Timestamp:
10/13/16 22:24:27 (14 months ago)
Author:
pento
Message:

KSES: Deprecate wp_kses_js_entities().

This function was originally introduced to fix an XSS vector in Netscape 4, which never affected any other browser or any later version of Netscape.

I'm willing to go out on a limb, and say that we've officially dropped security support for Netscape 4.

Props dmsnell, desrosj.
Fixes #33848.

File:
1 edited

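--- a/trunk/tests/phpunit/tests/kses.php
+++ b/trunk/tests/phpunit/tests/kses.php
@@ -196,8 +196,8 @@
             switch ( $attack->name ) {
                 case 'XSS Locator':
-                    $this->assertEquals('\';alert(String.fromCharCode(88,83,83))//\\\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88,83,83))//-->">\'>alert(String.fromCharCode(88,83,83))=', $result);
+                    $this->assertEquals('\';alert(String.fromCharCode(88,83,83))//\\\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88,83,83))//-->">\'>alert(String.fromCharCode(88,83,83))=&{}', $result);
                     break;
                 case 'XSS Quick Test':
-                    $this->assertEquals('\'\';!--"=', $result);
+                    $this->assertEquals('\'\';!--"=&{()}', $result);
                     break;
                 case 'SCRIPT w/Alert()':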
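Review bot: The new expected strings for the `XSS Locator` and `XSS Quick Test` cases end in `&{}` and `&{()}` with nothing in the test recording why these sequences are now acceptable kses output, so a later reader auditing the sanitizer will see raw `&{...}` survive and may read it as a filtering regression. A comment above the `switch` would pin the rationale: `// '&{...}' JavaScript entities were only ever executed by Netscape 4; wp_kses_js_entities() is deprecated and no longer strips them (#33848).` The enclosing test method begins before this hunk, so the code that produces `$result` is not visible here; if the deprecated function is still reached anywhere in the suite, the test would also need a `$this->setExpectedDeprecated( 'wp_kses_js_entities' );` call to keep the run free of deprecation failures.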