[wp-trac] [WordPress Trac] #32812: Customizer Menus: Escaping inconsistencies

WordPress Trac noreply at wordpress.org
Fri Oct 23 04:20:11 UTC 2015


#32812: Customizer Menus: Escaping inconsistencies
--------------------------+---------------------------
 Reporter:  swissspidy    |       Owner:  valendesigns
     Type:  defect (bug)  |      Status:  assigned
 Priority:  normal        |   Milestone:  4.4
Component:  Customize     |     Version:  4.3
 Severity:  normal        |  Resolution:
 Keywords:  has-patch     |     Focuses:
--------------------------+---------------------------

Comment (by westonruter):

 The sanitization relies on `wp_update_nav_menu_item()`, which itself
 relies on the sanitization in `wp_insert_post()`, which does:

 {{{#!php
 <?php
 $postarr = sanitize_post($postarr, 'db');
 }}}

 Which then, for the nav menu item's label, does:

 {{{#!php
 <?php
 $post['post_title'] = sanitize_post_field('post_title',
 $post['post_title'], $post['ID'], 'db');
 }}}

 This in turn will apply the filters:

 * `pre_the_title`
 * `title_save_pre`

 The latter hook gets filtered by `wp_filter_kses` which is added by
 `kses_init_filters()`. Then in turn `kses_init()` is what calls this,
 ''but'' only if the user can't do `unfiltered_html`:

 {{{#!php
 <?php
 function kses_init() {
         kses_remove_filters();

         if ( ! current_user_can( 'unfiltered_html' ) ) {
                 kses_init_filters();
         }
 }
 }}}

 (Whew. What a path to go down to ensure something gets sanitized.)

 Only admins can access the menus admin page because they have
 `edit_theme_options`. Additionally, only admins can have the
 `unfiltered_html` capability, and only on non-multisite installs
 (normally). Users who have `unfiltered_html` can add arbitrary HTML to
 post content as well, so allowing arbitrary HTML in menu titles isn't
 making it any less secure.

 So, if you are an administrator user on a non-multisite install you can
 ''currently'' add a `script` tag to your nav menu item's label. Why would
 you want to do this? There should be no good reason. For multisite
 installs, the `script` tags get stripped out by kses.

 In any case, it seems that by having menus in the Customizer just re-use
 `wp_update_nav_menu_item()` for sanitization of the title, then we just
 mirror the functionality of the menus admin page and how it sanitizes (or
 doesn't sanitize) the data.

 @jorbin @jeremyfelt Are you confident in [attachment:32812.diff]?

--
Ticket URL: <https://core.trac.wordpress.org/ticket/32812#comment:21>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
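The comment traces how a nav menu item's title reaches `wp_filter_kses` only when the saving user lacks `unfiltered_html`. The following mu-plugin is an added illustration, not WordPress core code and not the ticket's `32812.diff`: it exposes a small diagnostic for the capability-gated hook state described above and, as a defender's option, forces the `wp_kses_post` allow-list onto `nav_menu_item` titles regardless of capability. It assumes a standard install where the file is dropped into `wp-content/mu-plugins/`; the function names prefixed `example_` are hypothetical, everything else (`wp_insert_post_data`, `wp_kses_post`, `wp_slash`, `wp_unslash`, `has_filter`, `current_user_can`) is core API.

```php
<?php
/**
 * Plugin Name: Enforce KSES on nav menu item titles (added example)
 *
 * Added illustration, not WordPress core code and not the ticket's patch.
 * Assumes a stock WordPress install; drop into wp-content/mu-plugins/.
 */

// Diagnostic: does the title_save_pre hook currently strip markup for this
// user? Mirrors the kses_init() logic quoted in the ticket: wp_filter_kses
// is attached only when the user cannot do unfiltered_html.
function example_menu_title_kses_status() {
    return array(
        'unfiltered_html'     => current_user_can( 'unfiltered_html' ),
        'title_save_pre_kses' => false !== has_filter( 'title_save_pre', 'wp_filter_kses' ),
    );
}

// Mitigation: whatever the capability, restrict nav_menu_item titles to the
// wp_kses_post allow-list (the same rules as post content), so a <script>
// tag in a menu label is never stored. Runs for both the menus admin page
// and the Customizer, since both go through wp_insert_post().
function example_kses_nav_menu_item_title( $data, $postarr ) {
    if ( isset( $data['post_type'] ) && 'nav_menu_item' === $data['post_type'] ) {
        // $data is slashed at this point (wp_insert_post() expects slashed
        // input), so unslash before filtering and re-slash afterwards.
        $title = wp_unslash( $data['post_title'] );
        $data['post_title'] = wp_slash( wp_kses_post( $title ) );
    }
    return $data;
}
add_filter( 'wp_insert_post_data', 'example_kses_nav_menu_item_title', 10, 2 );
```

On a non-multisite install, an administrator calling `example_menu_title_kses_status()` gets `unfiltered_html => true` and `title_save_pre_kses => false`, which is the state the comment describes; with the `wp_insert_post_data` filter active the title is still passed through `wp_kses_post()` before it is saved.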

