[wp-trac] [WordPress Trac] #54488: wp_filter_nohtml_kses does not remove HTML comments
WordPress Trac
noreply at wordpress.org
Fri Feb 24 19:56:15 UTC 2023
#54488: wp_filter_nohtml_kses does not remove HTML comments
--------------------------------------------------+-----------------------
Reporter: leewillis77 | Owner: audrasjb
Type: defect (bug) | Status: assigned
Priority: normal | Milestone: 6.2
Component: Formatting | Version: 2.1
Severity: normal | Resolution:
Keywords: has-patch has-unit-tests 2nd-opinion | Focuses: docs
--------------------------------------------------+-----------------------
Comment (by azaozz):
Replying to [comment:18 leewillis77]:
> is {{{wp_strip_all_tags()}}} functionally equivalent to a (fixed)
> {{{wp_filter_nohtml_kses()}}} as modified here?
Yes, think so. `wp_strip_all_tags()` uses PHP's `strip_tags()` and removes
the content from script and style tags.
Seems `wp_filter_nohtml_kses()` was introduced in 2006 (17 years ago!) as
a shortcut to `wp_filter_kses()` with no allowed tags. That should
sanitize the passed HTML, and remove any disallowed tags (KSES is an HTML
sanitization library). Guessing HTML comments were not considered to be
dangerous in KSES.
> deprecate one of them in favour of the preferred option
Yep, thinking `wp_filter_nohtml_kses()` can probably be deprecated. I see
a fair number of plugins use it. They probably copied the use from
previous versions of WP. My guess is they continue to use it because it
accepts direct input (with slashes). However, this function is no longer
used in core.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/54488#comment:19>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
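As an added illustration (not code from this ticket or from WordPress core), the stand-alone PHP below approximates the `wp_strip_all_tags()` behaviour azaozz describes (drop script/style elements, then `strip_tags()`) and adds a regression check that a "no HTML" filter leaves neither tags nor HTML comments behind; the function names are assumptions.

```php
<?php
// Added example, not WordPress core code. This approximates the behaviour
// described in the comment; core's own implementation may differ.

// Remove script/style elements together with their contents, then let
// PHP's strip_tags() remove the remaining tags. strip_tags() also strips
// HTML comments, which is exactly what the ticket reports
// wp_filter_nohtml_kses() failing to do.
function strip_all_html_approx( string $text ): string {
    $text = preg_replace( '@<(script|style)[^>]*?>.*?</\1>@si', '', $text );
    $text = strip_tags( $text );
    return trim( $text );
}

// Regression check for any "no HTML" filter: the output must contain
// neither an HTML comment opener nor anything that still looks like a tag.
function contains_tag_or_comment( string $text ): bool {
    return (bool) preg_match( '/<!--|<\/?[a-z][^>]*>/i', $text );
}

// Constructed sample input covering the three cases discussed:
// a comment, ordinary tags, and script/style elements with bodies.
$sample = 'Hello <!-- hidden note --><b>world</b><script>var x = 1;</script>'
        . '<style>p{display:none}</style> done';

$clean = strip_all_html_approx( $sample );

echo $clean, PHP_EOL;
echo contains_tag_or_comment( $clean ) ? 'FAIL: markup remains' : 'OK: no tags or comments', PHP_EOL;
```

Feeding the same sample through a filter that only removes tags (but not comments) makes `contains_tag_or_comment()` return true, which is the condition the ticket's unit tests guard against.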