KSES: Deprecate wp_kses_js_entities().

This function was originally introduced to fix an XSS attack in Netscape 4, which never affected any other browsers, or later versions of Netscape. I'm willing to go out on a limb, and say that we've officially dropped security support for Netscape 4. Props dmsnell, desrosj. Fixes #33848. Built from https://develop.svn.wordpress.org/trunk@38785 git-svn-id: http://core.svn.wordpress.org/trunk@38728 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-10-13 22:25:31 +00:00
parent acd764a1d3
commit 456f8015b7
3 changed files with 27 additions and 15 deletions
--- a/wp-includes/deprecated.php
+++ b/wp-includes/deprecated.php
@@ -3772,3 +3772,29 @@ function get_paged_template() {

 	return get_query_template( 'paged' );
 }
+
+/**
+ * Removes the HTML JavaScript entities found in early versions of Netscape 4.
+ *
+ * Previously, this function was pulled in from the original
+ * import of kses and removed a specific vulnerability only
+ * existent in early version of Netscape 4. However, this
+ * vulnerability never affected any other browsers and can
+ * be considered safe for the modern web.
+ *
+ * The regular expression which sanitized this vulnerability
+ * has been removed in consideration of the performance and
+ * energy demands it placed, now merely passing through its
+ * input to the return.
+ *
+ * @since 1.0.0
+ * @deprecated deprecated since 4.7
+ *
+ * @param string $string
+ * @return string
+ */
+function wp_kses_js_entities( $string ) {
+	_deprecated_function( __FUNCTION__, '4.7.0' );
+
+	return preg_replace( '%&\s*\{[^}]*(\}\s*;?|$)%', '', $string );
+}