[wp-trac] [WordPress Trac] #33848: Protect against vulnerability in Netscape 4?
WordPress Trac
noreply at wordpress.org
Sun Sep 13 11:30:45 UTC 2015
#33848: Protect against vulnerability in Netscape 4?
-------------------------+-----------------------------
Reporter: dmsnell | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: trunk
Severity: normal | Keywords:
Focuses: performance |
-------------------------+-----------------------------
While scanning through `wp_kses()` trying to understand some performance
issues, I jumped into `wp_kses_js_entities()`, which wouldn't have stood
out to me if I hadn't seen its description...
Removes the HTML JavaScript entities found in early versions of
'''Netscape 4'''.
This strips out JavaScript that was allowed to be written inside of HTML
attributes in a non-standard way but was later removed:
{{{
<br size="&{ get_br_size() }" />
}}}
The Stack Exchange [http://security.stackexchange.com/questions/64925/xss-
technique-javascript-include page describing this vulnerability] is pretty
informative and suggests that the problem was mostly being taken care of
''circa'' 2000. I also couldn't find any information on modern browsers
supporting this at all. It appears to maybe have only ever affected
Netscape 4.
I looked into the commit history and realized that '''we have never
touched this line of code'''! It appears to have
[https://core.trac.wordpress.org/browser/trunk/wp-
includes/kses.php?rev=709 come over from the original] '''kses''' library
that [http://sourceforge.net/projects/kses/ still lives on SourceForge],
though it was only added in version 0.2.0, a month and a half after the
original 0.1.0 release in 2003.
My guess is that at the time some people were still using vulnerable
browsers, which led Ulf to add it into his library of protection, but we
never thought about it when we originally included it in core. Nowadays I
wonder if we couldn't get rid of it, thinking that this isn't a
vulnerability for any browser in the market today.
Interestingly, I learned why it's called what it is - from the original
author in the README:
Finally, the name kses comes from the terms XSS and access.
Proposing to pull out security checks frightens me, but this is running
`preg_replace()` on so much that it's not even funny, and it probably
never catches anything because no one even knows that this was an exploit
long ago. Therefore, I would like to ask for some feedback on whether we
actually need this, whether it serves any purpose, and whether or not we
could help the project by removing it from `wp-includes/kses.php`.
cc: @nbachiyski
--
Ticket URL: <https://core.trac.wordpress.org/ticket/33848>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
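The following is an added illustration of the behaviour the ticket describes, not code from the ticket, from WordPress, or from the kses library. It re-implements the idea behind `wp_kses_js_entities()` (stripping Netscape 4 style `&{ ... }` JavaScript entities) with a regex written for this example, so the exact pattern, the `strpos()` fast path, and the sample inputs are assumptions rather than what `wp-includes/kses.php` actually contains:

```php
<?php
// Added example, not WordPress's own code. Simplified re-implementation of the
// idea behind wp_kses_js_entities(): remove Netscape 4 "&{ ... }" JavaScript
// entities before a string is echoed into HTML. The regex and the early-return
// guard are assumptions made for this illustration, not copied from kses.php.

function strip_js_entities(string $html): string
{
    // Cheap guard for the performance concern raised in the ticket: a JS entity
    // cannot exist without a "{", and braces are rare in HTML, so most input
    // never reaches preg_replace() at all.
    if (strpos($html, '{') === false) {
        return $html;
    }

    // "&", optional whitespace, "{", then everything up to the closing "}"
    // (plus an optional ";"), or to the end of the string if the entity is
    // never closed. The unterminated branch is deliberately greedy: an
    // attacker-controlled open "&{" discards the rest of the string rather
    // than leaving a half-parsed script fragment in an attribute.
    return preg_replace('/&\s*\{[^}]*(?:\}\s*;?|$)/', '', $html);
}

// Constructed sample inputs for the demonstration.
$samples = [
    '<br size="&{ get_br_size() }" />',              // the ticket's own example
    '<img src="x.png" alt="&{alert(document.cookie)};">', // entity with trailing ";"
    '<p>Fish &amp; chips &#123; braces &#125;</p>',  // ordinary entities must survive
    '<a title="&{unterminated">link</a>',            // never-closed entity eats the tail
];

foreach ($samples as $in) {
    printf("%s\n  -> %s\n", $in, strip_js_entities($in));
}
```

Running the script shows the first two samples collapse to empty attribute values, the third is returned unchanged (it contains no `{` at all, so it never hits the regex), and the fourth is truncated at the opening `&{`. That last case is the trade-off a practitioner would want to weigh before deciding, as the ticket proposes, whether the filter still earns its `preg_replace()` call on every sanitized string.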