $url);
$url = str_replace(';//', '://', $url);
/* If the URL doesn't appear to contain a scheme, we
* presume it needs http:// appended (unless a relative
* link starting with /, # or ? or a php file).
*/
if (strpos($url, ':') === false && !in_array($url[0], array('/', '#', '?')) && !preg_match('/^[a-z0-9-]+?\\.php/i', $url)) {
$url = 'http://' . $url;
}
// Replace ampersands and single quotes only when displaying.
if ('display' == $_context) {
$url = wp_kses_normalize_entities($url);
$url = str_replace('&', '&', $url);
$url = str_replace("'", ''', $url);
$url = str_replace('%', '%25', $url);
$url = str_replace(' ', '%20', $url);
}
if ('/' === $url[0]) {
$good_protocol_url = $url;
} else {
if (!is_array($protocols)) {
$protocols = wp_allowed_protocols();
}
$good_protocol_url = wp_kses_bad_protocol($url, $protocols);
if (strtolower($good_protocol_url) != strtolower($url)) {
return '';
}
}
return apply_filters('clean_url', $good_protocol_url, $original_url, $_context);
}
示例3: request
/**
* Send an HTTP request to a URI.
*
* Please note: The only URI that are supported in the HTTP Transport implementation
* are the HTTP and HTTPS protocols.
*
* @access public
* @since 2.7.0
*
* @param string $url The request URL.
* @param string|array $args {
* Optional. Array or string of HTTP request arguments.
*
* @type string $method Request method. Accepts 'GET', 'POST', 'HEAD', or 'PUT'.
* Some transports technically allow others, but should not be
* assumed. Default 'GET'.
* @type int $timeout How long the connection should stay open in seconds. Default 5.
* @type int $redirection Number of allowed redirects. Not supported by all transports
* Default 5.
* @type string $httpversion Version of the HTTP protocol to use. Accepts '1.0' and '1.1'.
* Default '1.0'.
* @type string $user-agent User-agent value sent.
* Default WordPress/' . get_bloginfo( 'version' ) . '; ' . get_bloginfo( 'url' ).
* @type bool $reject_unsafe_urls Whether to pass URLs through wp_http_validate_url().
* Default false.
* @type bool $blocking Whether the calling code requires the result of the request.
* If set to false, the request will be sent to the remote server,
* and processing returned to the calling code immediately, the caller
* will know if the request succeeded or failed, but will not receive
* any response from the remote server. Default true.
* @type string|array $headers Array or string of headers to send with the request.
* Default empty array.
* @type array $cookies List of cookies to send with the request. Default empty array.
* @type string|array $body Body to send with the request. Default null.
* @type bool $compress Whether to compress the $body when sending the request.
* Default false.
* @type bool $decompress Whether to decompress a compressed response. If set to false and
* compressed content is returned in the response anyway, it will
* need to be separately decompressed. Default true.
* @type bool $sslverify Whether to verify SSL for the request. Default true.
* @type string sslcertificates Absolute path to an SSL certificate .crt file.
* Default ABSPATH . WPINC . '/certificates/ca-bundle.crt'.
* @type bool $stream Whether to stream to a file. If set to true and no filename was
* given, it will be droped it in the WP temp dir and its name will
* be set using the basename of the URL. Default false.
* @type string $filename Filename of the file to write to when streaming. $stream must be
* set to true. Default null.
* @type int $limit_response_size Size in bytes to limit the response to. Default null.
*
* }
* @return array|WP_Error Array containing 'headers', 'body', 'response', 'cookies', 'filename'.
* A WP_Error instance upon error.
*/
public function request($url, $args = array())
{
$defaults = array('method' => 'GET', 'timeout' => apply_filters('http_request_timeout', 5), 'redirection' => apply_filters('http_request_redirection_count', 5), 'httpversion' => apply_filters('http_request_version', '1.0'), 'user-agent' => apply_filters('http_headers_useragent', 'WordPress/' . get_bloginfo('version') . '; ' . get_bloginfo('url')), 'reject_unsafe_urls' => apply_filters('http_request_reject_unsafe_urls', false), 'blocking' => true, 'headers' => array(), 'cookies' => array(), 'body' => null, 'compress' => false, 'decompress' => true, 'sslverify' => true, 'sslcertificates' => ABSPATH . WPINC . '/certificates/ca-bundle.crt', 'stream' => false, 'filename' => null, 'limit_response_size' => null);
// Pre-parse for the HEAD checks.
