[wp-trac] [WordPress Trac] #19414: Filter 'kses_allowed_protocols' is only applied once in function wp_allowed_protocols() & function esc_url() returns empty string;

WordPress Trac wp-trac at lists.automattic.com
Fri Dec 2 16:01:15 UTC 2011


#19414: Filter 'kses_allowed_protocols' is only applied once in function
wp_allowed_protocols()  & function esc_url() returns empty string;
--------------------------+------------------------------
 Reporter:  Anatta        |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Security      |     Version:  3.3
 Severity:  major         |  Resolution:
 Keywords:  close         |
--------------------------+------------------------------

Comment (by Anatta):

 @duck I agree for custom calls, but in this case the esc_url() call is
 being made during the rendering of the admin bar; modifying the esc_url()
 call in this case is not possible without modifying
 wp-includes/class-wp-admin-bar.php. There are no other actions or filters
 between the wp_before_admin_bar_render and wp_after_admin_bar_render hooks
 that can be used to enable a javascript action on an admin-bar link.

 Given the prominence and focus of the new admin bar, I can imagine
 increased instances of developers wishing to add more functionality to it.
 Given that the only workaround is currently to globally enable the
 javascript protocol, any plugin with admin-bar javascript would be
 advertising a vulnerability.

 Either a patch to allow more targeted filtering of wp_allowed_protocols(),
 or amendments to allow targeted exceptions for the admin bar (or dropping
 the esc_url call for the admin bar) seem justified.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/19414#comment:4>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
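
The workaround the comment describes, written out as a minimal plugin. This is an added example, not code from the ticket or from WordPress core; the plugin name, the node id abjs-example, the abjs_ function names and the page-side abjsRun() script it links to are all assumptions made here. It also shows the timing consequence of the ticket title: because wp_allowed_protocols() in 3.3 caches its result in a static variable and runs 'kses_allowed_protocols' only on the first call, the filter has to be registered at plugin load, before any esc_url() call in the request, or it silently has no effect.

```php
<?php
/*
Plugin Name: Admin Bar JS Link (constructed example, not WordPress core code)
*/

// Assumptions for this example: the node id and the javascript: href.
// The href deliberately contains only characters esc_url() leaves alone
// (no quotes, no spaces), otherwise esc_url() would rewrite it even when
// the protocol is allowed.
define( 'ABJS_NODE_ID', 'abjs-example' );
define( 'ABJS_HREF', 'javascript:abjsRun();' );

// Workaround from the ticket: add 'javascript' to the protocol list that
// wp_allowed_protocols() returns. In 3.3 that list is built once per request
// and the 'kses_allowed_protocols' filter is applied only at that first call,
// so this add_filter() must run at plugin load, not from an admin-bar hook.
// Caveat: this is global. Every esc_url() caller on the site now accepts
// javascript: URLs, which is the vulnerability the comment warns about.
function abjs_allow_javascript_protocol( $protocols ) {
    $protocols[] = 'javascript';
    return $protocols;
}
add_filter( 'kses_allowed_protocols', 'abjs_allow_javascript_protocol' );

// Add the admin-bar node. esc_url() is applied to 'href' while the bar is
// rendered (wp-includes/class-wp-admin-bar.php); without the filter above
// the javascript: URL is reduced to an empty string and the link is inert.
function abjs_add_node( $wp_admin_bar ) {
    $wp_admin_bar->add_menu( array(
        'id'    => ABJS_NODE_ID,
        'title' => 'Run action',
        'href'  => ABJS_HREF,
    ) );
}
add_action( 'admin_bar_menu', 'abjs_add_node', 100 );

// Self-check: reports whether esc_url() keeps the link for this request.
// Returns true when the javascript: href survives, false when it is stripped
// (for example because the filter was registered after the first
// wp_allowed_protocols() call and the cached list does not contain it).
function abjs_check_href() {
    $kept = ( esc_url( ABJS_HREF ) !== '' );
    if ( ! $kept ) {
        error_log( 'abjs: javascript: href stripped by esc_url(); filter registered too late?' );
    }
    return $kept;
}
add_action( 'wp_before_admin_bar_render', 'abjs_check_href' );
```

Dropping the add_filter() call is enough to see the stripping: abjs_check_href() then logs the warning and the rendered node has an empty href. Moving the add_filter() into abjs_add_node() produces the same failure on any request where esc_url() ran before the admin bar was built, which is what the "only applied once" part of the ticket title refers to.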