[wp-trac] [WordPress Trac] #29557: PHP ≤ 5.4.8 Crashes on '[' Character in Posts
WordPress Trac
noreply at wordpress.org
Sat Sep 27 15:56:23 UTC 2014
#29557: PHP ≤ 5.4.8 Crashes on '[' Character in Posts
------------------------------------------------------+--------------------
Reporter: MrBobDobolina | Owner:
Type: defect (bug) | Status: new
Priority: highest omg bbq | Milestone: 4.0.1
Component: Formatting | Version: 4.0
Severity: blocker | Resolution:
Keywords: wptexturize has-patch commit fixed-major | Focuses:
------------------------------------------------------+--------------------
Comment (by miqrogroove):
Extra thoughts on the security impact:
From a larger perspective, neither patch would resolve potential HTML
corruption. With miqro-29557.5.patch a user who is allowed the necessary
contexts could do this:
{{{[caption - Is it wise to <a title="allow user content ] here? hmm">
maybe </a> ]}}}
Now assume the context does not support shortcodes, but is texturized.
Currently wptexturize() is unaware of the shortcode filter status and will
always avoid shortcodes. If shortcodes are in fact disabled, then
wptexturize() has avoided the wrong code, resulting in texturized HTML
elements.
I'm mentioning this here for two reasons: It is a known bug, and I think
miqro-29557.6.patch does not represent a significant regression as I did
earlier.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/29557#comment:68>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
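A simplified model of the interaction described in the comment above, added here as an illustration; it is not WordPress code and is not taken from either patch. The function `toy_texturize`, its two skip patterns and its quote rules are assumptions; the input string is the one quoted in the comment.

```php
<?php
// Toy texturizer, NOT WordPress's wptexturize().
// Assumption: spans matching the skip pattern pass through untouched, and in
// every other span straight double quotes are converted to curly quotes.

function toy_texturize(string $text, bool $avoid_shortcodes): string
{
    // Hypothetical patterns: an HTML element is "<" up to the first ">",
    // a shortcode is "[" up to the first "]".
    $html      = '<[^>]*>';
    $shortcode = '\[[^\]]*\]';
    $skip = $avoid_shortcodes ? "/($shortcode|$html)/" : "/($html)/";

    $parts = preg_split($skip, $text, -1, PREG_SPLIT_DELIM_CAPTURE);
    $out = '';
    foreach ($parts as $i => $part) {
        // With a single capture group, odd indexes hold the skipped spans.
        if ($i % 2 === 1) {
            $out .= $part;
            continue;
        }
        // Text span: opening quote at start or after whitespace, closing otherwise.
        $part = preg_replace('/(^|\s)"/', '$1“', $part);
        $out .= str_replace('"', '”', $part);
    }
    return $out;
}

// Input quoted in the ticket comment.
$input = '[caption - Is it wise to <a title="allow user content ] here? hmm">'
       . "\nmaybe </a> ]";

// Shortcode-shaped spans are always avoided: the span ends at the first "]",
// which sits inside the title attribute, so the rest of the <a> tag is
// treated as text and its closing quote is converted.
$avoiding = toy_texturize($input, true);

// Only HTML elements are avoided, as would suit a context where shortcodes
// are disabled: the whole <a ...> tag is skipped and stays intact.
$html_only = toy_texturize($input, false);

echo "shortcodes avoided:\n$avoiding\n\n";
echo "HTML only:\n$html_only\n\n";
echo 'anchor tag intact when shortcodes avoided: ',
    var_export(strpos($avoiding, 'hmm">') !== false, true), "\n";
echo 'anchor tag intact when only HTML avoided:  ',
    var_export(strpos($html_only, 'hmm">') !== false, true), "\n";
```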