Make WordPress Core

Opened 12 years ago

Closed 12 years ago

Last modified 3 years ago

#10751 closed defect (bug) (fixed)

kses filter fields when displaying

Reported by: ryan
Owned by: ryan
Milestone: 2.9
Priority: normal
Severity: normal
Version:
Component: Security
Keywords: has-patch
Focuses:
Cc:


Currently, some DB fields are trusted when being displayed. Usually this is fine since everything is run through kses upon save. However, some recent attacks have manipulated DB values to cover their tracks, making DB information untrustworthy. Where possible, we should run values through kses not just upon save, but upon display as well. This would thwart the recent example where the first_name field was modified to contain JS that hid a bogus admin user.

Attachments (2)

10751.diff (9.0 KB) - added by ryan 12 years ago.
Add kses to display filters. Add sanitize_user_object() and sanitize_user_field(). First cut.
10751-2.patch (21.7 KB) - added by azaozz 12 years ago.


Change History (10)

12 years ago

Add kses to display filters. Add sanitize_user_object() and sanitize_user_field(). First cut.

#1 @scribu
12 years ago

  • Keywords has-patch added

12 years ago

#2 @azaozz
12 years ago

Added wp_strip_all_tags() that removes all parts of the <script> and <style> tags and sanitize_text_field() that can check text input both on save and on retrieval from the DB (it can be used in filters instead of 'trim' and 'strip_tags').

#3 @ryan
12 years ago

Nice. Working well for me so far.

#4 @ryan
12 years ago

One thing with the full tag stripping on display is that you can't see that there is naughty stuff in the DB.

#5 @azaozz
12 years ago

Yes, was wondering if we should strip the naughty stuff or return an empty string instead. The empty string could potentially break something but on the other hand if somebody is trying an exploit the filtered string won't be any good either. Another option would be to return some kind of warning, perhaps [content filtered] or something when we are in the admin.
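The display-time filtering discussed in comments #2, #4 and #5, as an added illustration in PHP (not code from the patch or from WordPress): a stripping helper modelled on the wp_strip_all_tags() idea, plus a display wrapper that shows a marker in the admin instead of silently hiding tampering. The function names and the sample first_name value are constructed for this example.

```php
<?php
// Illustration only; strip_all_tags_for_display() and display_user_field()
// are hypothetical names, not WordPress API.

// Remove <script>/<style> elements together with their contents, then every
// other tag. Plain strip_tags() alone would leave the script body behind as text.
function strip_all_tags_for_display( string $value ): string {
    // Case-insensitive, dot matches newlines, so a multi-line payload is caught.
    $value = preg_replace( '@<(script|style)[^>]*?>.*?</\1>@si', '', $value );
    // strip_tags() drops remaining markup but keeps the readable text.
    $value = strip_tags( $value );
    return trim( $value );
}

// Filter a stored field at display time rather than trusting the DB.
// Outside the admin the cleaned value is shown. In the admin a value that
// needed cleaning is replaced by a marker, so an administrator can still see
// that something in the database was tampered with (comment #5's idea).
function display_user_field( string $stored, bool $is_admin ): string {
    $clean = strip_all_tags_for_display( $stored );
    if ( $is_admin && $clean !== $stored ) {
        return '[content filtered]';
    }
    return $clean;
}

// Constructed sample: a first_name field that was modified to carry script.
$tampered = "Alice<script>\n/* would hide a user row */\n</script>";
$honest   = 'Bob';

// Stripping is a sanitisation step; HTML-escape at the point of output as well.
foreach ( [ $tampered, $honest ] as $stored ) {
    foreach ( [ false, true ] as $is_admin ) {
        $shown = display_user_field( $stored, $is_admin );
        printf(
            "%-6s -> %s\n",
            $is_admin ? 'admin' : 'site',
            htmlspecialchars( $shown, ENT_QUOTES, 'UTF-8' )
        );
    }
}
```

Expected output: the tampered value prints "Alice" on the site and "[content filtered]" in the admin, while "Bob" prints unchanged in both contexts.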

#6 @ryan
12 years ago

(In [11929]) Filter fields through kses upon display. Introduce sanitize_user_object() and sanitize_user_field(). see #10751

#7 @ryan
12 years ago

  • Resolution set to fixed
  • Status changed from new to closed

This ticket was mentioned in Slack in #core-restapi by desrosj.

3 years ago
