[wp-trac] [WordPress Trac] #3043: both WYSIWYG and plain editor are stripping tags.

WordPress Trac wp-trac at lists.automattic.com
Wed Aug 16 11:13:33 GMT 2006


#3043: both WYSIWYG and plain editor are stripping tags.
----------------------+-----------------------------------------------------
 Reporter:  morpheu5  |       Owner:  anonymous                      
     Type:  defect    |      Status:  new                            
 Priority:  high      |   Milestone:                                 
Component:  Security  |     Version:  2.0.4                          
 Severity:  major     |    Keywords:  editor strip stripping tag tags
----------------------+-----------------------------------------------------
 Hi you all. I'm running WP 2.0.4 on a server with PHP Version
 5.1.4-pl4-gentoo with Hardening-Patch 0.4.11.

 The problem is that the tags are being stripped by WP and get replaced
 with <p> and <br />. The problem may reside in the hardening patch - as
 stated by the owner of the server - which cleans up potentially malicious
 content for security issues. He said that this behaviour will be
 integrated in PHP 5.2.x as the standard behaviour. He also said that this
 is a per-server setting, not a per-directory one.

 I'm pretty new to the WP code for making a patch on it (and honestly I found
 that code to be a real damn big mess) so I'm just suggesting that you encode
 the html content got from the form with htmlentities() before working on
 it and decode it with html_decode_entity() before sending it back to the
 user. I actually don't know much about how the hardening patch works for
 this issue but I guess that this would be enough.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/3043>
WordPress Trac <http://wordpress.org/>
WordPress blogging software

