[wp-trac] [WordPress Trac] #56521: wp_kses wp_kses_hair fails to allow a valueless attribute when is followed by /

WordPress Trac noreply at wordpress.org
Tue Sep 6 10:04:32 UTC 2022


#56521: wp_kses wp_kses_hair fails to allow a valueless attribute when is followed
by /
--------------------------+-----------------------------
 Reporter:  luistar15     |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Security      |    Version:  6.0.2
 Severity:  major         |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 I have created a static Gutenberg block for managing forms.
 The block generates `<input>` HTML elements, for example:

 {{{
 <input name="email" required/>
 }}}

 But after saving the post, the `required` attribute is stripped in the db:

 {{{
 <input name="email"/>
 }}}

 So the visitors are sending the form ignoring the validation.

 It only happens when the attribute is the last one and is followed by `/`
 without spaces:

 {{{
 <input name="email" required>    => OK
 <input name="email" required/>   => ERROR
 <input name="email" required />  => OK
 }}}

 I put together a test case:

 {{{#!php
 // theme/functions.php

 add_action( 'init', function () {
         $tests = [
                 '<input name="email" required>',
                 '<input name="email" required/>',
                 '<input name="email" required />',
         ];

         $allowed_html = [
                 'input' => [
                         'name'     => true,
                         'required' => true,
                 ],
         ];

         header('Content-Type: text/plain; charset=UTF-8', true);

         foreach ( $tests as $test ) {
                 $sanitized = wp_kses( $test, $allowed_html );
                 printf( "_in => %s\nout => %s\n\n", $test, $sanitized);
         }

         exit;
 });
 }}}

 I have found where the error could be fixed:

 {{{#!php
 // wp-includes/kses.php:1320

 if ( preg_match( '/^\s+/', $attr ) ) { // Valueless.
 }}}

 Replacing the regex `/^\s+/` with `/^(\s+|\/$)/` fixes the problem.

 I'm hoping it can be fixed for the next release, until then I'm manually
 applying the patch again.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/56521>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
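
Added example, not part of the ticket and not WordPress core code: a reduced PHP model of an attribute scanner that runs the ticket's three attribute lists through both the current valueless pattern `/^\s+/` and the proposed `/^(\s+|\/$)/`. The function `scan_attrs()`, its name/value patterns, its recovery step and the fourth input are assumptions made for illustration.

```php
<?php
// Reduced model of an attribute scanner: read a name, then either "=value"
// or a valueless terminator. Illustration only, not wp-includes/kses.php.
function scan_attrs( string $attr, string $valueless_re ): array {
    $found = [];
    $name  = null;
    while ( $attr !== '' ) {
        if ( $name === null ) {
            // Expect an attribute name.
            if ( preg_match( '/^[_a-zA-Z][-_a-zA-Z0-9:.]*/', $attr, $m ) ) {
                $name = $m[0];
                $attr = substr( $attr, strlen( $name ) );
                continue;
            }
        } elseif ( preg_match( '/^\s*=\s*("[^"]*"|\'[^\']*\'|[^\s"\']+)\s*/', $attr, $m ) ) {
            // name=value
            $found[] = $name . '=' . $m[1];
            $attr    = substr( $attr, strlen( $m[0] ) );
            $name    = null;
            continue;
        } elseif ( preg_match( $valueless_re, $attr, $m ) ) {
            // Valueless attribute: the step the ticket's regex change targets.
            $found[] = $name;
            $attr    = substr( $attr, strlen( $m[0] ) );
            $name    = null;
            continue;
        }
        // Nothing matched (assumed recovery): drop one character and any
        // whitespace after it, and forget the pending name. This is how a
        // name directly followed by "/" disappears from the result.
        $attr = ltrim( substr( $attr, 1 ) );
        $name = null;
    }
    if ( $name !== null ) {
        $found[] = $name; // input ended right after a name, e.g. "required"
    }
    return $found;
}

$patterns = [ 'current' => '/^\s+/', 'proposed' => '/^(\s+|\/$)/' ];
$cases    = [
    'name="email" required',   // from the ticket
    'name="email" required/',  // from the ticket
    'name="email" required /', // from the ticket
    'required/ name="email"',  // constructed: slash not at the end
];
foreach ( $cases as $case ) {
    foreach ( $patterns as $label => $re ) {
        printf( "%-26s %-9s %s\n", $case, $label, implode( ', ', scan_attrs( $case, $re ) ) );
    }
}
```

In this model only the second input differs between the two patterns; the constructed fourth input still loses `required` under both, because `\/$` accepts the slash only as the final character.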

