[wp-trac] [WordPress Trac] #12394: kses removes valid attribute from xhtml elements
WordPress Trac
wp-trac at lists.automattic.com
Sun Feb 28 03:35:16 UTC 2010
#12394: kses removes valid attribute from xhtml elements
--------------------------+-------------------------------------------------
 Reporter:  dougal        |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  3.0
Component:  Formatting    |     Version:  2.9.2
 Severity:  normal        |    Keywords:  has-patch, tested, kses, xhtml, html
--------------------------+-------------------------------------------------
Changes (by dougal):
* version: => 2.9.2
Comment:
Attached a diff for test_post_filtering.php for a couple of minor kses
checks, including the one mentioned in this bug.
Really, as mentioned in the wordpress-dev IRC chat the other day, we
should probably work on a whole suite of security-related kses checks.
This reminded me that a while back, there was a suggestion of replacing
kses with HTML Purifier. However, I see that HTML Purifier is PHP 5 only,
so that decision will have to wait until the PHP version requirement for
WordPress is updated in the future.
However, this might be a good resource to look at for formulating unit
tests: http://htmlpurifier.org/live/smoketests/xssAttacks.php
--
Ticket URL: <http://core.trac.wordpress.org/ticket/12394#comment:4>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
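The kind of kses check the comment above calls for, written out as a stand-alone PHP script rather than a PHPUnit case. This is an added example, not dougal's attached diff and not WordPress core code; it assumes WordPress can be loaded from the `wp-load.php` path shown (adjust to your checkout), and the allowlist and inputs are constructed for the test. The first case covers the bug's theme, an allowed attribute on an allowed element that must survive, and the remaining cases are the security-oriented checks (unlisted attribute, disallowed protocol, unlisted element) that a kses suite would also want.

```php
<?php
// Added example: exercises wp_kses() against a small allowlist.
// Assumed path; point this at the wp-load.php of the install under test.
require_once __DIR__ . '/wp-load.php';

// Allowlist in the format wp_kses() expects: element => attribute => checks.
// Constructed for this test; it is deliberately small so every case is explicit.
$allowed = array(
    'a' => array( 'href' => array(), 'title' => array() ),
    'p' => array( 'class' => array() ),
);

// Each case lists substrings that must survive and substrings that must be gone.
$cases = array(
    // An allowed attribute on an allowed element must pass through untouched.
    array(
        'input' => '<a href="http://example.com/" title="Example">link</a>',
        'keep'  => array( 'href="http://example.com/"', 'title="Example"' ),
        'drop'  => array(),
    ),
    // An attribute not in the allowlist for that element must be stripped.
    array(
        'input' => '<a href="http://example.com/" onclick="alert(1)">x</a>',
        'keep'  => array( 'href="http://example.com/"' ),
        'drop'  => array( 'onclick' ),
    ),
    // A protocol outside the default allowed list must not reach the output.
    array(
        'input' => '<a href="javascript:alert(1)">x</a>',
        'keep'  => array( '<a href=' ),
        'drop'  => array( 'javascript:' ),
    ),
    // An element not in the allowlist is removed; its text content is kept.
    array(
        'input' => '<p class="note"><script>alert(1)</script>text</p>',
        'keep'  => array( '<p class="note">', 'text' ),
        'drop'  => array( '<script' ),
    ),
);

$failures = 0;
foreach ( $cases as $i => $case ) {
    $out = wp_kses( $case['input'], $allowed );
    foreach ( $case['keep'] as $needle ) {
        if ( strpos( $out, $needle ) === false ) {
            $failures++;
            echo "case $i: expected to keep '$needle' but got: $out\n";
        }
    }
    foreach ( $case['drop'] as $needle ) {
        if ( stripos( $out, $needle ) !== false ) {
            $failures++;
            echo "case $i: expected to drop '$needle' but got: $out\n";
        }
    }
}

echo $failures === 0 ? "all kses cases passed\n" : "$failures failure(s)\n";
exit( $failures === 0 ? 0 : 1 );
```

Run it with `php kses_check.php` from the WordPress root. The checks assert on substrings rather than on the exact output string because kses rebuilds tags and re-quotes attributes, so byte-for-byte comparison would make the tests fail on harmless normalisation; a regression like the one in this ticket shows up as a missing `keep` substring, while the `drop` checks guard against the allowlist growing too permissive.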