I/O Sanity Failures With Invalid HTML Entity References
Reported by: miqrogroove
Owned by: ryan
Priority: highest omg bbq
Milestone: 3.0
While testing moderation and sanitize functions for blog comments in #11833 and related tickets, I discovered this inline comment:
# Change back the allowed entities in our entity whitelist
There is actually no whitelist in the existing kses function. After discussing this on the security mailing list with slow progress, permission was given via IRC to make this public on Trac for speedy attention and resolution.
Anonymous users can break comment feed validation by injecting invalid character entity references.
Authors can break front page and primary feed validation by injecting invalid character entity references.
These are self-mitigating risks in and of themselves. However...
While trying to patch this bug, I also discovered that the html_esc function in WordPress decodes phrases in the form of &phrase;. That bug may have further security implications, and was resolved by calling the patched kses function from inside the html_esc function.
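The failure mode the ticket describes, as an added example that is not part of the ticket and not WordPress's own code: entity references in comment text are checked against an allow-list of names and against the code-point ranges XML permits, every other `&` is rewritten as `&amp;`, and the result is fed through an XML parser the way a feed consumer would read it. The function names (`normalize_entities`, `valid_unicode`, `feed_is_well_formed`), the five-name allow-list, and the sample comment are assumptions for the demo, written in Python rather than PHP so it runs stand-alone; the real kses table of allowed names is much larger.

```python
import re
import xml.etree.ElementTree as ET

# Allow-list for this demo (assumed, not kses's table): the five entity names
# XML predefines. An HTML sanitizer would carry the full HTML named-entity list
# here and convert names outside these five to numeric form before feed output.
ALLOWED_ENTITY_NAMES = frozenset({"amp", "lt", "gt", "quot", "apos"})

# One regex for the three reference shapes; anything else starting with '&'
# is treated as a bare ampersand.
_ENTITY_RE = re.compile(
    r"&(?:"
    r"(?P<name>[A-Za-z][A-Za-z0-9]{0,7})"   # named reference, e.g. &amp;
    r"|#(?P<dec>[0-9]{1,7})"                # decimal reference, e.g. &#169;
    r"|#[xX](?P<hex>[0-9A-Fa-f]{1,6})"      # hex reference, e.g. &#xA9;
    r");"
)


def valid_unicode(cp: int) -> bool:
    """True if cp may appear as character data in an XML 1.0 document
    (no NUL/control characters, no surrogates, no U+FFFE/U+FFFF, <= U+10FFFF)."""
    return (
        cp in (0x9, 0xA, 0xD)
        or 0x20 <= cp <= 0xD7FF
        or 0xE000 <= cp <= 0xFFFD
        or 0x10000 <= cp <= 0x10FFFF
    )


def normalize_entities(text: str, allowed_names=ALLOWED_ENTITY_NAMES) -> str:
    """Keep references that are well-formed and allowed; neutralise every other
    '&' by rewriting it as '&amp;', so the reader still sees the literal text
    but no parser downstream can interpret it as a reference."""
    out = []
    pos = 0
    for m in _ENTITY_RE.finditer(text):
        out.append(text[pos:m.start()].replace("&", "&amp;"))  # bare '&' between matches
        pos = m.end()
        if m.group("name") is not None:
            ok = m.group("name") in allowed_names
            keep = m.group(0)
        elif m.group("dec") is not None:
            cp = int(m.group("dec"))
            ok = valid_unicode(cp)
            keep = f"&#{cp};"            # canonical form, leading zeros dropped
        else:
            cp = int(m.group("hex"), 16)
            ok = valid_unicode(cp)
            keep = f"&#x{cp:X};"
        out.append(keep if ok else "&amp;" + m.group(0)[1:])
    out.append(text[pos:].replace("&", "&amp;"))  # trailing text, incl. unterminated refs
    return "".join(out)


def feed_is_well_formed(fragment: str) -> bool:
    """Embed a comment the way a feed template would and check that an XML
    parser accepts the result; an undefined or invalid reference makes it fail."""
    try:
        ET.fromstring(f"<item><description>{fragment}</description></item>")
        return True
    except ET.ParseError:
        return False


# Constructed sample comment mixing valid, unknown, malformed and non-XML references.
SAMPLE_COMMENT = "Tom &amp; Jerry &bogus; &#0; &#65; &#x1F600; &#xD800; R&D &#169"

if __name__ == "__main__":
    print(feed_is_well_formed(SAMPLE_COMMENT))                      # False
    print(normalize_entities(SAMPLE_COMMENT))
    print(feed_is_well_formed(normalize_entities(SAMPLE_COMMENT)))  # True
```

The raw sample fails the feed check on `&bogus;` alone; `&#0;` and the surrogate `&#xD800;` would each fail it too. After normalisation only `&amp;`, `&#65;` and `&#x1F600;` survive as references, everything else is literal text, and the item parses.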