Opened 4 years ago

Last modified 17 months ago

#10151 new enhancement

HTML5 <video> elements stripped in kses.php

Reported by: GChriss Owned by: ryan
Priority: normal Milestone: Future Release
Component: Security Version: 2.8
Severity: normal Keywords: has-patch needs-refresh
Cc: blizzard@…, robert@…, GeekShadow, taylor@…, GChriss

Description

WordPress currently strips the new HTML5 <video> element as it is unrecognized. The attached patch allows <video> passthrough in postings and comments.

Hopefully this patch (or a derivative) could be incorporated into WordPress proper.

Attachments (1)

wordpress_html5_video_patch.txt (1.4 KB) - added by GChriss 4 years ago.
Patch to kses.php to enable HTML5 <video> passthrough

Download all attachments as: .zip

Change History (16)

GChriss4 years ago

Patch to kses.php to enable HTML5 <video> passthrough

  • Component changed from Comments to Security
  • Keywords needs-patch added
  • Milestone changed from Unassigned to 2.9
  • Owner set to ryan
  • Type changed from defect (bug) to enhancement

I'm 100% certain we don't wan't porn and spamercials in comments.

  • Keywords <video> video HTML5 removed

<video> should be preserved only in postings IMO... allow posting videos in comment is dangerous.

No <audio>? No <source>?

  • Milestone changed from 2.9 to Future Release
  • Cc blizzard@… added

This probably needs to support the source elements as well, so we can build in fallbacks for safari, firefox, IE, etc. You need the source element to be able to do that.

Our biggest problem is that the wysiwyg editor strips out <video> tags which makes it hard for people to edit posts without a lot of technical experience. Will this bug help with that? (I'm not sure what role kses.php plays in that.)

It's not hard to stop TinyMCE stripping <video>, <audio> and other new HTML 5.0 tags. The problem is what would the browsers show in the contentEditable iframe and would that bring any security problems. KSES is the backend HTML safety filter.

  • Cc robert@… added

#12048 closed as duplicate of this

  • Cc GeekShadow added

What's up on this bug ? It would be good to be able to put both <audio> and <video> without them to be removed in TinyMCE !

  • Cc taylor@… added
  • Keywords has-patch added
  • Cc GChriss added

comment:2 raises the issue of trusted repositories, especially when an externally–hosted, already–reviewed video is replaced with something else.

Two options that come to mind are automatic upload to the Media Library (via Firefogg) or whitelisting of community–monitored media repositories (e.g., the Internet Archive and Wikimedia Commons). In both cases, WP admins should be able to set the same type of moderation options as are in place for text–based comments.

I think the potential for video comments is huge. Maybe this would be a good GSoC project?

  • Keywords needs-refresh added; needs-patch removed

What steps are needed to push this forward? Is there consensus that <video> support should become part of the default WP installation?

Note: See TracTickets for help on using tickets.