[wp-trac] [WordPress Trac] #48955: WP 5.3.1 changes cause potential backwards compatibility breakage with kses
WordPress Trac
noreply at wordpress.org
Thu Dec 19 07:45:00 UTC 2019
#48955: WP 5.3.1 changes cause potential backwards compatibility breakage with kses
--------------------------+---------------------
 Reporter:  iCaleb        |       Owner:  (none)
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  5.3.3
Component:  Security      |     Version:  5.3.1
 Severity:  normal        |  Resolution:
 Keywords:  needs-patch   |     Focuses:
--------------------------+---------------------
Comment (by RyanNovotny):
https://github.com/WordPress/WordPress/blob/317465e2feb965ea7d86529e54908b3fbea539a8/wp-includes/default-filters.php#L246
add_filter( 'pre_kses', 'wp_pre_kses_block_attributes', 10, 3 );
This filter that was added to apparently fix some stored XSS exploit in
the editor now hooks into every call of wp_kses and does block parsing on
it (bad). Pretty please fix it to remove that hook so we can filter HTML
w/o running it through the block parser.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/48955#comment:17>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
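
Added example, not part of the original comment or of WordPress core: one way to run a single `wp_kses()` call without the `pre_kses` hook quoted above, while leaving the hook registered for every other caller and for any string that contains block markup. The helper name `myplugin_kses_skip_block_parser` is hypothetical, and the code assumes WordPress 5.3.1 or later, where `wp_pre_kses_block_attributes` is registered in `default-filters.php`.

```php
<?php
/**
 * Hypothetical helper (the name is an assumption, not a core function).
 *
 * Sanitizes $html with wp_kses() and skips the 5.3.1 'pre_kses' block filter,
 * but only when the string contains no block delimiters. Strings that do hold
 * block markup keep the filter, so block attributes are still sanitized.
 */
function myplugin_kses_skip_block_parser( $html, $allowed_html, $allowed_protocols = array() ) {
	$callback = 'wp_pre_kses_block_attributes';

	// has_filter() returns the registered priority, or false when not hooked.
	$priority = has_filter( 'pre_kses', $callback );

	// Nothing to bypass, or block markup is present: use the default path.
	if ( false === $priority || has_blocks( $html ) ) {
		return wp_kses( $html, $allowed_html, $allowed_protocols );
	}

	remove_filter( 'pre_kses', $callback, $priority );
	try {
		return wp_kses( $html, $allowed_html, $allowed_protocols );
	} finally {
		// Restore the hook with the argument count used in default-filters.php,
		// even if a later kses filter throws.
		add_filter( 'pre_kses', $callback, $priority, 3 );
	}
}

// Constructed sample input: plain HTML with no "<!-- wp:" block delimiters.
$clean = myplugin_kses_skip_block_parser(
	'<a href="https://example.org/" onclick="x()">link</a>',
	array( 'a' => array( 'href' => true ) )
);
```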