Ticket #6583 (closed defect (bug): fixed)

Opened 4 years ago

Last modified 4 years ago

kses Allows Invalid Unicode Numeric Entities

Reported by: schiller
Owned by: anonymous
Priority: normal
Milestone: 2.7
Component: General
Version:
Severity: normal
Keywords: has-patch 2nd-opinion
Cc: rubys@…

Description

wp_kses_normalize_entities() allows a user to type "" in a comment. This is not properly escaped as "". For bloggers outputting true XHTML, this is disastrous. kses should be modified to escape the ampersand in any numeric entity reference that is not a valid Unicode character.
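
The check the report asks for, as an added example that is not the ticket's patch or WordPress's own kses.php code: every numeric character reference (decimal &#NNN; or hexadecimal &#xHHHH;) is decoded to a code point and tested against the XML 1.0 Char production (assumed here as the definition of "valid Unicode character", since XHTML is XML); references that fail the test get their ampersand rewritten to &amp; so they reach the page as literal text instead of an ill-formed entity. The function names `example_valid_unicode_codepoint` and `example_normalize_numeric_entities` and the sample string are constructed for this example; named entities are left to the rest of the filter.

```php
<?php
// Added example, not the WordPress kses.php implementation.

/**
 * True if $codepoint is a character allowed by the XML 1.0 Char production:
 * #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF].
 * This rejects NUL and the other C0 controls, the UTF-16 surrogate range
 * D800-DFFF, the noncharacters U+FFFE/U+FFFF and anything above U+10FFFF.
 */
function example_valid_unicode_codepoint(int $codepoint): bool
{
    return $codepoint === 0x9
        || $codepoint === 0xA
        || $codepoint === 0xD
        || ($codepoint >= 0x20 && $codepoint <= 0xD7FF)
        || ($codepoint >= 0xE000 && $codepoint <= 0xFFFD)
        || ($codepoint >= 0x10000 && $codepoint <= 0x10FFFF);
}

/**
 * Rewrite every numeric character reference in $string. Decimal (&#NNN;)
 * and hexadecimal (&#xHHHH;, case-insensitive) forms are both recognised.
 * A reference to a valid character is returned unchanged; an invalid one
 * keeps its digits but has the leading "&" escaped to "&amp;", which is
 * what the ticket asks kses to do. Text that does not match the reference
 * syntax at all is passed through untouched.
 */
function example_normalize_numeric_entities(string $string): string
{
    return preg_replace_callback(
        '/&#(x[0-9a-f]+|[0-9]+);/i',
        function (array $m): string {
            $body = $m[1];

            // Absurdly long digit runs cannot name a valid character and
            // would overflow the integer conversion; treat them as invalid.
            if (strlen($body) > 8) {
                return '&amp;#' . $body . ';';
            }

            if (strtolower($body[0]) === 'x') {
                $codepoint = (int) hexdec(substr($body, 1));
            } else {
                $codepoint = (int) $body;
            }

            if (example_valid_unicode_codepoint($codepoint)) {
                return $m[0];
            }
            return '&amp;#' . $body . ';';
        },
        $string
    );
}

// Constructed sample input: valid references (A, the euro sign, an emoji)
// mixed with NUL, a lone surrogate, U+FFFF and a code point past U+10FFFF.
$sample = 'ok: &#65; &#x20AC; &#x1F600; bad: &#0; &#xD800; &#xFFFF; &#x110000;';
echo example_normalize_numeric_entities($sample), PHP_EOL;
```

Run with `php example.php`: the three references after "ok:" come back unchanged, while the four after "bad:" are emitted with `&amp;#` in place of `&#`, so a strict XML parser sees ordinary text rather than a reference to a character that does not exist.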

Attachments

report.txt Download (1.2 KB) - added by schiller 4 years ago.
Unix diff patch from WP 2.5.0 kses.php
bug6583.patch Download (2.2 KB) - added by schiller 4 years ago.
Patch against SVN

Change History

  • Cc rubys@… added

  • Keywords has-patch 2nd-opinion added
  • Milestone changed from 2.7 to 2.6
  • Milestone changed from 2.9 to 2.7
  • Status changed from new to closed
  • Resolution set to fixed

(In [8386]) kses - properly escape non-Unicode entities. Fixes #6583. Props schiller.