Make WordPress Core

Opened 6 years ago

Closed 6 years ago

#10751 closed defect (bug) (fixed)

kses filter fields when displaying

Reported by: ryan
Owned by: ryan
Milestone: 2.9
Priority: normal
Severity: normal
Version:
Component: Security
Keywords: has-patch
Focuses:
Cc:


Currently, some DB fields are trusted when being displayed. Usually this is fine since everything is run through kses upon save. However, some recent attacks have manipulated DB values to cover their tracks, making DB information untrustworthy. Where possible, we should run values through kses not just upon save, but upon display as well. This would thwart the recent example where the first_name field was modified to contain JS that hid a bogus admin user.

Attachments (2)

10751.diff (9.0 KB) - added by ryan 6 years ago.
Add kses to display filters. Add sanitize_user_object() and sanitize_user_field(). First cut.
10751-2.patch (21.7 KB) - added by azaozz 6 years ago.


Change History (9)

6 years ago

Add kses to display filters. Add sanitize_user_object() and sanitize_user_field(). First cut.

#1 @scribu
6 years ago

  • Keywords has-patch added

6 years ago

#2 @azaozz
6 years ago

Added wp_strip_all_tags() that removes all parts of the <script> and <style> tags, and sanitize_text_field() that can check text input both on save and on retrieval from the db (it can be used in filters instead of 'trim' and 'strip_tags').

#3 @ryan
6 years ago

Nice. Working well for me so far.

#4 @ryan
6 years ago

One thing with the full tag stripping on display is that you can't see that there is naughty stuff in the DB.

#5 @azaozz
6 years ago

Yes, was wondering if we should strip the naughty stuff or return an empty string instead. The empty string could potentially break something but on the other hand if somebody is trying an exploit the filtered string won't be any good either. Another option would be to return some kind of warning, perhaps [content filtered] or something when we are in the admin.
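
The pattern under discussion in the description and in comments #4 and #5 (treat stored fields as untrusted on display, strip script/style blocks with their contents, and in the admin show a marker instead of silently hiding that the DB held something it should not), written out as an added Python illustration. This is not WordPress code: the function names are borrowed from the ticket but the implementations, the "admin" context string and the sample rows are constructed for the example.

```python
import html
import re

# Constructed sample rows modelled on the attack in the ticket: a user's
# first_name carries a script that hides a bogus admin account in listings.
SAMPLE_USERS = [
    {"ID": 1, "first_name": "Ryan", "display_name": "Ryan"},
    {"ID": 2, "first_name": '<script>document.getElementById("user-2")'
                            '.style.display="none";</script>Bogus',
     "display_name": "Bogus Admin"},
    {"ID": 3, "first_name": "Alice <b>A.</b>", "display_name": "Alice"},
]

# <script>/<style> are removed together with their contents (plain tag
# stripping would leave the script body behind as visible text); any other
# tag is then removed. Closing tag is matched case-insensitively.
_SCRIPT_STYLE = re.compile(r"<(script|style)\b[^>]*>.*?</\1\s*>", re.I | re.S)
_ANY_TAG = re.compile(r"<[^>]*>")

def strip_all_tags(value: str) -> str:
    value = _SCRIPT_STYLE.sub("", value)
    value = _ANY_TAG.sub("", value)
    return " ".join(value.split())  # trim and collapse whitespace

def sanitize_text_field(value: str) -> tuple[str, bool]:
    """Return (clean, filtered). filtered is True when the stored value had
    to be altered, which is the signal that the DB row should not be trusted."""
    normalized = " ".join(value.split())
    clean = strip_all_tags(normalized)
    return clean, clean != normalized

def sanitize_user_field(field: str, value: str, context: str) -> str:
    """Display-time filter. In the admin, replace filtered content with a
    marker so an operator can see it (the concern raised in #4 and #5);
    elsewhere show the stripped, HTML-escaped text."""
    clean, filtered = sanitize_text_field(value)
    if filtered and context == "admin":
        return "[content filtered]"
    return html.escape(clean, quote=True)

def audit_users(rows, field: str = "first_name") -> list[int]:
    """Detection counterpart to the display filter: IDs whose stored field
    would be altered on display, to be logged or reviewed, not just hidden."""
    return [row["ID"] for row in rows if sanitize_text_field(row[field])[1]]

if __name__ == "__main__":
    for row in SAMPLE_USERS:
        print(row["ID"], sanitize_user_field("first_name", row["first_name"], "admin"))
    print("rows needing review:", audit_users(SAMPLE_USERS))
```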

#6 @ryan
6 years ago

(In [11929]) Filter fields through kses upon display. Introduce sanitize_user_object() and sanitize_user_field(). see #10751

#7 @ryan
6 years ago

  • Resolution set to fixed
  • Status changed from new to closed