wp_allowed_protocols() does not allow data URI scheme
|Reported by:||hardy101||Owned by:|
When inserting images into a post via copy-paste, Firefox will paste a base64 text string (using the Data URI scheme) into the post editor. The result will look something like:
9TXL0Y4OHwAAAABJRU5ErkJggg==" alt="Red dot">
When the post is saved, the "data:" portion of the src attribute is stripped away by wp_kses_hair() via the line:
if ( in_array(strtolower($attrname), $uris) )
$thisval = wp_kses_bad_protocol($thisval, $allowed_protocols);
"data:" is treated as a protocol prefix, and is not seen as part of the src attribute.
To reproduce this error, try the following in Firefox:
1) Do a Google image search for a rendom image.
2) Right-click -> "Copy Image"
3) Paste into rich text editor
4) Save post
5) View HTML tab of the editor and notice that the "data:" scheme has been removed.
A side effect of this issue is that the image src is treated as a relative image path on the server (in subdirectory "image/png" with long string of characters as the "file name." The server will typically report an error in its log file about the request length of the URI being too long.
Change History (14)
- Summary changed from wMulti-site wp_kses_hair() strips "data:" from base64-encoded images pasted into rich editior with Data URI scheme to Multi-site wp_kses_hair() strips "data:" from base64-encoded images pasted into rich editior with Data URI scheme
comment:2 solarissmoke — 2 years ago
- Keywords has-patch added; needs-patch removed
- Summary changed from Multi-site wp_kses_hair() strips "data:" from base64-encoded images pasted into rich editior with Data URI scheme to wp_allowed_protocols() does not allow data URI scheme
comment:9 SergeyBiryukov — 4 months ago
- Component changed from Editor to General
- Milestone changed from Awaiting Review to 3.7
comment:11 in reply to: ↑ 10 duck_ — 3 months ago
- Milestone 3.7 deleted
- Resolution set to wontfix
- Status changed from new to closed