Ticket #10151 (new enhancement)

Opened 3 years ago

Last modified 5 weeks ago

HTML5 <video> elements stripped in kses.php

Reported by: GChriss Owned by: ryan
Priority: normal Milestone: Future Release
Component: Security Version: 2.8
Severity: normal Keywords: has-patch needs-refresh
Cc: blizzard@…, robert@…, GeekShadow, taylor@…, GChriss

Description

WordPress currently strips the  new HTML5 <video> element as it is unrecognized. The attached patch allows <video> passthrough in postings and comments.

Hopefully this patch (or a derivative) could be incorporated into WordPress proper.

Attachments

wordpress_html5_video_patch.txt Download (1.4 KB) - added by GChriss 3 years ago.
Patch to kses.php to enable HTML5 <video> passthrough

Change History

GChriss3 years ago

Patch to kses.php to enable HTML5 <video> passthrough

comment:1   Denis-de-Bernardy3 years ago

  • Keywords needs-patch added
  • Owner set to ryan
  • Type changed from defect (bug) to enhancement
  • Component changed from Comments to Security
  • Milestone changed from Unassigned to 2.9

I'm 100% certain we don't wan't porn and spamercials in comments.

comment:2   peaceablewhale3 years ago

  • Keywords <video>, video, HTML5 removed

<video> should be preserved only in postings IMO... allow posting videos in comment is dangerous.

comment:3   zcorpan3 years ago

No <audio>? No <source>?

comment:6   nacin2 years ago

  • Milestone changed from 2.9 to Future Release

comment:7   blizzard@…2 years ago

  • Cc blizzard@… added

This probably needs to support the source elements as well, so we can build in fallbacks for safari, firefox, IE, etc. You need the source element to be able to do that.

Our biggest problem is that the wysiwyg editor strips out <video> tags which makes it hard for people to edit posts without a lot of technical experience. Will this bug help with that? (I'm not sure what role kses.php plays in that.)

comment:8   azaozz2 years ago

It's not hard to stop TinyMCE stripping <video>, <audio> and other new HTML 5.0 tags. The problem is what would the browsers show in the contentEditable iframe and would that bring any security problems. KSES is the backend HTML safety filter.

comment:9   robertaccettura2 years ago

  • Cc robert@… added

comment:10   ninjaWR2 years ago

#12048 closed as duplicate of this

comment:11   GeekShadow12 months ago

  • Cc GeekShadow added

What's up on this bug ? It would be good to be able to put both <audio> and <video> without them to be removed in TinyMCE !

comment:12   nocnokneo11 months ago

  • Cc taylor@… added
  • Keywords has-patch added

comment:13   GChriss11 months ago

  • Cc GChriss added

comment:2 raises the issue of trusted repositories, especially when an externally–hosted, already–reviewed video is replaced with something else.

Two options that come to mind are automatic upload to the Media Library (via  Firefogg) or whitelisting of community–monitored media repositories (e.g., the  Internet Archive and  Wikimedia Commons). In both cases, WP admins should be able to set the same type of moderation options as are in place for text–based comments.

I think the potential for video comments is huge. Maybe this would be a good  GSoC project?

comment:14   SergeyBiryukov7 months ago

  • Keywords needs-refresh added; needs-patch removed

comment:15   GChriss5 weeks ago

What steps are needed to push this forward? Is there consensus that <video> support should become part of the default WP installation?

Note: See TracTickets for help on using tickets.