Ticket #12394 (closed defect (bug): fixed)

Opened 2 years ago

Last modified 2 years ago

kses removes valid attribute from xhtml elements

Reported by: dougal Owned by:
Priority: normal Milestone: 3.0
Component: Formatting Version: 2.9.2
Severity: normal Keywords: has-patch, tested, kses, xhtml, html
Cc: dougal

Description

There is an edge-case which can cause kses to discard the last attribute of an empty XHTML element, if the closing slash is not preceded by a space.

Example:

input = <img src='foo.jpg' bogus='disallowed attr' alt='my image'/> output = <img src='foo.jpg'/> expected = <img src='foo.jpg' alt='my image'/>

The problem is that kses assumes that the closing slash on an XHTML element will always be preceded by a space. While the space is recommended for backwards compatibility with HTML4, it is not strictly required.

Attachments

kses.php.diff Download (1.0 KB) - added by dougal 2 years ago.
Patch to improve XHTML compatibility on empty elements like img
test_post_filtering.php.diff Download (1.2 KB) - added by dougal 2 years ago.
A couple of kses testcases, including one for this bug.

Change History

dougal2 years ago

Patch to improve XHTML compatibility on empty elements like img

comment:1   dougal2 years ago

For reference, here is the XHTML 1.0 spec section discussing empty elements. Note that in the examples, there is no space:  http://www.w3.org/TR/xhtml1/#h-4.6

It is only in the HTML Compatibility Guidelines that they recommend adding the space, for compatibility with HTML4:  http://www.w3.org/TR/xhtml1/#guidelines

comment:2   nacin2 years ago

I was able to both verify the bug and verify the fix. Looks sane to me.

Just don't test with a title attribute, as that one isn't whitelisted. 

<img src="blah"> // works
<img src="blah" > // works
img src="blah" /> // works
<img src="blah"/> // patch fixes this scenario

comment:3   ryan2 years ago

Looks good. We need to add test cases (test_post_filtering.php).

dougal2 years ago

A couple of kses testcases, including one for this bug.

comment:4   dougal2 years ago

  • Version set to 2.9.2

Attached a diff for test_post_filtering.php for a couple of minor kses checks, including the one mentioned in this bug.

Really, as mentioned in the wordpress-dev IRC chat the other day, we should probably work on a whole suite of security-related kses checks.

This reminded me that a while back, there was a suggestion of replacing kses with HTML Purifier. However, I see that HTML Purifier is PHP 5 only, so that decision will have to wait until the PHP version requirement for WordPress is updated in the future.

However, this might be a good resource to look at for formulating unit tests:  http://htmlpurifier.org/live/smoketests/xssAttacks.php

comment:5   westi2 years ago

Test cases committed thank you.

comment:6   westi2 years ago

Looks good to me as well.

Committing.

comment:7   westi2 years ago

  • Status changed from new to closed
  • Resolution set to fixed

(In [13561]) Improve kses handling of attributes in valid XHTML self closed img tags. Fixes #12394 props dougal.

Note: See TracTickets for help on using tickets.