Make WordPress Core

Opened 12 years ago

Closed 7 years ago

#10151 closed enhancement (fixed)

HTML5 <video> elements stripped in kses.php

Reported by: GChriss Owned by: ryan
Milestone: 3.6 Priority: normal
Severity: normal Version: 2.8
Component: Security Keywords: has-patch
Focuses: Cc:


WordPress currently strips the new HTML5 <video> element as it is unrecognized. The attached patch allows <video> passthrough in postings and comments.

Hopefully this patch (or a derivative) could be incorporated into WordPress proper.

Attachments (1)

wordpress_html5_video_patch.txt (1.4 KB) - added by GChriss 12 years ago.
Patch to kses.php to enable HTML5 <video> passthrough

Download all attachments as: .zip

Change History (17)

12 years ago

Patch to kses.php to enable HTML5 <video> passthrough

#1 @Denis-de-Bernardy
12 years ago

  • Component changed from Comments to Security
  • Keywords needs-patch added
  • Milestone changed from Unassigned to 2.9
  • Owner set to ryan
  • Type changed from defect (bug) to enhancement

I'm 100% certain we don't wan't porn and spamercials in comments.

#2 @peaceablewhale
12 years ago

  • Keywords <video> video HTML5 removed

<video> should be preserved only in postings IMO... allow posting videos in comment is dangerous.

#3 @zcorpan
12 years ago

No <audio>? No <source>?

#6 @nacin
11 years ago

  • Milestone changed from 2.9 to Future Release

#7 @blizzard@…
11 years ago

  • Cc blizzard@… added

This probably needs to support the source elements as well, so we can build in fallbacks for safari, firefox, IE, etc. You need the source element to be able to do that.

Our biggest problem is that the wysiwyg editor strips out <video> tags which makes it hard for people to edit posts without a lot of technical experience. Will this bug help with that? (I'm not sure what role kses.php plays in that.)

#8 @azaozz
11 years ago

It's not hard to stop TinyMCE stripping <video>, <audio> and other new HTML 5.0 tags. The problem is what would the browsers show in the contentEditable iframe and would that bring any security problems. KSES is the backend HTML safety filter.

#9 @robertaccettura
11 years ago

  • Cc robert@… added

#10 @ninjaWR
11 years ago

#12048 closed as duplicate of this

#11 @GeekShadow
10 years ago

  • Cc GeekShadow added

What's up on this bug ? It would be good to be able to put both <audio> and <video> without them to be removed in TinyMCE !

#12 @nocnokneo
10 years ago

  • Cc taylor@… added
  • Keywords has-patch added

#13 @GChriss
10 years ago

  • Cc GChriss added

comment:2 raises the issue of trusted repositories, especially when an externally–hosted, already–reviewed video is replaced with something else.

Two options that come to mind are automatic upload to the Media Library (via Firefogg) or whitelisting of community–monitored media repositories (e.g., the Internet Archive and Wikimedia Commons). In both cases, WP admins should be able to set the same type of moderation options as are in place for text–based comments.

I think the potential for video comments is huge. Maybe this would be a good GSoC project?

#14 @SergeyBiryukov
10 years ago

  • Keywords needs-refresh added; needs-patch removed

#15 @GChriss
9 years ago

What steps are needed to push this forward? Is there consensus that <video> support should become part of the default WP installation?

#16 @wonderboymusic
7 years ago

  • Keywords needs-refresh removed
  • Milestone changed from Future Release to 3.6
  • Resolution set to fixed
  • Status changed from new to closed

Only gets stripped from Contributors, who don't even have access to media. Admin and Editors can paste the HTML that is produced by the shortcode, and it all remains intact, even the inline <script>

Note: See TracTickets for help on using tickets.