[wp-trac] [WordPress Trac] #61246: wp_kses makes HTML comment HTML uncommented
WordPress Trac
noreply at wordpress.org
Sun May 19 09:04:45 UTC 2024
#61246: wp_kses makes HTML comment HTML uncommented
--------------------------+-----------------------------
Reporter: kkmuffme | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: trunk
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
{{{
asd <!-- <a href="other-page.com" class="hello">world</a> --> asd
}}}
When calling wp_kses(_post) on it, this commented HTML gets uncommented
and you get a link displayed on the page.
{{{
asd <!-- <a href="other-page.com" class="hello">world</a> --> asd
}}}
If that commented code contains some unsanitized stuff (as is often the
case, since people assume it's commented and thus can be ignored,
including phpcs, which won't report errors for commented stuff afaik),
this could be a security issue.
Generally though, it's just an unexpected display issue.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/61246>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
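A regression check for the behaviour described in the ticket, added here as an illustration rather than WordPress core code: it runs the report's sample through wp_kses_post() and flags any tag that was inside an HTML comment on input but sits outside a comment on output. It assumes WordPress is loaded (for example via `wp eval-file`) so that wp_kses_post() exists; the helper names are made up for this example.

```php
<?php
/**
 * Regression check for the behaviour reported in #61246.
 * Constructed example, not WordPress core code. Assumes WordPress is loaded
 * (e.g. `wp eval-file check-61246.php`) so that wp_kses_post() is defined.
 */

// Tag names that appear inside <!-- ... --> comments in $html.
function tags_inside_comments( string $html ): array {
    $found = array();
    if ( preg_match_all( '/<!--(.*?)-->/s', $html, $comments ) ) {
        foreach ( $comments[1] as $body ) {
            if ( preg_match_all( '/<([a-z][a-z0-9]*)\b/i', $body, $tags ) ) {
                $found = array_merge( $found, array_map( 'strtolower', $tags[1] ) );
            }
        }
    }
    return array_values( array_unique( $found ) );
}

// Tag names that appear outside comments in $html, i.e. that would render.
function tags_outside_comments( string $html ): array {
    $stripped = preg_replace( '/<!--.*?-->/s', '', $html );
    $found    = array();
    if ( preg_match_all( '/<([a-z][a-z0-9]*)\b/i', $stripped, $tags ) ) {
        $found = array_map( 'strtolower', $tags[1] );
    }
    return array_values( array_unique( $found ) );
}

// Tags that were commented out in $input but are live markup in $output.
function exposed_by_sanitizer( string $input, string $output ): array {
    $inside  = tags_inside_comments( $input );
    $outside = tags_outside_comments( $output );
    return array_values( array_intersect( $inside, $outside ) );
}

// The ticket's sample input (copied from the report).
$input   = 'asd <!-- <a href="other-page.com" class="hello">world</a> --> asd';
$output  = wp_kses_post( $input );
$exposed = exposed_by_sanitizer( $input, $output );

if ( empty( $exposed ) ) {
    echo "OK: no commented-out markup became visible.\n";
} else {
    printf( "FAIL: commented-out <%s> now renders:\n%s\n", implode( '>, <', $exposed ), $output );
}
```

Where stored content has no legitimate need for HTML comments, stripping `<!-- ... -->` before the content reaches the sanitizer removes the ambiguity entirely, so the check above reports OK regardless of how wp_kses treats comment boundaries.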