id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
19354,wp_allowed_protocols() does not allow data URI scheme,hardy101,,"When inserting images into a post via copy-paste, Firefox will paste a base64 text string (using the Data URI scheme) into the post editor.  The result will look something like:

<img src=""data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAUA
AAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO
9TXL0Y4OHwAAAABJRU5ErkJggg=="" alt=""Red dot"">

When the post is saved, the ""data:"" portion of the src attribute is stripped away by wp_kses_hair() via the line:

if ( in_array(strtolower($attrname), $uris) )
   $thisval = wp_kses_bad_protocol($thisval, $allowed_protocols);

""data:"" is treated as a protocol prefix, and is not seen as part of the src attribute.

To reproduce this error, try the following in Firefox:

1) Do a Google image search for a rendom image.
2) Right-click -> ""Copy Image""
3) Paste into rich text editor
4) Save post
5) View HTML tab of the editor and notice that the ""data:"" scheme has been removed.

A side effect of this issue is that the image src is treated as a relative image path on the server (in subdirectory ""image/png"" with long string of characters as the ""file name.""  The server will typically report an error in its log file about the request length of the URI being too long.",defect (bug),new,normal,Awaiting Review,Editor,3.2.1,normal,,dev-feedback has-patch,kpayne@… azizur