[wp-trac] [WordPress Trac] #19354: wMulti-site wp_kses_hair() strips "data:" from base64-encoded images pasted into rich editior with Data URI scheme

WordPress Trac wp-trac at lists.automattic.com
Fri Nov 25 03:34:46 UTC 2011 

#19354: wMulti-site wp_kses_hair() strips "data:" from base64-encoded images pasted
into rich editior with Data URI scheme
--------------------------+--------------------------------------
 Reporter:  hardy101      |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Editor        |    Version:  3.2.1
 Severity:  normal        |   Keywords:  needs-patch dev-feedback
--------------------------+--------------------------------------
 When inserting images into a post via copy-paste, Firefox will paste a
 base64 text string (using the Data URI scheme) into the post editor.  The
 result will look something like:

 <img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAUA
 AAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO
 9TXL0Y4OHwAAAABJRU5ErkJggg==" alt="Red dot">

 When the post is saved, the "data:" portion of the src attribute is
 stripped away by wp_kses_hair() via the line:

 if ( in_array(strtolower($attrname), $uris) )
    $thisval = wp_kses_bad_protocol($thisval, $allowed_protocols);

 "data:" is treated as a protocol prefix, and is not seen as part of the
 src attribute.

 To reproduce this error, try the following in Firefox:

 1) Do a Google image search for a rendom image.
 2) Right-click -> "Copy Image"
 3) Paste into rich text editor
 4) Save post
 5) View HTML tab of the editor and notice that the "data:" scheme has been
 removed.

 A side effect of this issue is that the image src is treated as a relative
 image path on the server (in subdirectory "image/png" with long string of
 characters as the "file name."  The server will typically report an error
 in its log file about the request length of the URI being too long.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/19354>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list