$args = wp_parse_args($args);
// By default, Head requests do not cause redirections.
if (isset($args['method']) && 'HEAD' == $args['method']) {
$defaults['redirection'] = 0;
}
$r = wp_parse_args($args, $defaults);
/**
* Filters the arguments used in an HTTP request.
*
* @since 2.7.0
*
* @param array $r An array of HTTP request arguments.
* @param string $url The request URL.
*/
$r = apply_filters('http_request_args', $r, $url);
// The transports decrement this, store a copy of the original value for loop purposes.
if (!isset($r['_redirection'])) {
$r['_redirection'] = $r['redirection'];
}
/**
* Filters whether to preempt an HTTP request's return value.
*
* Returning a non-false value from the filter will short-circuit the HTTP request and return
* early with that value. A filter should return either:
*
* - An array containing 'headers', 'body', 'response', 'cookies', and 'filename' elements
* - A WP_Error instance
* - boolean false (to avoid short-circuiting the response)
*
* Returning any other value may result in unexpected behaviour.
*
* @since 2.9.0
*
* @param false|array|WP_Error $preempt Whether to preempt an HTTP request's return value. Default false.
* @param array $r HTTP request arguments.
* @param string $url The request URL.
*/
$pre = apply_filters('pre_http_request', false, $r, $url);
if (false !== $pre) {
return $pre;
}
if (function_exists('wp_kses_bad_protocol')) {
if ($r['reject_unsafe_urls']) {
//.........這裏部分代碼省略.........
示例4: wp_http_validate_url
/**
* Validate a URL for safe use in the HTTP API.
*
* @since 3.5.2
*
* @return mixed URL or false on failure.
*/
function wp_http_validate_url($url)
{
$original_url = $url;
$url = wp_kses_bad_protocol($url, array('http', 'https'));
if (!$url || strtolower($url) !== strtolower($original_url)) {
return false;
}
$parsed_url = @parse_url($url);
if (!$parsed_url || empty($parsed_url['host'])) {
return false;
}
if (isset($parsed_url['user']) || isset($parsed_url['pass'])) {
return false;
}
if (false !== strpbrk($parsed_url['host'], ':#?[]')) {
return false;
}
$parsed_home = @parse_url(get_option('home'));
$same_host = strtolower($parsed_home['host']) === strtolower($parsed_url['host']);
if (!$same_host) {
$host = trim($parsed_url['host'], '.');
if (preg_match('#^\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}$#', $host)) {
$ip = $host;
} else {
$ip = gethostbyname($host);
if ($ip === $host) {
// Error condition for gethostbyname()
$ip = false;
}
}
if ($ip) {
$parts = array_map('intval', explode('.', $ip));
if (127 === $parts[0] || 10 === $parts[0] || 172 === $parts[0] && 16 <= $parts[1] && 31 >= $parts[1] || 192 === $parts[0] && 168 === $parts[1]) {
// If host appears local, reject unless specifically allowed.
/**
* Check if HTTP request is external or not.
*
* Allows to change and allow external requests for the HTTP request.
*
* @since 3.6.0
*
* @param bool false Whether HTTP request is external or not.
* @param string $host IP of the requested host.
* @param string $url URL of the requested host.
