Ticket #3290 (closed defect (bug): fixed)

Opened 5 years ago

Last modified 5 years ago

Importer strips img class and style

Reported by: foolswisdom Owned by: foolswisdom
Priority: highest omg bbq Milestone: 2.1
Component: Administration Version: 2.1
Severity: major Keywords: import has-patch commit
Cc:

Description

Importer strips img class and style

ENV: WP trunk r4428

REPRO: always

STEPS

  1. Created a single blog post of <img class="bordered" style="float: none; margin-left: 0;" src="image.png" />
  2. Used the Exporter, confirmed that the post was as entered in the produced xml file
  3. Used the Importer selecting WordPress and mapping to the existing 'admin' user

ACTUAL RESULT

Blog post has become <img src="image.png" />

ADDITIONAL DETAILS

Problem described at http://nslog.com/2006/10/25/wordpress_204_import_removes_img_tag_formatting/

Attachments

unfiltered-imports.diff Download (9.1 KB) - added by andy 5 years ago.

Change History

Slowly learning. The class and style are being removed during $post_content = apply_filters('content_save_pre', $post_content); in wp_insert_post

I think the real problem is that wp-admin/admin.php calls kses_init_filters() for *every* import, even for those with admin permissions, and there's no easy way--that I've yet found--for a plugin to disable it.

filosofo, my generous teacher!

All imports are done with "author" privileges. Thank you for describing the design limitation.

ENV: WP trunk r6949

I duplicated that as an "author": posting those img tags, they are stripped.

I now see that those tags for img are not allowed because they are not included in $allowedposttags. I found an old wp-testers thread that says this is for security reasons: http://comox.textdrive.com/pipermail/wp-testers/2005-September/000461.html

I found at least one popular theme is very heavy on its use of img class tags, http://cutline.tubetorial.com/image-handling-with-cutline/#comment-481

PREVIOUS WORKAROUND

my-hacks.php file, CUSTOM_TAGS
[resolved] Can Wordpress Support Pictures Inside Comments?
http://wordpress.org/support/topic/43139?replies=17

QUESTIONS

I am left with the following questions:

  1. I would like to better understand the security issues with the class tag, and so far have not found anything on the web?
  2. How about style, is it safe? Can it be added to $allowedposttags?

POSSIBLE SOLUTIONS

It seems this bug has exposed two independent issues:

  • Possibly additional $allowedposttags values
  • Import with filtering appropriate to the user (if exists) or establish if new

Code changes for r3430 (Make the xmlrpc user the current user) seem possibly useful

  1. 2. Yeah neither class nor style are safe. A friend 'anotherjesse' explained to me how class could be used to make ~ login prompt, and style can have javascript within it.

It seems that the possible solution is limited to allowing importing as filtering appropriate to the user.

comment:5 matt 5 years ago

  • Priority changed from high to highest

We shouldn't be doing any stripping for admins.

comment:6 matt 5 years ago

  • Owner changed from anonymous to andy

comment:7 andy 5 years ago

  • Status changed from new to assigned

andy 5 years ago

comment:8 andy 5 years ago

attachment unfiltered-imports.diff checks the unfiltered_html capability of the post_author and sets up kses filtering appropriately for that user.
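To make the behaviour discussed in this ticket concrete (the per-tag attribute allowlist that drops class and style from img, and the fix's idea of filtering only when the post author lacks the unfiltered_html capability), here is an added illustration in Python. It is not WordPress code and not the attached patch; the ALLOWED_POST_TAGS table, the kses() and content_save_pre() names, and the boolean capability flag are all constructed stand-ins for $allowedposttags, wp_kses and the capability check.

```python
from html import escape
from html.parser import HTMLParser

# Constructed stand-in for $allowedposttags: tag -> attributes allowed on it.
# As in the ticket, "img" keeps src but neither class nor style.
ALLOWED_POST_TAGS = {
    "img": {"src", "alt", "width", "height"},
    "a": {"href", "title"},
    "p": set(),
}


class _AllowlistFilter(HTMLParser):
    """Drop tags not in the allowlist and attributes not allowed on a kept tag."""

    def __init__(self, allowed):
        super().__init__(convert_charrefs=False)
        self.allowed = allowed
        self.out = []

    def _emit(self, tag, attrs, self_closing):
        if tag not in self.allowed:
            return  # whole tag removed, its text content is still kept
        kept = [(k, v) for k, v in attrs if k in self.allowed[tag]]
        attr_text = "".join(
            f' {k}="{escape(v, quote=True)}"' if v is not None else f" {k}"
            for k, v in kept
        )
        self.out.append(f"<{tag}{attr_text}{' /' if self_closing else ''}>")

    def handle_starttag(self, tag, attrs):
        self._emit(tag, attrs, self_closing=False)

    def handle_startendtag(self, tag, attrs):
        self._emit(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        if tag in self.allowed:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)


def kses(html, allowed=ALLOWED_POST_TAGS):
    """Allowlist filter in the spirit of wp_kses (illustrative, not the real one)."""
    parser = _AllowlistFilter(allowed)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def content_save_pre(html, author_has_unfiltered_html):
    """Model of the fix: filter only when the post author lacks unfiltered_html."""
    return html if author_has_unfiltered_html else kses(html)
```

Running the ticket's own img tag through content_save_pre() with the flag False reproduces the stripped result from the report; with the flag True the markup is saved as entered.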

comment:9 andy 5 years ago

  • Keywords has-patch needs-testing added; importer removed
  • Owner changed from andy to foolswisdom
  • Status changed from assigned to new

Verified fixed
Over the last two days I have done ad hoc testing across:

  • single vs multiple authors
  • explicit vs implicit mapping
  • default admin, other user with admin role
  • user with author role, created by import user (with author)

  • Keywords commit added; needs-testing removed
  • Status changed from new to closed
  • Resolution set to fixed

(In [4645]) Don't force kses filtering of imports. fixes #3290
