Timestamp:
10/13/2016 10:24:27 PM (21 months ago)
Author:
pento
Message:

KSES: Deprecate wp_kses_js_entities().

This function was originally introduced to fix an XSS attack in Netscape 4, which affected no other browser and no later version of Netscape.

I'm willing to go out on a limb, and say that we've officially dropped security support for Netscape 4.

Props dmsnell, desrosj.
Fixes #33848.

File:
1 edited

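--- a/trunk/tests/phpunit/tests/kses.php
+++ b/trunk/tests/phpunit/tests/kses.php
@@ -196,8 +196,8 @@
             switch ( $attack->name ) {
                 case 'XSS Locator':
-                    $this->assertEquals('\';alert(String.fromCharCode(88,83,83))//\\\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88,83,83))//-->">\'>alert(String.fromCharCode(88,83,83))=', $result);
+                    $this->assertEquals('\';alert(String.fromCharCode(88,83,83))//\\\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88,83,83))//-->">\'>alert(String.fromCharCode(88,83,83))=&{}', $result);
                     break;
                 case 'XSS Quick Test':
-                    $this->assertEquals('\'\';!--"=', $result);
+                    $this->assertEquals('\'\';!--"=&{()}', $result);
                     break;
                 case 'SCRIPT w/Alert()':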
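Review bot: The new expected strings on the `XSS Locator` and `XSS Quick Test` branches now assert that `&{}` and `&{()}` come out of kses untouched, but nothing in the test says why a sequence that was previously stripped as a JavaScript entity is now acceptable output, so a future reader is likely to mistake this for a regression. A comment above the switch, `// &{...} JavaScript entities are passed through on purpose: wp_kses_js_entities() is deprecated, as the vector only ever worked in Netscape 4.`, would tie the expectation to the deprecation in the commit message. The deprecation itself and the removal of the wp_kses_js_entities() call site are not in the visible diff, so I am assuming they land elsewhere; if they do not, these assertions fail for the wrong reason. The enclosing test method and its loop begin and end outside the hunk.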