*/
if (!apply_filters('http_request_host_is_external', false, $host, $url)) {
return false;
}
}
}
}
if (empty($parsed_url['port'])) {
return $url;
}
$port = $parsed_url['port'];
if (80 === $port || 443 === $port || 8080 === $port) {
return $url;
}
if ($parsed_home && $same_host && $parsed_home['port'] === $port) {
return $url;
}
return false;
}
示例5: test_wp_kses_bad_protocol
function test_wp_kses_bad_protocol()
{
$bad = array('dummy:alert(1)', 'javascript:alert(1)', 'JaVaScRiPt:alert(1)', 'javascript:alert(1);', 'javascript:alert(1);', 'javascript:alert(1);', 'javascript:alert(1);', 'javascript:alert(1);', 'javascript:alert(1);', 'javascript:alert(1);', 'javascript:alert(1);', 'javascript:alert(1);', 'javascript:alert('XSS')', 'jav ascript:alert(1);', 'jav	ascript:alert(1);', 'jav
ascript:alert(1);', 'jav
ascript:alert(1);', '  javascript:alert(1);', 'javascript:javascript:alert(1);', 'javascript:javascript:alert(1);', 'javascript:javascript:alert(1);', 'javascript:javascript:alert(1);', 'javascript:javascript:alert(1);', 'javascript:alert(1)//?:', 'feed:javascript:alert(1)', 'feed:javascript:feed:javascript:feed:javascript:alert(1)');
foreach ($bad as $k => $x) {
$result = wp_kses_bad_protocol(wp_kses_normalize_entities($x), wp_allowed_protocols());
if (!empty($result) && $result != 'alert(1);' && $result != 'alert(1)') {
switch ($k) {
case 6:
$this->assertEquals('javascript&#0000058alert(1);', $result);
break;
case 12:
$this->assertEquals(str_replace('&', '&', $x), $result);
break;
case 22:
$this->assertEquals('javascript&#0000058alert(1);', $result);
break;
case 23:
$this->assertEquals('javascript&#0000058alert(1)//?:', $result);
break;
case 24:
$this->assertEquals('feed:alert(1)', $result);
break;
default:
$this->fail("wp_kses_bad_protocol failed on {$x}. Result: {$result}");
}
}
}
$safe = array('dummy:alert(1)', 'HTTP://example.org/', 'http://example.org/', 'http://example.org/', 'http://example.org/', 'https://example.org', 'http://example.org/wp-admin/post.php?post=2&action=edit', 'http://example.org/index.php?test='blah'');
foreach ($safe as $x) {
$result = wp_kses_bad_protocol(wp_kses_normalize_entities($x), array('http', 'https', 'dummy'));
if ($result != $x && $result != 'http://example.org/') {
$this->fail("wp_kses_bad_protocol incorrectly blocked {$x}");
}
}
}
示例6: esc_url
/**
* Checks and cleans a URL.
*
* A number of characters are removed from the URL. If the URL is for displaying
* (the default behaviour) ampersands are also replaced. The 'clean_url' filter
* is applied to the returned cleaned URL.
*
* @since 2.8.0
* @uses wp_kses_bad_protocol() To only permit protocols in the URL set
* via $protocols or the common ones set in the function.
*
* @param string $url The URL to be cleaned.
* @param array $protocols Optional. An array of acceptable protocols.
* Defaults to 'http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn' if not set.
* @param string $_context Private. Use esc_url_raw() for database usage.
* @return string The cleaned $url after the 'clean_url' filter is applied.
*/
function esc_url( $url, $protocols = null, $_context = 'display' ) {
$original_url = $url;
if ( '' == $url )
return $url;
$url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\\x80-\\xff]|i', '', $url);
$strip = array('%0d', '%0a', '%0D', '%0A');
$url = _deep_replace($strip, $url);
$url = str_replace(';//', '://', $url);
/* If the URL doesn't appear to contain a scheme, we
* presume it needs http:// appended (unless a relative
* link starting with /, # or ? or a php file).
*/
if ( strpos($url, ':') === false && ! in_array( $url[0], array( '/', '#', '?' ) ) &&
! preg_match('/^[a-z0-9-]+?\.php/i', $url) )
$url = 'http://' . $url;
// Replace ampersands and single quotes only when displaying.
if ( 'display' == $_context ) {
$url = wp_kses_normalize_entities( $url );
$url = str_replace( '&', '&', $url );
$url = str_replace( "'", ''', $url );
}
if ( '/' === $url[0] ) {
$good_protocol_url = $url;
} else {
if ( ! is_array( $protocols ) )
$protocols = wp_allowed_protocols();
$good_protocol_url = wp_kses_bad_protocol( $url, $protocols );
if ( strtolower( $good_protocol_url ) != strtolower( $url ) )
return '';
}
/**
* Filter a string cleaned and escaped for output as a URL.
