[wp-trac] Re: [WordPress Trac] #5644: wp_kses_normalize_entities regular expression does not use callback

WordPress Trac wp-trac at lists.automattic.com
Sat Jan 12 03:15:04 GMT 2008


#5644: wp_kses_normalize_entities regular expression does not use callback
------------------------+---------------------------------------------------
 Reporter:  darkdragon  |        Owner:  westi   
     Type:  defect      |       Status:  assigned
 Priority:  normal      |    Milestone:  2.6     
Component:  Security    |      Version:          
 Severity:  normal      |   Resolution:          
 Keywords:  kses        |  
------------------------+---------------------------------------------------
Comment (by darkdragon):

 I was wrong about wp_kses_bad_protocol_once(), since from what I've read
 on php.net about preg_replace_callback() it does not allow for adding
 parameters, and the replacement there needs to have a parameter passed to
 the callback function, which is not possible.

 I pointed it out since using the 'e' replacement parameter has bitten phpBB
 quite a few times and is ''generally'' seen as a security risk. I'm
 unsure if that applies here, since I'm not a security expert.

 Preventing it could go a long way, however, since the fix is
 relatively trivial and should not break anything.

 I'm unsure how much support you have for the Kses library.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/5644#comment:5>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
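
As an added example (not kses, WordPress, or the commenter's own code), the
following PHP contrasts the two replacement styles discussed in the comment. It
assumes PHP 5.3 or later so that a closure can carry the extra parameter into
preg_replace_callback(). The /e modifier was deprecated in PHP 5.5 and removed
in PHP 7.0, so e_style_normalize() re-creates by hand what the engine did for
/e: substitute the backreference (with quotes, backslashes and NUL escaped)
into the replacement string, then eval() the result as PHP source. The entity
pattern, the whitelist, normalize_entity() and mark() are this example's own
hypothetical names, not the ones kses uses.

```php
<?php
// Added example, not kses or WordPress code. Shows why preg_replace's 'e'
// modifier is risky and how preg_replace_callback with a closure (PHP 5.3+)
// still lets the callback receive an extra parameter.
//
// /e was removed in PHP 7.0, so e_style_normalize() below emulates what the
// engine did for /e: substitute the addslashes()-escaped backreference into
// the replacement string, then eval() it as PHP source.

// Hypothetical entity whitelist and normaliser (this example's own, not kses's).
$allowed = array('amp', 'lt', 'gt', 'quot');

function normalize_entity($name, array $allowed) {
    return in_array($name, $allowed, true) ? "&$name;" : "&amp;$name;";
}

// Records that attacker-supplied code ran. It returns the name of a variable
// that exists in the eval scope only so the demo stays warning-free; the call
// itself has already happened by the time that lookup occurs.
function mark() {
    $GLOBALS['attacker_code_ran'] = true;
    return 'php';
}

// What preg_replace('/&([^;]*);/e', 'normalize_entity("\\1", $allowed)', $s)
// did in PHP 5: the replacement is PHP source, evaluated once per match.
function e_style_normalize($string, array $allowed) {
    $template = 'normalize_entity("\\1", $allowed)';   // source code, not data
    return preg_replace_callback('/&([^;]*);/', function ($m) use ($template, $allowed) {
        // /e escaped ' " \ and NUL in substituted backreferences, nothing else.
        $php = str_replace('\\1', addslashes($m[1]), $template);
        return eval("return $php;");
    }, $string);
}

// The callback form: the match is handed over as data and never evaluated,
// and the closure's use() clause carries the extra parameter.
function callback_normalize($string, array $allowed) {
    return preg_replace_callback('/&([^;]*);/', function ($m) use ($allowed) {
        return normalize_entity($m[1], $allowed);
    }, $string);
}

// Constructed input. Quotes would be escaped by /e, but "{${expr}}" string
// interpolation is not, so the expression runs when the replacement is eval'd.
$payload = 'a &amp; b &{${mark()}}; c';

$GLOBALS['attacker_code_ran'] = false;
$out = e_style_normalize($payload, $allowed);
printf("/e style : %s\n  attacker code ran: %s\n", $out,
       var_export($GLOBALS['attacker_code_ran'], true));

$GLOBALS['attacker_code_ran'] = false;
$out = callback_normalize($payload, $allowed);
printf("callback : %s\n  attacker code ran: %s\n", $out,
       var_export($GLOBALS['attacker_code_ran'], true));
```

Run it with any PHP 5.3+ interpreter: the /e-style path reports that mark()
executed, because the matched text became part of a double-quoted PHP string
literal and its `{${...}}` interpolation was evaluated; the callback path
reports that it did not, since the match only ever reached normalize_entity()
as an ordinary string argument. A stricter entity pattern would also stop this
particular payload from matching, but the callback form removes the eval step
entirely, which is the property that matters.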