[wp-trac] [WordPress Trac] #5917: Kses should apply bad-protocol
check only to URI typed attributes
WordPress Trac
wp-trac at lists.automattic.com
Tue Feb 19 09:30:07 GMT 2008
#5917: Kses should apply bad-protocol check only to URI typed attributes
--------------------------+-------------------------------------------------
Reporter: takayukister | Owner: anonymous
Type: defect | Status: new
Priority: normal | Milestone: 2.6
Component: General | Version: 2.5
Severity: normal | Keywords: kses has-patch
--------------------------+-------------------------------------------------
The Kses HTML filter (wp-includes/kses.php) applies the "bad protocol" check to
all attribute values now. It treats a string including a colon (:) as a URI,
and if the string doesn't have an allowed protocol (http, https, ftp,
...), it deletes the letters before the colon as a bad protocol.

But this rule is too strict in many cases. For example, if you want to
write
{{{
<img src="C-3PO.png" alt="Star Wars Episode IV: A New Hope" />
}}}
"Star Wars Episode IV:" will be deleted as a bad protocol.
{{{
<img src="R2-D2.png" alt="Fig 1: R2-D2" />
}}}
"Fig 1:" will be deleted as a bad protocol.
Alt attribute values are not URIs. So bad protocol checking shouldn't be
needed.

I wrote a patch which makes kses apply the bad-protocol check only to URI
typed attributes. I referred to the HTML spec for attribute types.
http://www.w3.org/TR/REC-html40/index/attributes.html
--
Ticket URL: <http://trac.wordpress.org/ticket/5917>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
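
The behaviour reported in the ticket and the behaviour it proposes, side by side, as an added example: this is a simplified model, not the code in wp-includes/kses.php and not the attached patch. The function names, the partial list of URI-typed attributes (taken from the HTML 4 attribute index) and the sample link are assumptions made for illustration.

```php
<?php
// Simplified model of the behaviour described in the ticket; NOT the code in
// wp-includes/kses.php. All function names here are hypothetical.

// Protocols named in the ticket (its list is open-ended).
const ALLOWED_PROTOCOLS = ['http', 'https', 'ftp'];

// URI-typed attributes from the HTML 4 attribute index (partial list).
const URI_ATTRIBUTES = ['href', 'src', 'cite', 'action', 'longdesc', 'usemap',
                        'background', 'codebase', 'data', 'classid', 'profile'];

// Delete everything up to the first colon unless it is an allowed protocol.
function strip_bad_protocol(string $value): string {
    $pos = strpos($value, ':');
    if ($pos === false) {
        return $value; // no colon, nothing that could be a protocol
    }
    $scheme = strtolower(trim(substr($value, 0, $pos)));
    if (in_array($scheme, ALLOWED_PROTOCOLS, true)) {
        return $value;
    }
    return ltrim(substr($value, $pos + 1));
}

// $uri_only = false: check every attribute (behaviour reported in the ticket).
// $uri_only = true:  check only URI-typed attributes (behaviour proposed).
function filter_attributes(array $attrs, bool $uri_only): array {
    $out = [];
    foreach ($attrs as $name => $value) {
        $is_uri = in_array(strtolower($name), URI_ATTRIBUTES, true);
        $out[$name] = ($is_uri || !$uri_only) ? strip_bad_protocol($value) : $value;
    }
    return $out;
}

// Constructed sample inputs: the ticket's two <img> examples plus a link.
$samples = [
    ['src' => 'C-3PO.png', 'alt' => 'Star Wars Episode IV: A New Hope'],
    ['src' => 'R2-D2.png', 'alt' => 'Fig 1: R2-D2'],
    ['href' => 'javascript:void(0)', 'title' => 'Note: opens in a new tab'],
];
foreach ($samples as $attrs) {
    foreach ([false, true] as $uri_only) {
        echo $uri_only ? "URI attrs only: " : "all attributes: ";
        echo json_encode(filter_attributes($attrs, $uri_only), JSON_UNESCAPED_SLASHES), "\n";
    }
}
```

With the check limited to URI-typed attributes, the `alt` and `title` text survives intact while the disallowed scheme is still removed from `href`.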