[wp-trac] Re: [WordPress Trac] #5644: wp_kses_normalize_entities regular expression does not use callback
WordPress Trac
wp-trac at lists.automattic.com
Sat Jan 12 03:15:04 GMT 2008
#5644: wp_kses_normalize_entities regular expression does not use callback
------------------------+---------------------------------------------------
 Reporter:  darkdragon  |        Owner:  westi
     Type:  defect      |       Status:  assigned
 Priority:  normal      |    Milestone:  2.6
Component:  Security    |      Version:
 Severity:  normal      |   Resolution:
 Keywords:  kses        |
------------------------+---------------------------------------------------
Comment (by darkdragon):
I was wrong about wp_kses_bad_protocol_once(), since from what I've read
on php.net on preg_replace_callback() it does not allow for adding
parameters and the replacement in that needs to have a parameter passed to
the callback function. Which is not possible.

I pointed it out since using 'e' replacement parameter has bitten phpBB
quite a few times and is ''generally'' seen as being a security risk. I'm
unsure if that stands here, since I'm not a security expert.

Preventing something could go a long way however, since the fix is
relatively trivial and should not break anything.

I'm unsure how much support you have for the Kses library.
--
Ticket URL: <http://trac.wordpress.org/ticket/5644#comment:5>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
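
An added example, not part of the original message and not WordPress or kses code: replacing an 'e'-style regex replacement with preg_replace_callback(), first with a plain named callback and then with a callback that needs an extra argument. It assumes PHP 7 or later (anonymous functions that capture variables with `use` exist since PHP 5.3); all function names, patterns, the protocol list and the sample inputs are hypothetical.

```php
<?php
// Added example. Every name below is hypothetical, not taken from kses.

// Callback with no extra state: the matched text arrives as data in $m
// and is never evaluated as PHP code, unlike an 'e' replacement string.
function example_normalize_numeric_entity(array $m): string {
    $code = (int) $m[1];
    // Re-emit entities inside the Unicode range, leave the rest escaped.
    return ($code > 0 && $code <= 0x10FFFF) ? "&#{$code};" : "&amp;#{$m[1]};";
}

function example_normalize_entities(string $s): string {
    // Escape every ampersand first, then restore well-formed numeric entities.
    $s = str_replace('&', '&amp;', $s);
    return preg_replace_callback(
        '/&amp;#0*([0-9]{1,7});/',
        'example_normalize_numeric_entity',
        $s
    );
}

// Callback that needs an extra parameter: preg_replace_callback() passes
// only $matches, so the closure captures $allowed from the enclosing scope.
function example_strip_bad_protocol_once(string $s, array $allowed): string {
    return preg_replace_callback(
        '/^([a-z][a-z0-9+.\-]*):/i',
        function (array $m) use ($allowed): string {
            // Keep an allowed scheme, drop anything else.
            return in_array(strtolower($m[1]), $allowed, true) ? $m[0] : '';
        },
        $s
    );
}

// Constructed sample inputs.
$allowed = ['http', 'https', 'mailto'];
echo example_normalize_entities('AT&T &#65; &#99999999;'), "\n";
// AT&amp;T &#65; &amp;#99999999;
echo example_strip_bad_protocol_once('http://example.org/', $allowed), "\n";
// http://example.org/
echo example_strip_bad_protocol_once('javascript:void(0)', $allowed), "\n";
// void(0)
```

The second function strips a single leading scheme per call, so a caller that wants a fixed point has to repeat it until the string stops changing.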