Opened 16 months ago
Last modified 8 months ago
#19877 new defect (bug)
wp_kses_stripslashes() should account for single quotes too
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | Awaiting Review |
| Component: | Formatting | Version: | 3.3.1 |
| Severity: | normal | Keywords: | has-patch close |
| Cc: | mdhansen@… |
Description
Right now, wp_kses_stripslashes() only removes slashes before double quotes, but should do the same for single quotes.
For example, if wp_kses() is applied to the following string (assuming <script> tags are permitted), the <script> tag's attributes are removed:
<script type='text/javascript' src='foo.js'></script>
If the single quotes are switched to double quotes, the attributes are properly sanitized against the list of allowed tags passed to wp_kses(). Updating wp_kses_stripslashes() to account for both types of quotes eliminates the need to strip slashes before applying wp_kses().
Attachments (2)
Change History (5)
comment:3
MikeHansenMe — 8 months ago
- Cc mdhansen@… added
Patch works for me, updated it to use relative path in patch.

wp_kses_stripslashes is a legacy function that had to be used to deal with addslashes() run when using preg_replace() and the eval modifier. The double quotes remained slashed because the backreference in the PHP string to be evaluated was in single quotes, so a custom slash removal function was used to remove slashes from in front of double quotes.
I would prefer to actually remove the call as it's no longer necessary. If you're passing slashed data to kses it should be stripped first -- which is why we do stripslashes in wp_filter_kses(). Unfortunately removing the call would cause breakage for those passing in slashed data containing double quoted attributes as this happens to work at the moment.
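The quote handling discussed in this ticket, as an added PHP example that is not part of the ticket or of WordPress core. The helper names and the simplified attribute parser are assumptions for illustration, and the slashed inputs are constructed with addslashes().

```php
<?php
// Added illustration; the helper names are hypothetical, not WordPress core functions.

// Behaviour the ticket describes: only \" loses its backslash.
function unslash_double_only(string $s): string {
    return preg_replace('%\\\\"%', '"', $s);
}

// Behaviour the ticket proposes: \" and \' both lose their backslash.
function unslash_both_quotes(string $s): string {
    return preg_replace('%\\\\(["\'])%', '$1', $s);
}

// Simplified stand-in for an attribute parser (an assumption, not kses itself):
// accepts only name="value" or name='value'; returns null on anything else.
function parse_attrs(string $attrs): ?array {
    $out  = [];
    $rest = trim($attrs);
    while ($rest !== '') {
        if (!preg_match('%^([\w-]+)=(?:"([^"]*)"|\'([^\']*)\')\s*%', $rest, $m)) {
            return null; // unparseable, so a filter would discard the attributes
        }
        $out[$m[1]] = ($m[2] !== '') ? $m[2] : ($m[3] ?? '');
        $rest = substr($rest, strlen($m[0]));
    }
    return $out;
}

// Constructed inputs: the ticket's attributes, slashed the way addslashes() does.
$single = addslashes("type='text/javascript' src='foo.js'");
$double = addslashes('type="text/javascript" src="foo.js"');

$cases = [
    'double quotes, double-only unslash'  => unslash_double_only($double),
    'single quotes, double-only unslash'  => unslash_double_only($single),
    'single quotes, both-quote unslash'   => unslash_both_quotes($single),
    'single quotes, stripslashes() first' => stripslashes($single),
];

foreach ($cases as $label => $attrs) {
    $parsed = parse_attrs($attrs);
    $shown  = $parsed === null ? 'attributes dropped' : json_encode($parsed, JSON_UNESCAPED_SLASHES);
    printf("%-38s %s\n", $label, $shown);
}
```

Only the second case fails to parse, which is the single-quote behaviour the description reports; calling stripslashes() before filtering, as the last comment recommends, handles both quote styles without relying on the legacy helper.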