Kses should apply bad-protocol check only to URI typed attributes
Reported by: takayukister | Owned by: anonymous
The Kses HTML filter (wp-includes/kses.php) applies the "bad protocol" check to all attribute values now. It treats a string including a colon (:) as a URI, and if the string doesn't have an allowed protocol (http, https, ftp, ...), it deletes the letters before the colon as a bad protocol.
But this rule is too strict in many cases. For example, if you want to write
<img src="C-3PO.png" alt="Star Wars Episode IV: A New Hope" />
"Star Wars Episode IV:" will be deleted as a bad protocol.
<img src="R2-D2.png" alt="Fig 1: R2-D2" />
"Fig 1:" will be deleted as a bad protocol.
Alt attribute values are not URIs, so bad protocol checking shouldn't be needed.
I wrote a patch which makes kses apply the bad-protocol check only to URI typed attributes. I referred to the HTML spec for attribute types.
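A sketch of the behaviour difference the ticket describes, as an added example that is not WordPress code and not the attached patch. The function names, the attribute list and the simplified protocol check are assumptions made for illustration.

```php
<?php
// Added illustration only: not WordPress code and not the ticket's patch.
// Function and constant names are hypothetical.

// Attributes that HTML 4.01 types as URI (the example's own list).
const URI_ATTRIBUTES = ['action', 'background', 'cite', 'classid', 'codebase',
    'data', 'href', 'longdesc', 'profile', 'src', 'usemap'];
const ALLOWED_PROTOCOLS = ['http', 'https', 'ftp'];

// Simplified stand-in for the bad-protocol check described in the ticket:
// text before the first colon is removed unless it is an allowed protocol.
function strip_bad_protocol(string $value): string
{
    // Repeat so that a nested prefix such as "x:y:rest" cannot survive one pass.
    while (($pos = strpos($value, ':')) !== false) {
        $scheme = strtolower(trim(substr($value, 0, $pos)));
        if (in_array($scheme, ALLOWED_PROTOCOLS, true)) {
            break;
        }
        $value = ltrim(substr($value, $pos + 1));
    }
    return $value;
}

// $uriOnly = false: check every attribute (behaviour the ticket reports).
// $uriOnly = true:  check only URI-typed attributes (behaviour it proposes).
function filter_attributes(array $attrs, bool $uriOnly): array
{
    $out = [];
    foreach ($attrs as $name => $value) {
        $isUri = in_array(strtolower($name), URI_ATTRIBUTES, true);
        $out[$name] = ($isUri || !$uriOnly) ? strip_bad_protocol($value) : $value;
    }
    return $out;
}

// Constructed sample input.
$img = [
    'src' => 'javascript:void(0)',
    'alt' => 'Star Wars Episode IV: A New Hope',
];

foreach ([false, true] as $uriOnly) {
    echo $uriOnly ? "URI attributes only:\n" : "All attributes:\n";
    foreach (filter_attributes($img, $uriOnly) as $name => $value) {
        echo "  $name=\"$value\"\n";
    }
}
```

With the check limited to URI-typed attributes, the src value still loses its disallowed protocol while the alt text keeps everything before its colon.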
Change History (12)
- Milestone changed from 2.7 to 2.6.2
- Resolution fixed deleted
- Status changed from closed to reopened