[wp-trac] Re: [WordPress Trac] #4409: KSES removes text after a non-tag less than sign
WordPress Trac
wp-trac at lists.automattic.com
Tue Jul 3 22:00:33 GMT 2007
#4409: KSES removes text after a non-tag less than sign
----------------------+-----------------------------------------------------
Reporter: mdawaffe | Owner: anonymous
Type: defect | Status: new
Priority: high | Milestone: 2.3 (trunk)
Component: General | Version: 2.2
Severity: critical | Resolution:
Keywords: |
----------------------+-----------------------------------------------------
Comment (by mdawaffe):
Replying to [comment:8 AmbushCommander]:
> {{{
> $html = preg_replace('/<([^A-Za-z0-9])/', '&lt;$1', $html);
> }}}
I don't think that regex is robust enough. "bob<sue" or "<3" would still
get caught. Kids say the darndest things.
4409b.diff
1. Add {{{pre_kses}}} filter to kses (right where it says we should), but
rearrange the order slightly (in a way that does not affect kses' efficacy
''at all'').
2. Add regex to that filter to find and {{{wp_specialchars()}}}ize any
lone less than signs.
Kses is not modified in any problematic way. Any strings that might have
gotten stripped before but now aren't are run through both wp_specialchars
''and'' kses, so I don't believe there are any security issues.
--
Ticket URL: <http://trac.wordpress.org/ticket/4409#comment:9>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software