[wp-trac] Re: [WordPress Trac] #3290: Importer strips img class and style
WordPress Trac
wp-trac at lists.automattic.com
Tue Nov 28 01:08:36 GMT 2006
#3290: Importer strips img class and style
-----------------------------+----------------------------------------------
  Reporter:  foolswisdom     |       Owner:  anonymous
      Type:  defect          |      Status:  new
  Priority:  high            |   Milestone:  2.1
 Component:  Administration  |     Version:  2.1
  Severity:  major           |  Resolution:
  Keywords:  import importer |
-----------------------------+----------------------------------------------
Comment (by foolswisdom):
filosofo, my generous teacher!
All imports are done with "author" privileges. Thank you for describing
the design limitation.
ENV: WP trunk r6949
I duplicated that: as an "author", posting those img tags, they are stripped.
I now see that those tags for img are not allowed because they are not
included in $allowedposttags. I found an old wp-testers thread that
says this is for security reasons:
http://comox.textdrive.com/pipermail/wp-testers/2005-September/000461.html
I found at least one popular theme is very heavy on its use of img class
tags: http://cutline.tubetorial.com/image-handling-with-cutline/#comment-481
PREVIOUS WORKAROUND
my-hacks.php file, CUSTOM_TAGS
[resolved] Can Wordpress Support Pictures Inside Comments?
http://wordpress.org/support/topic/43139?replies=17
QUESTIONS
I am left with the following questions:
1. I would like to better understand the security issues with the class
tag, and so far have not found anything on the web.
2. How about style, is it safe? Can it be added to $allowedposttags?
POSSIBLE SOLUTIONS
It seems this bug has exposed two independent issues:
* Possibly additional $allowedposttags values
* Import with filtering appropriate to the user (if exists) or establish
if new
Code changes for r3430 (Make the xmlrpc user the current user) seem
possibly useful
--
Ticket URL: <http://trac.wordpress.org/ticket/3290#comment:3>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
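The behaviour discussed in this ticket, shown as an added example that is not WordPress code: a small Python stand-in for how KSES applies an $allowedposttags-style whitelist to post content filtered with "author" privileges, first with a default list that lacks "class" and "style", then with "class" added as the comment proposes. The attribute lists and the sample markup are constructed for this example and do not reproduce the real contents of kses.php.

```python
# Added example (not WordPress's kses.php): whitelist filtering of <img>
# attributes in the style of $allowedposttags.
from html.parser import HTMLParser
from html import escape

# Shape of $allowedposttags: tag -> set of allowed attribute names.
# Constructed for this example; the real WordPress list is longer.
DEFAULT_ALLOWED = {
    "p": set(),
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height", "align", "border"},
}

# Same list with "class" added for img, as the ticket suggests; "style"
# is deliberately left out, so it is still stripped.
EXTENDED_ALLOWED = {**DEFAULT_ALLOWED, "img": DEFAULT_ALLOWED["img"] | {"class"}}

class WhitelistFilter(HTMLParser):
    def __init__(self, allowed):
        super().__init__(convert_charrefs=False)
        self.allowed = allowed
        self.out = []

    def _emit_tag(self, tag, attrs, closer):
        if tag not in self.allowed:
            return  # tag not whitelisted: dropped whole, as KSES does
        kept = [(k, v) for k, v in attrs if k in self.allowed[tag]]
        rendered = "".join(f' {k}="{escape(v or "", quote=True)}"' for k, v in kept)
        self.out.append(f"<{tag}{rendered}{closer}>")

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs, "")

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, " /")

    def handle_endtag(self, tag):
        if tag in self.allowed:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

def filter_post(html, allowed=DEFAULT_ALLOWED):
    """Return html with non-whitelisted tags and attributes removed."""
    f = WhitelistFilter(allowed)
    f.feed(html)
    f.close()
    return "".join(f.out)

# Constructed sample of the kind of markup a class-heavy theme relies on.
SAMPLE = '<p><img src="/a.jpg" class="left" style="float:left" alt="x" /></p>'

if __name__ == "__main__":
    print(filter_post(SAMPLE))                   # class and style both gone
    print(filter_post(SAMPLE, EXTENDED_ALLOWED)) # class kept, style gone
```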