Opened 4 years ago

Last modified 17 months ago

#10151 new enhancement

HTML5 <video> elements stripped in kses.php

Reported by: GChriss Owned by: ryan
Priority: normal Milestone: Future Release
Component: Security Version: 2.8
Severity: normal Keywords: has-patch needs-refresh
Cc: blizzard@…, robert@…, GeekShadow, taylor@…, GChriss

Description

WordPress currently strips the new HTML5 <video> element as it is unrecognized. The attached patch allows <video> passthrough in postings and comments.

Hopefully this patch (or a derivative) could be incorporated into WordPress proper.

Attachments (1)

wordpress_html5_video_patch.txt (1.4 KB) - added by GChriss 4 years ago.
Patch to kses.php to enable HTML5 <video> passthrough

Download all attachments as: .zip

Change History (16)

GChriss4 years ago

Patch to kses.php to enable HTML5 <video> passthrough

comment:1   Denis-de-Bernardy4 years ago

  • Component changed from Comments to Security
  • Keywords needs-patch added
  • Milestone changed from Unassigned to 2.9
  • Owner set to ryan
  • Type changed from defect (bug) to enhancement

I'm 100% certain we don't wan't porn and spamercials in comments.

comment:2   peaceablewhale4 years ago

  • Keywords <video> video HTML5 removed

<video> should be preserved only in postings IMO... allow posting videos in comment is dangerous.

comment:3   zcorpan4 years ago

No <audio>? No <source>?

comment:6   nacin4 years ago

  • Milestone changed from 2.9 to Future Release

comment:7   blizzard@…3 years ago

  • Cc blizzard@… added

This probably needs to support the source elements as well, so we can build in fallbacks for safari, firefox, IE, etc. You need the source element to be able to do that.

Our biggest problem is that the wysiwyg editor strips out <video> tags which makes it hard for people to edit posts without a lot of technical experience. Will this bug help with that? (I'm not sure what role kses.php plays in that.)

comment:8   azaozz3 years ago

It's not hard to stop TinyMCE stripping <video>, <audio> and other new HTML 5.0 tags. The problem is what would the browsers show in the contentEditable iframe and would that bring any security problems. KSES is the backend HTML safety filter.

comment:9   robertaccettura3 years ago

  • Cc robert@… added

comment:10   ninjaWR3 years ago

#12048 closed as duplicate of this

comment:11   GeekShadow2 years ago

  • Cc GeekShadow added

What's up on this bug ? It would be good to be able to put both <audio> and <video> without them to be removed in TinyMCE !

comment:12   nocnokneo2 years ago

  • Cc taylor@… added
  • Keywords has-patch added

comment:13   GChriss2 years ago

  • Cc GChriss added

comment:2 raises the issue of trusted repositories, especially when an externally–hosted, already–reviewed video is replaced with something else.

Two options that come to mind are automatic upload to the Media Library (via Firefogg) or whitelisting of community–monitored media repositories (e.g., the Internet Archive and Wikimedia Commons). In both cases, WP admins should be able to set the same type of moderation options as are in place for text–based comments.

I think the potential for video comments is huge. Maybe this would be a good GSoC project?

comment:14   SergeyBiryukov22 months ago

  • Keywords needs-refresh added; needs-patch removed

comment:15   GChriss17 months ago

What steps are needed to push this forward? Is there consensus that <video> support should become part of the default WP installation?

Note: See TracTickets for help on using tickets.