[wp-trac] [WordPress Trac] #28699: \0 (backslash+zero) gets stripped from post content for users without "unfiltered_html"
WordPress Trac
noreply at wordpress.org
Tue Jul 1 18:40:04 UTC 2014
#28699: \0 (backslash+zero) gets stripped from post content for users without
"unfiltered_html"
------------------------------------------+------------------
Reporter: azaozz | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 4.0
Component: Formatting | Version: 1.0
Severity: normal | Resolution:
Keywords: needs-patch needs-unit-tests | Focuses:
------------------------------------------+------------------
Comment (by miqrogroove):
I think there's a significant concern with the XSS Cheat Sheet example:
{{{
<DIV STYLE="background-
image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
}}}
Because, wp_kses_no_null() is used inside of safecss_filter_attr(). If
the latter function has any usage outside of the usual wp_kses_attr()
calls, then someone could be depending on the removal of hex codes for
security.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/28699#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list