[wp-trac] [WordPress Trac] #48955: WP 5.3.1 changes cause potential backwards compatibility breakage with kses
WordPress Trac
noreply at wordpress.org
Thu Dec 12 22:49:12 UTC 2019
#48955: WP 5.3.1 changes cause potential backwards compatibility breakage with kses
--------------------------+-----------------------------
Reporter: iCaleb | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
Kses used to allow an array to be (incorrectly) passed in, and would just
return the same array. Now it will return an empty string.
Before:
{{{#!php
$test = ['this', 'is', 'an', 'array', 'but', 'shouldnt', 'be'];
// Returns the above array
wp_kses_post( $test );
}}}
After 5.3.1:
{{{#!php
$test = ['this', 'is', 'an', 'array', 'but', 'shouldnt', 'be'];
// Returns empty string
wp_kses_post( $test );
}}}
Now to be clear, passing an array and not a string into wp_kses is wrong
and in the past wouldn't do anything for you. But this kind of just
"worked by accident" I guess. So while it is incorrect usage, this release
does change behavior.
This stems from the changes with the new `wp_pre_kses_block_attributes`
filter I believe that is hooked onto `pre_kses`. Looking at the changes, I
don't think it technically needed to cause this break, was more of a side
effect.
At a minimum, I'm thinking maybe we should add some tests around this
behavior to catch this sort of change in the future?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/48955>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list