[wp-trac] [WordPress Trac] #52333: Lack of the &colon; entity on the list of allowed entity names in kses.php
WordPress Trac
noreply at wordpress.org
Wed Jan 20 20:37:55 UTC 2021
#52333: Lack of the &colon; entity on the list of allowed entity names in kses.php
--------------------------+-----------------------------
 Reporter:  dziudek       |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Security      |    Version:  5.6
 Severity:  minor         |   Keywords:  has-patch
  Focuses:                |
--------------------------+-----------------------------
Hi,
Today I have discovered that the {{{&colon;}}} entity is escaped by the
{{{wp_kses_post}}} function.

After analysis I have discovered that this entity is missing from
{{{$allowedentitynames}}} in the {{{wp-includes/kses.php}}} file.

The only thing which can be considered is the fact that the named colon
entity caused some security issues in WP 5.3:
https://wpscan.com/vulnerability/8fac612b-95d2-477a-a7d6-e5ec0bb9ca52
--
Ticket URL: <https://core.trac.wordpress.org/ticket/52333>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
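
The behaviour reported in the ticket, as an added example that is not part of the original message and not WordPress's own code: a simplified model of allowlist-based entity normalization, plus a scheme check that decodes entities before comparing, since &colon; decodes to ":" and ":" delimits a URL scheme. The function names, the short allowlist and the sample strings are assumptions constructed for illustration.

```php
<?php
// Simplified model (assumption), not the code in wp-includes/kses.php.
// Constructed subset of names; the real list is $allowedentitynames.
$allowed_names = ['amp', 'lt', 'gt', 'quot', 'nbsp'];

// Escape every "&", then restore only entities whose name is allowlisted.
// A name that is not on the list stays escaped as "&amp;name;".
function normalize_entities(string $html, array $allowed): string {
    $escaped = str_replace('&', '&amp;', $html);
    return preg_replace_callback(
        '/&amp;([A-Za-z]{2,8}[0-9]{0,2});/',
        function (array $m) use ($allowed): string {
            return in_array($m[1], $allowed, true) ? "&{$m[1]};" : $m[0];
        },
        $escaped
    );
}

// Scheme check that decodes entities first, so "&colon;" is compared as ":".
function has_allowed_scheme(string $attr_value, array $schemes): bool {
    $decoded = html_entity_decode($attr_value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $decoded = preg_replace('/[\x00-\x20]+/', '', $decoded); // drop whitespace/controls
    if (!preg_match('/^([A-Za-z][A-Za-z0-9+.\-]*):/', $decoded, $m)) {
        return true; // no scheme present: treated as a relative URL
    }
    return in_array(strtolower($m[1]), $schemes, true);
}

// Constructed sample input.
$text = '10&colon;30 &amp; later&nbsp;on';

// Without "colon" on the list, the entity is escaped (the reported behaviour).
echo normalize_entities($text, $allowed_names), "\n";
// 10&amp;colon;30 &amp; later&nbsp;on

// With "colon" added, the entity passes through unchanged.
echo normalize_entities($text, array_merge($allowed_names, ['colon'])), "\n";
// 10&colon;30 &amp; later&nbsp;on

// Once the entity is allowed, attribute checks must see the decoded value.
$schemes = ['http', 'https', 'mailto'];
var_dump(has_allowed_scheme('https&colon;//example.org/', $schemes)); // bool(true)
var_dump(has_allowed_scheme('unlisted&colon;value', $schemes));       // bool(false)
var_dump(has_allowed_scheme('docs/page.html', $schemes));             // bool(true)
```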