KSES: Prevent normalization from unescaping escaped numeric character references.

Fixes an issue where `wp_kses_normalize_entities` would transform inputs like "'" into "'", changing the intended HTML text.

This behavior has present since the initial version of KSES was introduced in [649].

[2896] applied the normalization to post content for users without the "unfiltered_html" capability.

Developed in #9099.

Props jonsurrell, dmsnell, sirlouen.
Fixes #63630.


git-svn-id: https://develop.svn.wordpress.org/trunk@60616 602fd350-edb4-49c9-b593-d223f7449a82

Author: sirreal

src/wp-includes/kses.php

@@ -1958,14 +1958,45 @@ function wp_kses_normalize_entities( $content, $context = 'html' ) {
 	// Disarm all entities by converting & to &
 	$content = str_replace( '&', '&', $content );
 
-	// Change back the allowed entities in our list of allowed entities.
+	/*
+	 * Decode any character references that are now double-encoded.
+	 *
+	 * It's important that the following normalizations happen in the correct order.
+	 *
+	 * At this point, all `&` have been transformed to `&`. Double-encoded named character
+	 * references like `&` will be decoded back to their single-encoded form `&`.
+	 *
+	 * First, numeric (decimal and hexadecimal) character references must be handled so that
+	 * `	` becomes `	`. If the named character references were handled first, there
+	 * would be no way to know whether the double-encoded character reference had been produced
+	 * in this function or was the original input.
+	 *
+	 * Consider the two examples, first with named entity decoding followed by numeric
+	 * entity decoding. We'll use U+002E FULL STOP (.) in our example, this table follows the
+	 * string processing from left to right:
+	 *
+	 * | Input        | &-encoded        | Named ref double-decoded  | Numeric ref double-decoded |
+	 * | ------------ | ---------------- | ------------------------- | -------------------------- |
+	 * | `.`     | `.`     | `.`              | `.`                   |
+	 * | `.` | `.` | `.`              | `.`                   |
+	 *
+	 * Notice in the example above that different inputs result in the same result. The second case
+	 * was not normalized and produced HTML that is semantically different from the input.
+	 *
+	 * | Input        | &-encoded        |  Numeric ref double-decoded | Named ref double-decoded |
+	 * | ------------ | ---------------- | --------------------------- | ------------------------ |
+	 * | `.`     | `.`     | `.`                    | `.`                 |
+	 * | `.` | `.` | `.`            | `.`             |
+	 *
+	 * Here, each input is normalized to an appropriate output.
+	 */
+	$content = preg_replace_callback( '/&#(0*[0-9]{1,7});/', 'wp_kses_normalize_entities2', $content );
+	$content = preg_replace_callback( '/&#[Xx](0*[0-9A-Fa-f]{1,6});/', 'wp_kses_normalize_entities3', $content );
 	if ( 'xml' === $context ) {
 		$content = preg_replace_callback( '/&([A-Za-z]{2,8}[0-9]{0,2});/', 'wp_kses_xml_named_entities', $content );
 	} else {
 		$content = preg_replace_callback( '/&([A-Za-z]{2,8}[0-9]{0,2});/', 'wp_kses_named_entities', $content );
 	}
-	$content = preg_replace_callback( '/&#(0*[0-9]{1,7});/', 'wp_kses_normalize_entities2', $content );
-	$content = preg_replace_callback( '/&#[Xx](0*[0-9A-Fa-f]{1,6});/', 'wp_kses_normalize_entities3', $content );
 
 	return $content;
 }

tests/phpunit/tests/kses.php

@@ -597,6 +597,12 @@ public static function data_normalize_entities(): array {
 			'Encoded named ref &'        => array( '&', '&' ),
 			'Encoded named ref &'        => array( '&', '&' ),
 			'Encoded named ref &'       => array( '&', '&' ),
+			'Encoded numeric ref ''      => array( ''', ''' ),
+			'Encoded numeric ref ''      => array( ''', ''' ),
+			'Encoded numeric ref ''     => array( ''', ''' ),
+			'Encoded hex ref ''         => array( ''', ''' ),
+			'Encoded hex ref ''         => array( ''', ''' ),
+			'Encoded hex ref ''        => array( ''', ''' ),
 
 			/*
 			 * The codepoint value here is outside of the valid unicode range whose
@@ -609,6 +615,7 @@ public static function data_normalize_entities(): array {
 
 	/**
 	 * @ticket 26290
+	 * @ticket 63630
 	 *
 	 * @dataProvider data_normalize_entities
 	 */