*
* @since 2.3.0
*
* @param string $good_protocol_url The cleaned URL to be returned.
* @param string $original_url The URL prior to cleaning.
* @param string $_context If 'display', replace ampersands and single quotes only.
*/
return apply_filters( 'clean_url', $good_protocol_url, $original_url, $_context );
}
示例7: request
//.........這裏部分代碼省略.........
*
* @since 2.7.0
*
* @param array $r An array of HTTP request arguments.
* @param string $url The request URL.
*/
$r = apply_filters('http_request_args', $r, $url);
// The transports decrement this, store a copy of the original value for loop purposes.
if (!isset($r['_redirection'])) {
$r['_redirection'] = $r['redirection'];
}
/**
* Filter whether to preempt an HTTP request's return value.
*
* Returning a non-false value from the filter will short-circuit the HTTP request and return
* early with that value. A filter should return either:
*
* - An array containing 'headers', 'body', 'response', 'cookies', and 'filename' elements
* - A WP_Error instance
* - boolean false (to avoid short-circuiting the response)
*
* Returning any other value may result in unexpected behaviour.
*
* @since 2.9.0
*
* @param false|array|WP_Error $preempt Whether to preempt an HTTP request's return value. Default false.
* @param array $r HTTP request arguments.
* @param string $url The request URL.
*/
$pre = apply_filters('pre_http_request', false, $r, $url);
if (false !== $pre) {
return $pre;
}
if (function_exists('wp_kses_bad_protocol')) {
if ($r['reject_unsafe_urls']) {
$url = wp_http_validate_url($url);
}
if ($url) {
$url = wp_kses_bad_protocol($url, array('http', 'https', 'ssl'));
}
}
$arrURL = @parse_url($url);
if (empty($url) || empty($arrURL['scheme'])) {
return new WP_Error('http_request_failed', __('A valid URL was not provided.'));
}
if ($this->block_request($url)) {
return new WP_Error('http_request_failed', __('User has blocked requests through HTTP.'));
}
/*
* Determine if this is a https call and pass that on to the transport functions
* so that we can blacklist the transports that do not support ssl verification
*/
$r['ssl'] = $arrURL['scheme'] == 'https' || $arrURL['scheme'] == 'ssl';
// Determine if this request is to OUR install of WordPress.
$homeURL = parse_url(get_bloginfo('url'));
$r['local'] = 'localhost' == $arrURL['host'] || isset($homeURL['host']) && $homeURL['host'] == $arrURL['host'];
unset($homeURL);
/*
* If we are streaming to a file but no filename was given drop it in the WP temp dir
* and pick its name using the basename of the $url.
*/
if ($r['stream'] && empty($r['filename'])) {
$r['filename'] = get_temp_dir() . wp_unique_filename(get_temp_dir(), basename($url));
}
/*
* Force some settings if we are streaming to a file and check for existence and perms
示例8: clean_url
function clean_url( $url, $protocols = null ) {
if ('' == $url) return $url;
$url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%]|i', '', $url);
$strip = array('%0d', '%0a');
$url = str_replace($strip, '', $url);
$url = str_replace(';//', '://', $url);
// Append http unless a relative link starting with / or a php file.
if ( strpos($url, '://') === false &&
substr( $url, 0, 1 ) != '/' && !preg_match('/^[a-z0-9]+?\.php/i', $url) )
$url = 'http://' . $url;
$url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&$1', $url);
if ( !is_array($protocols) )
$protocols = array('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet');
if ( wp_kses_bad_protocol( $url, $protocols ) != $url )
return '';
return $url;
}
示例9: clean_url
function clean_url($url, $protocols = null, $context = 'display')
{
$original_url = $url;
if ('' == $url) {
return $url;
}
$url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@()]|i', '', $url);
$strip = array('%0d', '%0a');
$url = str_replace($strip, '', $url);
$url = str_replace(';//', '://', $url);
/* If the URL doesn't appear to contain a scheme, we
* presume it needs http:// appended (unless a relative
* link starting with / or a php file).
