[wp-trac] [WordPress Trac] #48955: WP 5.3.1 changes cause potential backwards compatibility breakage with kses

WordPress Trac noreply at wordpress.org
Thu Dec 12 22:49:12 UTC 2019


#48955: WP 5.3.1 changes cause potential backwards compatibility breakage with kses
--------------------------+-----------------------------
 Reporter:  iCaleb        |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Security      |    Version:
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 Kses used to allow an array to be (incorrectly) passed in, and would just
 return the same array. Now it will return an empty string.

 Before:

 {{{#!php
 $test = ['this', 'is', 'an', 'array', 'but', 'shouldnt', 'be'];

 // Returns the above array
 wp_kses_post( $test );
 }}}

 After 5.3.1:

 {{{#!php
 $test = ['this', 'is', 'an', 'array', 'but', 'shouldnt', 'be'];

 // Returns empty string
 wp_kses_post( $test );
 }}}


 Now to be clear, passing an array and not a string into wp_kses is wrong
 and in the past wouldn't do anything for you. But this kind of just
 "worked by accident" I guess. So while it is incorrect usage, this release
 does change behavior.

 I believe this stems from the changes with the new
 `wp_pre_kses_block_attributes` filter that is hooked onto `pre_kses`.
 Looking at the changes, I don't think it technically needed to cause this
 break; it was more of a side effect.

 At a minimum, I'm thinking maybe we should add some tests around this
 behavior to catch this sort of change in the future?

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/48955>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
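
A caller-side guard for code affected by the behavior change reported above, as an added example that is not part of the ticket or of WordPress core. `kses_strings_only()` is a hypothetical helper name, and the `wp_kses_post()` stand-in is an assumption that exists only so the file runs outside WordPress.

```php
<?php
// Added example. Inside WordPress the real wp_kses_post() is used; this
// stand-in (NOT the real allow-list) only lets the file run on its own.
if ( ! function_exists( 'wp_kses_post' ) ) {
	function wp_kses_post( $data ) {
		return strip_tags( $data, '<p><a><strong><em>' );
	}
}

/**
 * Sanitize a value that may be a string or a (nested) array of strings.
 *
 * Only strings ever reach wp_kses_post(), so the result does not depend on
 * how kses treats wrong-typed input in a given release: arrays are neither
 * returned unsanitized nor collapsed to an empty string.
 *
 * kses_strings_only() is a hypothetical helper name, not a core function.
 */
function kses_strings_only( $value ) {
	if ( is_string( $value ) ) {
		return wp_kses_post( $value );
	}
	if ( is_array( $value ) ) {
		// Recurse so every element is filtered individually; keys are kept.
		return array_map( 'kses_strings_only', $value );
	}
	if ( null === $value || is_scalar( $value ) ) {
		// Integers, floats, booleans and null carry no markup.
		return $value;
	}
	// Objects and resources: fail loudly instead of guessing.
	throw new InvalidArgumentException(
		'kses_strings_only() expects a string, scalar, null, or array; got ' . gettype( $value )
	);
}

// Constructed sample input, modelled on the array in the ticket.
$test = array(
	'this',
	'<script>alert(1)</script>is',
	array( 'a <strong>nested</strong> array' ),
	42,
);

var_export( kses_strings_only( $test ) );
```

WordPress core also ships `wp_kses_post_deep()`, which maps `wp_kses_post()` over nested data; the helper above differs in that it rejects objects outright.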

