[wp-trac] [WordPress Trac] #33121: wp_kses_attr_check fails to process html data-* attributes

WordPress Trac noreply at wordpress.org
Thu Oct 11 13:50:38 UTC 2018 

#33121: wp_kses_attr_check fails to process html data-* attributes
--------------------------------------+-----------------------
 Reporter:  isoftware                 |       Owner:  (none)
     Type:  defect (bug)              |      Status:  reopened
 Priority:  normal                    |   Milestone:  5.0
Component:  Editor                    |     Version:  4.2.3
 Severity:  major                     |  Resolution:
 Keywords:  has-patch has-unit-tests  |     Focuses:
--------------------------------------+-----------------------

Comment (by azaozz):

 Looking at 33121.3.diff, don't think it is a good idea to allow adding
 attributes with a wildcard. That would mean --somebody-- can add `on-*` or
 even `o-*` and allow all `onerror`, `onclick`, `onmouseover`, etc.
 attributes.

 What's worse there is no way to sanitize the values of these wildcard
 attributes (this part in the patch `$allowed_attr[$name_low] = true;`), so
 things like `onerror="alert(document.cookie)"` become very possible and
 not immediately recognizable.

 KSES already has support for allowing any attribute on any tag: adding it
 by full name. So if somebody wants to add `onerror` for images, they can
 easily do that and specify a list of acceptable values. Why would we need
 to bypass that with a wildcard and reduce functionality (not possible to
 check/sanitize attribute values)?

 The only exception to the above are attributes with variable names, and
 the only HTML 5.0 attribute with a variable name is `data-*`. Thinking we
 should extend KSES to allow data attributes, but hardcode the `data-`
 part. This is inline with the existing logic in KSES.

 Uh, sorry for the longer comment :) The TL;DR: don't think allowing
 wildcard attributes in KSES is a good thing. It brings us in a pretty
 dangerous place and at the same time reduces some of the existing
 functionality, i.e. sanitizing attribute values.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/33121#comment:15>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list