*/
if (strpos($url, ':') === false && substr($url, 0, 1) != '/' && !preg_match('/^[a-z0-9-]+?\\.php/i', $url)) {
$url = 'http://' . $url;
}
// Replace ampersands ony when displaying.
if ('display' == $context) {
$url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&$1', $url);
}
if (!is_array($protocols)) {
$protocols = array('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet');
}
if (wp_kses_bad_protocol($url, $protocols) != $url) {
return '';
}
return apply_filters('clean_url', $url, $original_url, $context);
}
示例10: wp_kses_hair
/**
* wp_kses_hair() - Builds an attribute list from string containing attributes.
*
* This function does a lot of work. It parses an attribute list into an array
* with attribute data, and tries to do the right thing even if it gets weird
* input. It will add quotes around attribute values that don't have any quotes
* or apostrophes around them, to make it easier to produce HTML code that will
* conform to W3C's HTML specification. It will also remove bad URL protocols
* from attribute values. It also reduces duplicate attributes by using the
* attribute defined first (foo='bar' foo='baz' will result in foo='bar').
*
* @since 1.0.0
*
* @param string $attr Attribute list from HTML element to closing HTML element tag
* @param array $allowed_protocols Allowed protocols to keep
* @return array List of attributes after parsing
*/
function wp_kses_hair($attr, $allowed_protocols)
{
$attrarr = array();
$mode = 0;
$attrname = '';
# Loop through the whole attribute list
while (strlen($attr) != 0) {
$working = 0;
# Was the last operation successful?
switch ($mode) {
case 0:
# attribute name, href for instance
if (preg_match('/^([-a-zA-Z]+)/', $attr, $match)) {
$attrname = $match[1];
$working = $mode = 1;
$attr = preg_replace('/^[-a-zA-Z]+/', '', $attr);
}
break;
case 1:
# equals sign or valueless ("selected")
if (preg_match('/^\\s*=\\s*/', $attr)) {
$working = 1;
$mode = 2;
$attr = preg_replace('/^\\s*=\\s*/', '', $attr);
break;
}
if (preg_match('/^\\s+/', $attr)) {
$working = 1;
$mode = 0;
if (FALSE === array_key_exists($attrname, $attrarr)) {
$attrarr[$attrname] = array('name' => $attrname, 'value' => '', 'whole' => $attrname, 'vless' => 'y');
}
$attr = preg_replace('/^\\s+/', '', $attr);
}
break;
case 2:
# attribute value, a URL after href= for instance
if (preg_match('/^"([^"]*)"(\\s+|$)/', $attr, $match)) {
$thisval = wp_kses_bad_protocol($match[1], $allowed_protocols);
if (FALSE === array_key_exists($attrname, $attrarr)) {
$attrarr[$attrname] = array('name' => $attrname, 'value' => $thisval, 'whole' => "{$attrname}=\"{$thisval}\"", 'vless' => 'n');
}
$working = 1;
$mode = 0;
$attr = preg_replace('/^"[^"]*"(\\s+|$)/', '', $attr);
break;
}
if (preg_match("/^'([^']*)'(\\s+|\$)/", $attr, $match)) {
$thisval = wp_kses_bad_protocol($match[1], $allowed_protocols);
if (FALSE === array_key_exists($attrname, $attrarr)) {
$attrarr[$attrname] = array('name' => $attrname, 'value' => $thisval, 'whole' => "{$attrname}='{$thisval}'", 'vless' => 'n');
}
$working = 1;
$mode = 0;
$attr = preg_replace("/^'[^']*'(\\s+|\$)/", '', $attr);
break;
}
if (preg_match("%^([^\\s\"']+)(\\s+|\$)%", $attr, $match)) {
$thisval = wp_kses_bad_protocol($match[1], $allowed_protocols);
if (FALSE === array_key_exists($attrname, $attrarr)) {
$attrarr[$attrname] = array('name' => $attrname, 'value' => $thisval, 'whole' => "{$attrname}=\"{$thisval}\"", 'vless' => 'n');
