[wp-trac] [WordPress Trac] #40317: Change to wp_allowed_protocols to allow modification by plugins
WordPress Trac
noreply at wordpress.org
Thu Mar 30 16:57:43 UTC 2017
#40317: Change to wp_allowed_protocols to allow modification by plugins
--------------------------+-----------------------------
Reporter: krishardy | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 4.7.3
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
wp_allowed_protocols() in wp-includes/functions.php works by holding a
static variable that is populated upon the first call to
wp_allowed_protocols() and then allows modification of the static
$protocols variable by plugins that have registered a callable as a
'kses_allowed_protocols' filter.
In the event where wp_allowed_protocols() has been called (perhaps by
another plugin) before a plugin is loaded and issues an
add_filter('kses_allowed_protocols', ...) call, it becomes impossible to
modify the protocol array returned by wp_allowed_protocols() when the
plugin is loaded.
In my specific situation, the Member Mouse plugin has an issue where any UI
objects which rely upon <a href="javascript:doSomething();"> attributes
get "sanitized" by wp_kses_one_attr(), resulting in the removal of the
"javascript:" protocol, resulting in <a href="doSomething();">. This
causes the browser to redirect to http://mydomain.tld/doSomething();,
creating an HTTP 404 Not Found response. This issue is being reported to
Member Mouse as well for them to possibly develop a work-around.
Given that this issue is not unique to Member Mouse, and may be an issue
with any plugin which uses the 'kses_allowed_protocols' filter, I
recommend the following change:
{{{#!php
function wp_allowed_protocols() {
	static $protocols = array();
	if ( empty( $protocols ) ) {
		$protocols = array( 'http', 'https', 'ftp', 'ftps',
			'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms',
			'rtsp', 'svn', 'tel', 'fax', 'xmpp', 'webcal', 'urn' );
	}
	$protocols = apply_filters( 'kses_allowed_protocols', $protocols );
	$protocols = array_unique( $protocols ); // Remove any duplicates if the plugin added them
	return $protocols;
}
}}}
There are other approaches to this that would have better performance, but
I'll leave the details of the implementation up to the best developer for
this task.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/40317>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
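The ordering problem the ticket describes, as an added stand-alone illustration (not code from the ticket or from WordPress core): a minimal stand-in for add_filter()/apply_filters() is assumed, and the "proposed" variant differs slightly from the ticket's snippet in that it caches only the defaults and applies the filter to those unchanged defaults on every call, so a filter's changes do not compound across calls.

```php
<?php
// Assumed minimal stand-in for the WordPress hook API, so this runs without WordPress.
$hooks = array();
function add_filter( $tag, callable $cb ) { global $hooks; $hooks[ $tag ][] = $cb; }
function apply_filters( $tag, $value ) {
	global $hooks;
	foreach ( $hooks[ $tag ] ?? array() as $cb ) { $value = $cb( $value ); }
	return $value;
}

// Behaviour the ticket reports: the filter only runs when the static cache is first populated,
// so a filter registered after that first call never sees the list.
function wp_allowed_protocols_cached() {
	static $protocols = array();
	if ( empty( $protocols ) ) {
		$protocols = array( 'http', 'https', 'ftp', 'mailto', 'telnet', 'gopher' ); // shortened list
		$protocols = apply_filters( 'kses_allowed_protocols', $protocols );
	}
	return $protocols;
}

// Proposed shape: cache the defaults, apply the filter on every call, de-duplicate the result.
function wp_allowed_protocols_proposed() {
	static $defaults = array();
	if ( empty( $defaults ) ) {
		$defaults = array( 'http', 'https', 'ftp', 'mailto', 'telnet', 'gopher' ); // shortened list
	}
	return array_values( array_unique( apply_filters( 'kses_allowed_protocols', $defaults ) ) );
}

// An early caller (another plugin, say) populates both caches before any filter exists.
wp_allowed_protocols_cached();
wp_allowed_protocols_proposed();

// A hardening plugin loaded later wants kses to stop accepting two legacy schemes.
add_filter( 'kses_allowed_protocols', function ( $protocols ) {
	return array_diff( $protocols, array( 'telnet', 'gopher' ) );
} );

// With the cached variant the late filter has no effect; with the proposed variant it is honoured.
var_dump( in_array( 'telnet', wp_allowed_protocols_cached(), true ) );
var_dump( in_array( 'telnet', wp_allowed_protocols_proposed(), true ) );
```

Swapping the two calls above (registering the filter before the first call) makes both variants agree, which is exactly the load-order dependency the ticket objects to.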