[wp-trac] [WordPress Trac] #12394: kses removes valid attribute from xhtml elements

WordPress Trac wp-trac at lists.automattic.com
Sun Feb 28 03:35:16 UTC 2010


#12394: kses removes valid attribute from xhtml elements
--------------------------+-------------------------------------------------
 Reporter:  dougal        |       Owner:                                      
     Type:  defect (bug)  |      Status:  new                                 
 Priority:  normal        |   Milestone:  3.0                                 
Component:  Formatting    |     Version:  2.9.2                               
 Severity:  normal        |    Keywords:  has-patch, tested, kses, xhtml, html
--------------------------+-------------------------------------------------
Changes (by dougal):

  * version:  => 2.9.2


Comment:

 Attached a diff for test_post_filtering.php for a couple of minor kses
 checks, including the one mentioned in this bug.

 Really, as mentioned in the wordpress-dev IRC chat the other day, we
 should probably work on a whole suite of security-related kses checks.

 This reminded me that a while back, there was a suggestion of replacing
 kses with HTML Purifier. However, I see that HTML Purifier is PHP 5 only,
 so that decision will have to wait until the PHP version requirement for
 WordPress is updated in the future.

 However, this might be a good resource to look at for formulating unit
 tests: http://htmlpurifier.org/live/smoketests/xssAttacks.php

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/12394#comment:4>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software