}
# We add quotes to conform to W3C's HTML spec.
$working = 1;
$mode = 0;
$attr = preg_replace("%^[^\\s\"']+(\\s+|\$)%", '', $attr);
}
break;
}
# switch
if ($working == 0) {
$attr = wp_kses_html_error($attr);
$mode = 0;
}
}
# while
if ($mode == 1 && FALSE === array_key_exists($attrname, $attrarr)) {
# special case, for when the attribute list ends with a valueless
# attribute like "selected"
$attrarr[$attrname] = array('name' => $attrname, 'value' => '', 'whole' => $attrname, 'vless' => 'y');
}
return $attrarr;
}
示例11: esc_url
/**
* Checks and cleans a URL. This function is from WordPress.
*
* A number of characters are removed from the URL. If the URL is for displaying
* (the default behaviour) ampersands are also replaced. The 'clean_url' filter
* is applied to the returned cleaned URL.
*
* @since 2.8.0
* @uses wp_kses_bad_protocol() To only permit protocols in the URL set
* via $protocols or the common ones set in the function.
*
* @param string $url The URL to be cleaned.
* @param array $protocols Optional. An array of acceptable protocols.
* Defaults to 'http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn' if not set.
* @param string $_context Private. Use esc_url_raw() for database usage.
* @return string The cleaned $url after the 'clean_url' filter is applied.
*/
public function esc_url($url, $protocols = null, $_context = 'display')
{
$original_url = $url;
$url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\\|*\'()\\x80-\\xff]|i', '', $url);
$strip = array('%0d', '%0a', '%0D', '%0A');
$url = _deep_replace($strip, $url);
$url = str_replace(';//', '://', $url);
// Replace ampersands and single quotes only when displaying.
if ('display' == $_context) {
$url = wp_kses_normalize_entities($url);
$url = str_replace('&', '&', $url);
$url = str_replace('\'', ''', $url);
}
if (!empty($url[0]) && '/' === $url[0]) {
$good_protocol_url = $url;
} else {
if (!is_array($protocols)) {
$protocols = wp_allowed_protocols();
}
$good_protocol_url = wp_kses_bad_protocol($url, $protocols);
if (strtolower($good_protocol_url) != strtolower($url)) {
return '';
}
}
/**
* Filter a string cleaned and escaped for output as a URL.
*
* @since 2.3.0
*
* @param string $good_protocol_url The cleaned URL to be returned.
* @param string $original_url The URL prior to cleaning.
* @param string $_context If 'display', replace ampersands and single quotes only.
*/
return apply_filters('clean_url', $good_protocol_url, $original_url, $_context);
}
示例12: clean_url
function clean_url( $url, $protocols = null ) {
if ('' == $url) return $url;
$url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%]|i', '', $url);
$strip = array('%0d', '%0a');
$url = str_replace($strip, '', $url);
$url = str_replace(';//', '://', $url);
$url = (!strstr($url, '://')) ? 'http://'.$url : $url;
$url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&$1', $url);
if ( !is_array($protocols) )
$protocols = array('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet');
if ( wp_kses_bad_protocol( $url, $protocols ) != $url )
return '';
return $url;
}
示例13: freshy_theme_page
function freshy_theme_page()
{
global $freshy_options;
if ($_GET['page'] == basename(__FILE__)) {
$array_themes_strings = array('lime', 'blue', 'red');
if (isset($_POST['freshy_options_update'])) {
$freshy_updated_options = array();
$freshy_updated_options = $_POST;
if (isset($freshy_updated_options['theme']) && $freshy_updated_options['changedtheme'] == 1) {
freshy_set_theme($freshy_updated_options['theme'], $freshy_updated_options['advanced_options']);
} else {
$freshy_updated_options['header_bg_custom'] = wp_kses_bad_protocol($freshy_updated_options['header_bg_custom'], array('http', 'https'));
update_option('freshy_options', $freshy_updated_options);
$freshy_options = get_option('freshy_options');
echo '<div class="updated"><p>' . __('XTEC options updated.', 'xtec-11') . '</p></div>';
}
}
echo '
<div class="wrap">
<h2>' . __('XTEC Options', 'xtec-11') . '</h2>
