[wp-trac] Re: [WordPress Trac] #4409: KSES removes text after a non-tag less than sign

WordPress Trac wp-trac at lists.automattic.com
Tue Jul 3 22:00:33 GMT 2007

#4409: KSES removes text after a non-tag less than sign
 Reporter:  mdawaffe  |        Owner:  anonymous  
     Type:  defect    |       Status:  new        
 Priority:  high      |    Milestone:  2.3 (trunk)
Component:  General   |      Version:  2.2        
 Severity:  critical  |   Resolution:             
 Keywords:            |  
Comment (by mdawaffe):

 Replying to [comment:8 AmbushCommander]:
 > {{{
 > $html = preg_replace('/<([^A-Za-z0-9])/', '&lt;$1', $html);
 > }}}

 I don't think that regex is robust enough.  "bob<sue" or "<3" would still
 get caught.  Kids say the darndest things.

  1. Add {{{pre_kses}}} filter to kses (right where it says we should), but
 rearrange the order slightly (in a way that does not affect kses' efficacy
 ''at all'').
  2. Add regex to that filter to find and {{{wp_specialchars()}}}ize any
 lone less than signs.

 Kses is not modified in any problematic way.  Any strings that might have
 gotten stripped before but now aren't are run through both wp_specialchars
 ''and'' kses, so I don't believe there are any security issues.

Ticket URL: <http://trac.wordpress.org/ticket/4409#comment:9>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
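
The gap discussed in the comment above, as an added example that is not part of the original message and not WordPress code. It runs the replacement quoted from comment 8 next to one assumed way of detecting a "lone" less-than sign, over constructed inputs. The function names and the second pattern are hypothetical.

```php
<?php
// Added example, not WordPress code. Function names are hypothetical.

// The replacement quoted from comment 8: escapes "<" only when the next
// character is not a letter or digit, so "bob<sue" and "<3" pass through
// unchanged and still look like the start of a tag to the sanitizer.
function quoted_regex_filter(string $html): string {
    return preg_replace('/<([^A-Za-z0-9])/', '&lt;$1', $html);
}

// Assumed heuristic for a "lone" less-than sign: a "<" that reaches the next
// "<" or the end of the string without meeting a ">" cannot open a tag, so it
// is escaped. Anything that does close with ">" is left for kses to judge.
// Only the "<" itself is rewritten, which avoids double-encoding entities.
function escape_lone_lt(string $html): string {
    return preg_replace('/<(?=[^<>]*(?:<|\z))/', '&lt;', $html);
}

// Constructed sample inputs, including the two cases named in the comment.
$samples = [
    'bob<sue',
    'I <3 you',
    'I <3 you <b>lots</b>',
    'price <',
    '1 < 2 and 3 > 2',   // limitation: "< 2 and 3 >" closes, so it is left alone
    '<em>fine</em>',
];

printf("%-22s | %-26s | %s\n", 'input', 'quoted regex', 'lone-< heuristic');
foreach ($samples as $s) {
    printf("%-22s | %-26s | %s\n", $s, quoted_regex_filter($s), escape_lone_lt($s));
}
```

In both columns the output is only a pre-filter result. As the comment says, the string still has to pass through kses afterwards.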
