[wp-trac] Re: [WordPress Trac] #3290: Importer strips img class and style

WordPress Trac wp-trac at lists.automattic.com
Tue Nov 28 01:08:36 GMT 2006

#3290: Importer strips img class and style
 Reporter:  foolswisdom      |        Owner:  anonymous
     Type:  defect           |       Status:  new      
 Priority:  high             |    Milestone:  2.1      
Component:  Administration   |      Version:  2.1      
 Severity:  major            |   Resolution:           
 Keywords:  import importer  |  
Comment (by foolswisdom):

 filosofo, my generous teacher!

 All imports are done with "author" privileges. Thank you for describing
 the design limitation.

 ENV: WP trunk r6949

 I duplicated that: as an "author" posting, those img tags are stripped.

 I now see that those tags for img are not allowed because they are not
 included in $allowedposttags. I found an old wp-testers thread that
 says this is for security reasons:

 I found at least one popular theme is very heavy on its use of img class
 tags, http://cutline.tubetorial.com/image-handling-with-cutline/#comment-


 my-hacks.php file, CUSTOM_TAGS
 [resolved] Can Wordpress Support Pictures Inside Comments?


 I am left with the following questions:

 1. I would like to better understand the security issues with the class
 tag, and so far have not found anything on the web.

 2. How about style, is it safe? Can it be added to $allowedposttags?


 It seems this bug has exposed two independent issues:

 * Possibly additional $allowedposttags values

 * Import with filtering appropriate to the user (if exists) or establish
 if new
 Code changes for r3430 (Make the xmlrpc user the current user) seem
 possibly useful

Ticket URL: <http://trac.wordpress.org/ticket/3290#comment:3>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
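
The behaviour described in the comment above (img attributes that are missing from the allowlist are dropped when an "author" posts), as an added example that is not part of the original message and is not WordPress code. The allowlist contents and the names `ALLOWED_POST_TAGS`, `AllowlistFilter` and `filter_post` are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist for illustration; NOT WordPress's real $allowedposttags.
ALLOWED_POST_TAGS = {
    "p": set(),
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
}
VOID_TAGS = {"img"}  # elements that never get a closing tag


class AllowlistFilter(HTMLParser):
    """Rebuilds markup, keeping only allowlisted tags and attributes."""

    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed = allowed
        self.out = []
        self.dropped = []  # (tag, attribute) pairs removed, for auditing

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed:
            self.dropped.append((tag, None))  # whole tag removed, text kept
            return
        kept = []
        for name, value in attrs:
            if name in self.allowed[tag]:
                kept.append(f' {name}="{escape(value or "", quote=True)}"')
            else:
                self.dropped.append((tag, name))
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # treat <img ... /> like <img ...>

    def handle_endtag(self, tag):
        if tag in self.allowed and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def filter_post(html, allowed=ALLOWED_POST_TAGS):
    """Return (filtered_html, dropped) for one post body."""
    f = AllowlistFilter(allowed)
    f.feed(html)
    f.close()
    return "".join(f.out), f.dropped
```

The `dropped` list is what an importer could log so that a site owner sees which attributes were removed instead of discovering it from the rendered theme.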
