#1674 closed defect (bug) (fixed)
Use different kses rules for posts and comments for users who can't "unfiltered_html"
Reported by: | donncha | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | 1.6 |
Component: | Security | Keywords: | |
Focuses: | Cc: |
Description
The following patch feeds post content through kses, but with its own set of allowed tags. The tags need to be pruned. I didn't filter on "content_save_pre" because that's destructive of the actual post. On the other hand, the post writer might wonder why his wacky javascript is being deleted when it's displayed...
diff -u /home/donncha/dev/wordpress/trunk/wp-includes/default-filters.php ./default-filters.php --- /home/donncha/dev/wordpress/trunk/wp-includes/default-filters.php 2005-07-04 06:21:42.000000000 -0400 +++ ./default-filters.php 2005-09-14 07:50:33.000000000 -0400 @@ -25,7 +25,6 @@ add_filter('pre_comment_author_url', 'clean_url'); add_filter('pre_comment_content', 'stripslashes', 1); -add_filter('pre_comment_content', 'wp_filter_kses'); add_filter('pre_comment_content', 'wp_rel_nofollow', 15); add_filter('pre_comment_content', 'balanceTags', 30); add_filter('pre_comment_content', 'addslashes', 50); @@ -85,4 +84,4 @@ // Actions add_action('publish_post', 'generic_ping'); diff -u /home/donncha/dev/wordpress/trunk/wp-includes/kses.php ./kses.php --- /home/donncha/dev/wordpress/trunk/wp-includes/kses.php 2005-07-04 06:21:43.000000000 -0400 +++ ./kses.php 2005-09-14 07:50:47.000000000 -0400 
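Review bot: Dropping `wp_filter_kses` from `pre_comment_content` removes the only save-time sanitisation of comment bodies visible here, and the replacement in `kses_init` (kses.php hunk `@@ -555,9 +839,28 @@`) runs on output and only when the current user lacks `unfiltered_html`, so the decision is made per viewer rather than per author. A comment submitted by a visitor is stored as-is and, when an administrator who has the capability views it, no filter is attached at all, which is exactly the case the filter exists to cover; any output path that does not go through `comment_text` is likewise left raw. Keep `add_filter('pre_comment_content', 'wp_filter_kses');` in place and make the post-side behaviour depend on the author's capability at save time rather than on the viewer at display time. The rest of default-filters.php is outside the hunk, so I can't tell whether other kses hooks are affected.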
@@ -6,14 +6,289 @@ # # E-mail: metaur at users dot sourceforge dot net # Web page: http://sourceforge.net/projects/kses -# Paper mail: (not at the moment) +# Paper mail: Ulf Harnhammar +# Ymergatan 17 C +# 753 25 Uppsala +# SWEDEN # # [kses strips evil scripts!] if (!defined('CUSTOM_TAGS')) define('CUSTOM_TAGS', false); - + // You can override this in your my-hacks.php file if (!CUSTOM_TAGS) { +$allowedposttags = array( + 'address' => array(), + 'applet' => array( + 'codebase' => array(), + 'code' => array(), + 'name' => array(), + 'alt' => array()), + 'area' => array( + 'shape' => array(), + 'coords' => array(), + 'href' => array(), + 'alt' => array()), + 'a' => array( + 'href' => array(), + 'title' => array(), + 'rel' => array(), + 'rev' => array(), + 'name' => array()), + 'abbr' => array('title' => array()), + 'acronym' => array('title' => array()), + 'b' => array(), + 'base' => array('href' => array()), + 'basefont' => array('size' => array()), + 'bdo' => array('dir' => array()), + 'big' => array(), + 'blockquote' => array('cite' => array()), + 'body' => array( + 'alink' => array(), + 'background' => array(), + 'bgcolor' => array(), + 'link' => array(), + 'text' => array(), + 'vlink' => array()), + 'br' => array(), + 'button' => array( + 'disabled' => array(), + 'name' => array(), + 'type' => array(), + 'value' => array()), + 'caption' => array('align' => array()), + 'code' => array(), + 'col' => array( + 'align' => array(), + 'char' => array(), + 'charoff' => array(), + 'span' => array(), + 'valign' => array(), + 'width' => array()), + 'del' => array('datetime' => array()), + 'dd' => array(), + 'div' => array('align' => array()), + 'dl' => array(), + 'dt' => array(), + 'em' => array(), + 'fieldset' => array(), + 'font' => array( + 'color' => array(), + 'face' => array(), + 'size' => array()), + 'form' => array( + 'action' => array(), + 'accept' => array(), + 'accept-charset' => array(), + 'enctype' => array(), + 'method' => array(), + 'name' => array(), + 
'target' => array()), + 'frame' => array( + 'frameborder' => array(), + 'longsesc' => array(), + 'marginheight' => array(), + 'marginwidth' => array(), + 'name' => array(), + 'noresize' => array(), + 'scrolling' => array(), + 'src' => array()), + 'frameset' => array( + 'cols' => array(), + 'rows' => array()), + 'head' => array('profile' => array()), + 'h1' => array('align' => array()), + 'h2' => array('align' => array()), + 'h3' => array('align' => array()), + 'h4' => array('align' => array()), + 'h5' => array('align' => array()), + 'h6' => array('align' => array()), + 'hr' => array( + 'align' => array(), + 'noshade' => array(), + 'size' => array(), + 'width' => array()), + 'html' => array('xmlns' => array()), + 'i' => array(), + 'iframe' => array( + 'align' => array(), + 'frameborder' => array(), + 'height' => array(), + 'londesc' => array(), + 'marginheight' => array(), + 'marginwidth' => array(), + 'name' => array(), + 'scrolling' => array(), + 'src' => array(), + 'width' => array()), + 'img' => array( + 'alt' => array(), + 'align' => array(), + 'border' => array(), + 'height' => array(), + 'hspace' => array(), + 'ismap' => array(), + 'longdesc' => array(), + 'usemap' => array(), + 'vspace' => array(), + 'src' => array(), + 'width' => array()), + 'input' => array( + 'accept' => array(), + 'align' => array(), + 'alt' => array(), + 'checked' => array(), + 'disabled' => array(), + 'maxlength' => array(), + 'name' => array(), + 'readonly' => array(), + 'size' => array(), + 'src' => array(), + 'type' => array(), + 'value' => array()), + 'ins' => array('datetime' => array(), 'cite' => array()), + 'kbd' => array(), + 'label' => array('for' => array()), + 'legend' => array('align' => array()), + 'li' => array(), + 'link' => array( + 'charset' => array(), + 'href' => array(), + 'hreflang' => array(), + 'media' => array(), + 'rel' => array(), + 'rev' => array(), + 'target' => array(), + 'type' => array()), + 'map' => array( + 'id' => array(), + 'name' => array()), + 
'menu' => array(), + 'meta' => array( + 'content' => array(), + 'http-equiv' => array(), + 'name' => array(), + 'scheme' => array()), + 'noframes' => array(), + 'noscript' => array(), + 'object' => array( + 'align' => array(), + 'archive' => array(), + 'border' => array(), + 'classid' => array(), + 'codebase' => array(), + 'codetype' => array(), + 'data' => array(), + 'declare' => array(), + 'height' => array(), + 'hspace' => array(), + 'name' => array(), + 'standby' => array(), + 'type' => array(), + 'usemap' => array(), + 'vspace' => array(), + 'width' => array()), + 'ol' => array( + 'compact' => array(), + 'start' => array(), + 'type' => array()), + 'optgroup' => array( + 'label' => array(), + 'disabled' => array()), + 'option' => array( + 'disabled' => array(), + 'label' => array(), + 'selected' => array(), + 'value' => array()), + 'p' => array('align' => array()), + 'param' => array( + 'name' => array(), + 'type' => array(), + 'value' => array(), + 'valuetype' => array()), + 'pre' => array('width' => array()), + 'q' => array('cite' => array()), + 's' => array(), + 'strike' => array(), + 'strong' => array(), + 'style' => array( + 'type' => array(), + 'media' => array()), + 'sub' => array(), + 'sup' => array(), + 'table' => array( + 'align' => array(), + 'bgcolor' => array(), + 'border' => array(), + 'cellpadding' => array(), + 'cellspacing' => array(), + 'frame' => array(), + 'rules' => array(), + 'summary' => array(), + 'width' => array()), + 'tbody' => array( + 'align' => array(), + 'char' => array(), + 'charoff' => array(), + 'valign' => array()), + 'td' => array( + 'abbr' => array(), + 'align' => array(), + 'axis' => array(), + 'bgcolor' => array(), + 'char' => array(), + 'charoff' => array(), + 'colspan' => array(), + 'headers' => array(), + 'height' => array(), + 'nowrap' => array(), + 'rowspan' => array(), + 'scope' => array(), + 'valign' => array(), + 'width' => array()), + 'textarea' => array( + 'cols' => array(), + 'rows' => array(), + 'disabled' => 
array(), + 'name' => array(), + 'readonly' => array()), + 'tfoot' => array( + 'align' => array(), + 'char' => array(), + 'charoff' => array(), + 'valign' => array()), + 'th' => array( + 'abbr' => array(), + 'align' => array(), + 'axis' => array(), + 'bgcolor' => array(), + 'char' => array(), + 'charoff' => array(), + 'colspan' => array(), + 'headers' => array(), + 'height' => array(), + 'nowrap' => array(), + 'rowspan' => array(), + 'scope' => array(), + 'valign' => array(), + 'width' => array()), + 'thead' => array( + 'align' => array(), + 'char' => array(), + 'charoff' => array(), + 'valign' => array()), + 'title' => array(), + 'tr' => array( + 'align' => array(), + 'bgcolor' => array(), + 'char' => array(), + 'charoff' => array(), + 'valign' => array()), + 'tt' => array(), + 'u' => array(), + 'ul' => array(), + 'var' => array() +); $allowedtags = array( 'a' => array( 'href' => array(), @@ -45,7 +320,7 @@ ); } function wp_kses($string, $allowed_html, $allowed_protocols = - array('http', 'https', 'ftp', 'news', 'nntp', 'feed', 'gopher', 'mailto')) + array('http', 'https', 'ftp', 'news', 'nntp', 'telnet', 'feed', 'gopher', 'mailto')) ############################################################################### # This function makes sure that only the allowed HTML element names, attribute # names and attribute values plus only sane HTML entities will occur in @@ -76,7 +351,7 @@ # This function returns kses' version number. ############################################################################### { - return '0.2.1'; + return '0.2.2'; } # function wp_kses_version 
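Review bot: The new `$allowedposttags` table still admits elements that carry active content or rewrite the page, so it does not give users without `unfiltered_html` a restricted profile: `applet`, `object` (with `classid`/`codebase`/`data`), `iframe` and `frame` (with `src`), `meta` (with `http-equiv`/`content`), `style`, `base` and `link` (with `href`), `body`, and the whole `form`/`input`/`button`/`textarea` family are all allowed. The description already says the list "needs to be pruned"; that pruning should happen before this lands, since an allow-list that admits these is not materially safer than no filter. Two attribute keys are also misspelled — `'longsesc'` under `frame` and `'londesc'` under `iframe`, where `img` correctly uses `'longdesc'` — so the intended attribute is stripped while a dead key sits in the table. A one-line comment above the array, `// Allow-list for authors lacking unfiltered_html: every entry must be inert (no script, object, frame, meta or form elements)`, would state the invariant the list is meant to satisfy.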
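Review bot: Adding `telnet` to the default `$allowed_protocols` of `wp_kses` widens the scheme allow-list for every caller, including comment filtering, while the rest of the patch is about tightening rules for untrusted users; the change is unrelated to the ticket and not mentioned in the description. If it is wanted it should be a separate change with its own justification, or at least a comment on the signature explaining why a scheme that hands the URL to an external client is acceptable in user-supplied links. The body of `wp_kses` is outside the hunk.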
@@ -118,10 +393,14 @@ $elem = $matches[2]; $attrlist = $matches[3]; - if (!is_array($allowed_html[strtolower($elem)])) + if (!@is_array($allowed_html[strtolower($elem)])) return ''; # They are using a not allowed HTML element + if ($slash != '') + return "<$slash$elem>"; + # No attributes are allowed for closing elements + return wp_kses_attr("$slash$elem", $attrlist, $allowed_html, $allowed_protocols); } # function wp_kses_split2 @@ -145,7 +424,7 @@ # Are any attributes allowed at all for this element? - if (count($allowed_html[strtolower($element)]) == 0) + if (@count($allowed_html[strtolower($element)]) == 0) return "<$element$xhtml_slash>"; # Split it @@ -159,6 +438,9 @@ foreach ($attrarr as $arreach) { + if (!@isset($allowed_html[strtolower($element)] [strtolower($arreach['name'])])) + continue; # the attribute is not allowed + $current = $allowed_html[strtolower($element)] [strtolower($arreach['name'])]; if ($current == '') @@ -410,6 +692,8 @@ $string = preg_replace('/\0+/', '', $string); $string = preg_replace('/(\\\\0)+/', '', $string); + $string = preg_replace('/\xad+/', '', $string); # deals with Opera "feature" + return $string; } # function wp_kses_no_null @@ -555,9 +839,28 @@ return $string; } # function wp_kses_decode_entities -function wp_filter_kses( $string ) { +function wp_filter_kses($data) { global $allowedtags; - return wp_kses($string, $allowedtags); + return wp_kses($data, $allowedtags); } -?> \ No newline at end of file +function wp_filter_post_kses($data) { + global $allowedposttags; + return wp_kses($data, $allowedposttags); +} + + + +function kses_init() { + global $current_user; + + get_currentuserinfo(); // set $current_user + if( current_user_can( 'unfiltered_html' ) == false ) { + add_filter('comment_author', 'wp_filter_kses'); + add_filter('comment_text', 'wp_filter_kses'); + add_filter('comment_post', 'wp_filter_kses'); + add_filter('the_content', 'wp_filter_post_kses'); + } +} +add_action( 'init', 'kses_init' ); +?>
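Review bot: `!@is_array($allowed_html[strtolower($elem)])` uses the `@` operator to hide the undefined-index notice instead of testing for the key; the same pattern appears in `@@ -145,7 +424,7 @@` (`@count(...)`) and `@@ -159,6 +438,9 @@`, where `@isset(...)` is redundant because `isset` never raises a notice for a missing index. Prefer an explicit key test so that a genuine error in the table is not silenced along with the notice, e.g. `$lc = strtolower($elem);` / `if (!isset($allowed_html[$lc]) || !is_array($allowed_html[$lc]))` / `return '';`. The new closing-tag short-circuit `if ($slash != '') return "<$slash$elem>";` deserves its comment on the line above it rather than below, so a reader sees why attributes are dropped before the return. `wp_kses_split2` starts outside the hunk.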
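Review bot: In `kses_init`, `global $current_user;` is declared but never read — the function only calls `get_currentuserinfo()` and `current_user_can()` — so either drop the line or extend its comment to say that `get_currentuserinfo()` is called for its side effect of populating that global for later callers. `add_filter('comment_post', 'wp_filter_kses')` looks suspect: if `comment_post` is fired as an action with a comment id rather than as a filter over the comment text, the return value is discarded and nothing is sanitised there; please confirm against the hook's call site before relying on it. A short header comment, `// Attach kses output filters for this request when the logged-in user may not post raw HTML`, would document what the `init` hook is doing and make the viewer-side nature of the check explicit.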
Change History (4)
I'm having trouble with the patch. Could you attach it as a file?