#10751 closed defect (bug) (fixed)
kses filter fields when displaying
Reported by: | ryan | Owned by: | ryan |
---|---|---|---|
Milestone: | 2.9 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Security | Keywords: | has-patch |
Focuses: | | Cc: | |
Description
Currently, some DB fields are trusted when being displayed. Usually this is fine since everything is run through kses upon save. However, some recent attacks have manipulated DB values to cover their tracks, making DB information untrustworthy. Where possible, we should run values through kses not just upon save, but upon display as well. This would thwart the recent example where the first_name field was modified to contain JS that hid a bogus admin user.
Attachments (2)
Change History (10)
#2 (15 years ago)
Added wp_strip_all_tags() that removes all parts of the <script> and <style> tags, and sanitize_text_field() that can check text input both on save and on retrieval from the db (it can be used in filters instead of 'trim' and 'strip_tags').
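As an added illustration of the display-time filtering proposed here and in the ticket description (example code, not the patch attached to this ticket): a PHP sketch in which a tampered first_name value is filtered when rendered, with an admin variant that flags that filtering took place. The function names and the stored value are assumptions.

```php
<?php
// Added example, not WordPress's own code. Models the behaviour described
// for wp_strip_all_tags()/sanitize_text_field(): filter on display, not
// only on save. Function names below are hypothetical.

/**
 * Remove <script>/<style> blocks together with their contents, then strip
 * any remaining tags and surrounding whitespace. Removing the whole block
 * matters: strip_tags() alone would leave the script body behind as text.
 */
function strip_all_tags_for_display( string $value ): string {
    $value = preg_replace( '@<(script|style)[^>]*?>.*?</\1>@si', '', $value );
    $value = strip_tags( $value );
    return trim( $value );
}

/**
 * Admin-screen variant: instead of silently cleaning the value, show a
 * marker so that tampering with the database stays visible to the operator
 * (the concern raised in comment #4 below).
 */
function sanitize_for_admin_display( string $value ): string {
    $clean = strip_all_tags_for_display( $value );
    return ( $clean === $value ) ? $clean : '[content filtered]';
}

// Constructed sample: a first_name value left in the database by someone
// who altered it directly, mirroring the scenario in the ticket description.
$stored_first_name = 'Alice<script>document.getElementById("user-99").style.display="none"</script>';

// Before: the field is trusted on display, so the script reaches the browser.
echo '<td>' . $stored_first_name . "</td>\n";

// After: the same value filtered at display time as well as at save time.
echo '<td>' . strip_all_tags_for_display( $stored_first_name ) . "</td>\n";
echo '<td>' . sanitize_for_admin_display( $stored_first_name ) . "</td>\n";
```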
#4 (15 years ago)
One thing with the full tag stripping on display is that you can't see that there is naughty stuff in the DB.
#5 (15 years ago)
Yes, was wondering if we should strip the naughty stuff or return an empty string instead. The empty string could potentially break something but on the other hand if somebody is trying an exploit the filtered string won't be any good either. Another option would be to return some kind of warning, perhaps [content filtered] or something when we are in the admin.
Add kses to display filters. Add sanitize_user_object() and sanitize_user_field(). First cut.