<form name="freshy_options_form" method="post">
<input type="hidden" name="freshy_options_update" value="update" />
<input type="hidden" name="changedtheme" id="changedtheme" value="0" />
<fieldset class="options">
<legend>' . __('Theme switcher', 'xtec-11') . '</legend>
<table id="freshy_menu_options" width="100%" cellspacing="2" cellpadding="5" class="editform">
<col style="width:50%;"/><col/>
<tr>
<td>
<label>' . __('Enter the label of the Homepage menu link', 'xtec-11') . ' </label>
<br/>
<small>' . __('info : modifying these labels should break internationalisation', 'xtec-11') . '</small>
</td>
<td>
<input name="first_menu_label" type="text" value="' . $freshy_options['first_menu_label'] . '"/>
</td>
</tr>';
if (function_exists('yy_menu')) {
echo '
<tr>
<td>
<label>' . __('Enter the label of the Blog menu link', 'xtec-11') . ' </label>
<br/>
<small>' . __('info : this is specially for YammYamm', 'xtec-11') . '</small>
</td>
<td>
<input name="blog_menu_label" type="text" value="' . $freshy_options['blog_menu_label'] . '"/>
</td>
</tr>';
}
echo '
<tr>
<td>
<label>' . __('Enter the label of the last menu link', 'xtec-11') . ' </label>
</td>
<td>
<input name="last_menu_label" type="text" value="' . $freshy_options['last_menu_label'] . '"/>
</td>
</tr>
<tr>
<td>
<label>' . __('Title color, ex: #006699', 'xtec-11') . ' </label>
</td>
<td>
<input style="width:100px;" id="color_title_custom" name="color_title_custom" type="text" value="' . $freshy_options['color_title_custom'] . '"/>
</td>
</tr>
<tr>
<td>
<label>' . __('Subtitle color, ex: #3af567', 'xtec-11') . ' </label>
</td>
<td>
<input style="width:100px;" id="color_subtitle_custom" name="color_subtitle_custom" type="text" value="' . $freshy_options['color_subtitle_custom'] . '"/>
</td>
</tr>
<tr>
<td>
<label>' . __('Absolute url of your own css style', 'xtec-11') . ' </label><br />
<small><a href="' . get_bloginfo('stylesheet_directory') . '/style-default.css" title="' . __('Click', 'xtec-11') . '">' . __('Download css default', 'xtec-11') . '</a></small>
</td>
<td>
<input style="width:370px;" id="css_style_custom" name="css_style_custom" type="text" value="' . $freshy_options['css_style_custom'] . '"/>
</td>
</tr>
<tr>
<td>
<label>' . __('Absolute url of your own image', 'xtec-11') . ' </label>
</td>
<td>
<div style="border:1px solid silver;float:left;margin:2px;width:400px;height:50px;display:block;background:url(';
echo $freshy_options['header_bg_custom'] . ') transparent 0 0;">
<input style="margin:10px;width:370px;" id="header_bg_custom" name="header_bg_custom" type="text" value="' . $freshy_options['header_bg_custom'] . '"/>
</div>
</td>
</tr>
';
if ($freshy_options['header_bg_custom'] != "") {
//.........這裏部分代碼省略.........
示例14: wp_http_validate_url
/**
* Validate a URL for safe use in the HTTP API.
*
* @since 3.5.2
*
* @return mixed URL or false on failure.
*/
function wp_http_validate_url($url)
{
$url = wp_kses_bad_protocol($url, array('http', 'https'));
if (!$url) {
return false;
}
$parsed_url = @parse_url($url);
if (!$parsed_url || empty($parsed_url['host'])) {
return false;
}
if (isset($parsed_url['user']) || isset($parsed_url['pass'])) {
return false;
}
if (false !== strpos($parsed_url['host'], ':')) {
return false;
}
$parsed_home = @parse_url(get_option('home'));
$same_host = strtolower($parsed_home['host']) === strtolower($parsed_url['host']);
if (!$same_host) {
$host = trim($parsed_url['host'], '.');
if (preg_match('#^\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}$#', $host)) {
$ip = $host;
} else {
$ip = gethostbyname($host);
if ($ip === $host) {
// Error condition for gethostbyname()
$ip = false;
}
}
if ($ip) {
$parts = array_map('intval', explode('.', $ip));
if ('127.0.0.1' === $ip || 10 === $parts[0] || 172 === $parts[0] && 16 <= $parts[1] && 31 >= $parts[1] || 192 === $parts[0] && 168 === $parts[1]) {
// If host appears local, reject unless specifically allowed.
