[wp-hackers] Why kses filtered html strips class?

Chris chris.hearn01 at ntlworld.com
Fri Aug 3 19:41:40 GMT 2007


Otto,
thanks for the explanation - I guess I will either use HTML Purifier, 
or simply give unfiltered HTML access to my editors - who I trust - I want to 
fix this some way, and these 2 options seem the best.
Chris


Otto wrote:
> On 8/2/07, Chris <chris.hearn01 at ntlworld.com> wrote:
>   
>> Still don't understand why WP whacks it tho!
>>     
>
> Because class is a security risk. So is style and such. With access to
> classes and/or styles, it's possible to absolutely position some text
> or other code elsewhere on the page. Perhaps overwriting a login form
> or something else, and thus allowing one of your editors to trick
> somebody into giving up information. There are other ways to do bad
> things with class too, the point is that if they have unfettered
> access to class adjustment then they can potentially change your site
> in insecure ways.
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
>   
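
The filtering Otto describes, as an added example (not from the thread and not WordPress's kses code): a Python allowlist filter that drops class and style, with an optional mode that keeps only vetted class names. The policy tables, class names and sample markup are constructed assumptions.

```python
from html import escape
from html.parser import HTMLParser

# Hypothetical kses-style policy: tag -> attributes allowed on it.
# class and style are deliberately absent from every entry.
ALLOWED = {"a": {"href", "title"}, "p": set(), "em": set(), "strong": set(), "br": set()}
VOID = {"br"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")  # relative URLs are dropped too
ALLOWED_CLASSES = {"alignleft", "alignright"}  # constructed list of vetted names

# Constructed sample of editor-submitted markup.
SAMPLE = ('<p class="alignleft overlay" style="position:absolute;top:0;left:0">'
          'Please <a href="https://example.com/" class="btn">sign in</a> again</p>')

class AllowlistFilter(HTMLParser):
    def __init__(self, allow_vetted_classes=False):
        super().__init__(convert_charrefs=True)
        self.allow_vetted_classes = allow_vetted_classes
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # unknown tag is dropped; its text still goes through handle_data
        kept = []
        for name, value in attrs:
            value = value or ""
            if name == "class" and self.allow_vetted_classes:
                names = [c for c in value.split() if c in ALLOWED_CLASSES]
                if names:
                    kept.append(("class", " ".join(names)))
            elif name in ALLOWED[tag]:
                if name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                    continue  # e.g. javascript: or data: URLs
                kept.append((name, value))
        attr_text = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def filter_html(html, allow_vetted_classes=False):
    parser = AllowlistFilter(allow_vetted_classes)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

With the default policy the sample loses both class and style; with `allow_vetted_classes=True` only `alignleft` survives, and style is still removed.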

