_wp_kses_allow_pdf_objects

The timeline below shows how the WordPress function _wp_kses_allow_pdf_objects has changed across WordPress versions. If a version is not listed, refer to the next available version below.

WordPress Version: 5.9

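/**
 * Helper function to check if this is a safe PDF URL.
 *
 * A URL is accepted only when all of the following hold:
 *  - it contains no query string (`?`) and no fragment (`#`);
 *  - it ends in `.pdf` (the comparison is case-sensitive);
 *  - it begins with `http://` or `https://`, followed by the host (and port,
 *    if one is set) of the site's upload URL, followed by `/`.
 *
 * The check fails closed: if the upload URL yields no host, no URL is accepted.
 *
 * @since 5.9.0
 * @access private
 * @ignore
 *
 * @param string $url The URL to check.
 * @return bool True if the URL is safe, false otherwise.
 */
function _wp_kses_allow_pdf_objects($url)
{
    // We're not interested in URLs that contain query strings or fragments.
    if (str_contains($url, '?') || str_contains($url, '#')) {
        return false;
    }
    // If it doesn't have a PDF extension, it's not safe.
    if (!str_ends_with($url, '.pdf')) {
        return false;
    }
    // Work out the host (and optional port) that uploaded media is served from.
    $upload_info = wp_upload_dir(null, false);
    $parsed_url = wp_parse_url($upload_info['url']);
    $upload_host = isset($parsed_url['host']) ? $parsed_url['host'] : '';
    $upload_port = isset($parsed_url['port']) ? ':' . $parsed_url['port'] : '';
    // Without a host the allowed prefix would collapse to "http:///", which
    // no longer pins the URL to this site. Refuse rather than guess.
    if ('' === $upload_host) {
        return false;
    }
    // The trailing slash is part of the prefix so that a longer host name that
    // merely begins with the upload host does not match.
    // NOTE(review): only the origin and the extension are checked; the path in
    // between is not normalised or compared against the uploads directory.
    $allowed_origin = "{$upload_host}{$upload_port}/";
    foreach (array('http://', 'https://') as $scheme) {
        if (str_starts_with($url, $scheme . $allowed_origin)) {
            return true;
        }
    }
    return false;
}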