if (!apply_filters('http_request_host_is_external', false, $host, $url)) {
return false;
}
}
}
}
if (empty($parsed_url['port'])) {
return $url;
}
$port = $parsed_url['port'];
if (80 === $port || 443 === $port || 8080 === $port) {
return $url;
}
if ($parsed_home && $same_host && $parsed_home['port'] === $port) {
return $url;
}
return false;
}
示例15: esc_url
/**
* Checks and cleans a URL.
*
* A number of characters are removed from the URL. If the URL is for displaying
* (the default behaviour) ampersands are also replaced. The 'clean_url' filter
* is applied to the returned cleaned URL.
*
* @since 2.8.0
*
* @param string $url The URL to be cleaned.
* @param array $protocols Optional. An array of acceptable protocols.
* Defaults to return value of wp_allowed_protocols()
* @param string $_context Private. Use esc_url_raw() for database usage.
* @return string The cleaned $url after the 'clean_url' filter is applied.
*/
function esc_url($url, $protocols = null, $_context = 'display')
{
$original_url = $url;
if ('' == $url) {
return $url;
}
$url = str_replace(' ', '%20', $url);
$url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\\|*\'()\\[\\]\\x80-\\xff]|i', '', $url);
if ('' === $url) {
return $url;
}
if (0 !== stripos($url, 'mailto:')) {
$strip = array('%0d', '%0a', '%0D', '%0A');
$url = _deep_replace($strip, $url);
}
$url = str_replace(';//', '://', $url);
/* If the URL doesn't appear to contain a scheme, we
* presume it needs http:// prepended (unless a relative
* link starting with /, # or ? or a php file).
*/
if (strpos($url, ':') === false && !in_array($url[0], array('/', '#', '?')) && !preg_match('/^[a-z0-9-]+?\\.php/i', $url)) {
$url = 'http://' . $url;
}
// Replace ampersands and single quotes only when displaying.
if ('display' == $_context) {
$url = wp_kses_normalize_entities($url);
$url = str_replace('&', '&', $url);
$url = str_replace("'", ''', $url);
}
if (false !== strpos($url, '[') || false !== strpos($url, ']')) {
$parsed = wp_parse_url($url);
$front = '';
if (isset($parsed['scheme'])) {
$front .= $parsed['scheme'] . '://';
} elseif ('/' === $url[0]) {
$front .= '//';
}
if (isset($parsed['user'])) {
$front .= $parsed['user'];
}
if (isset($parsed['pass'])) {
$front .= ':' . $parsed['pass'];
}
if (isset($parsed['user']) || isset($parsed['pass'])) {
$front .= '@';
}
if (isset($parsed['host'])) {
$front .= $parsed['host'];
}
if (isset($parsed['port'])) {
$front .= ':' . $parsed['port'];
}
$end_dirty = str_replace($front, '', $url);
$end_clean = str_replace(array('[', ']'), array('%5B', '%5D'), $end_dirty);
$url = str_replace($end_dirty, $end_clean, $url);
}
if ('/' === $url[0]) {
$good_protocol_url = $url;
} else {
if (!is_array($protocols)) {
$protocols = wp_allowed_protocols();
}
$good_protocol_url = wp_kses_bad_protocol($url, $protocols);
if (strtolower($good_protocol_url) != strtolower($url)) {
return '';
}
}
/**
* Filter a string cleaned and escaped for output as a URL.
*
* @since 2.3.0
*
* @param string $good_protocol_url The cleaned URL to be returned.
* @param string $original_url The URL prior to cleaning.
* @param string $_context If 'display', replace ampersands and single quotes only.
*/
return apply_filters('clean_url', $good_protocol_url, $original_url, $_context);
}