
Opened 17 years ago

Closed 17 years ago

Last modified 16 years ago

#1674 closed defect (bug) (fixed)

Use different kses rules for posts and comments for users who can't "unfiltered_html"

Reported by: donncha's profile donncha Owned by:
Milestone: Priority: normal
Severity: normal Version: 1.6
Component: Security Keywords:
Focuses: Cc:

Description

The following patch feeds post content through kses, but with its own set of allowed tags. The tags need to be pruned. I didn't filter on "content_save_pre" because that's destructive of the actual post. On the other hand, the post writer might wonder why his wacky javascript is being deleted when it's displayed...

diff -u /home/donncha/dev/wordpress/trunk/wp-includes/default-filters.php ./default-filters.php
--- /home/donncha/dev/wordpress/trunk/wp-includes/default-filters.php	2005-07-04 06:21:42.000000000 -0400
+++ ./default-filters.php	2005-09-14 07:50:33.000000000 -0400
@@ -25,7 +25,6 @@
 add_filter('pre_comment_author_url', 'clean_url');
 
 add_filter('pre_comment_content', 'stripslashes', 1);
-add_filter('pre_comment_content', 'wp_filter_kses');
 add_filter('pre_comment_content', 'wp_rel_nofollow', 15);
 add_filter('pre_comment_content', 'balanceTags', 30);
 add_filter('pre_comment_content', 'addslashes', 50);
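Review bot: Removing `wp_filter_kses` from `pre_comment_content` means comment markup submitted by anonymous commenters is now stored unfiltered, and the replacement registered in `kses_init` (the kses.php hunk ending at `add_action( 'init', 'kses_init' );`) is gated on the capability of whoever is viewing the page, not of the person who wrote the comment, so a logged-in reader with `unfiltered_html` is shown the raw comment HTML. Commenters are not users holding `unfiltered_html`, so the save-time filter is still needed here; I would keep `add_filter('pre_comment_content', 'wp_filter_kses');` and limit the display-time, capability-dependent filtering to post content. The same viewer-versus-author mismatch applies to the `the_content` filter added in that hunk.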
@@ -85,4 +84,4 @@
 // Actions
 add_action('publish_post', 'generic_ping');
 
diff -u /home/donncha/dev/wordpress/trunk/wp-includes/kses.php ./kses.php
--- /home/donncha/dev/wordpress/trunk/wp-includes/kses.php	2005-07-04 06:21:43.000000000 -0400
+++ ./kses.php	2005-09-14 07:50:47.000000000 -0400
@@ -6,14 +6,289 @@
 #
 # E-mail:      metaur at users dot sourceforge dot net
 # Web page:    http://sourceforge.net/projects/kses
-# Paper mail:  (not at the moment)
+# Paper mail:  Ulf Harnhammar
+#              Ymergatan 17 C
+#              753 25  Uppsala
+#              SWEDEN
 #
 # [kses strips evil scripts!]
 if (!defined('CUSTOM_TAGS'))
 	define('CUSTOM_TAGS', false);
-	
+
 // You can override this in your my-hacks.php file
 if (!CUSTOM_TAGS) {
+$allowedposttags = array(
+				'address' => array(),
+				'applet' => array(
+					'codebase' => array(),
+					'code' => array(),
+					'name' => array(),
+					'alt' => array()),
+				'area' => array(
+					'shape' => array(),
+					'coords' => array(),
+					'href' => array(),
+					'alt' => array()),
+				'a' => array(
+					'href' => array(),
+					'title' => array(),
+					'rel' => array(),
+					'rev' => array(),
+					'name' => array()),
+				'abbr' => array('title' => array()),
+				'acronym' => array('title' => array()),
+				'b' => array(),
+				'base' => array('href' => array()),
+				'basefont' => array('size' => array()),
+				'bdo' => array('dir' => array()),
+				'big' => array(),
+				'blockquote' => array('cite' => array()),
+				'body' => array(
+					'alink' => array(),
+					'background' => array(),
+					'bgcolor' => array(),
+					'link' => array(),
+					'text' => array(),
+					'vlink' => array()),
+				'br' => array(),
+				'button' => array(
+					'disabled' => array(),
+					'name' => array(),
+					'type' => array(),
+					'value' => array()),
+				'caption' => array('align' => array()),
+				'code' => array(),
+				'col' => array(
+					'align' => array(),
+					'char' => array(),
+					'charoff' => array(),
+					'span' => array(),
+					'valign' => array(),
+					'width' => array()),
+				'del' => array('datetime' => array()),
+				'dd' => array(),
+				'div' => array('align' => array()),
+				'dl' => array(),
+				'dt' => array(),
+				'em' => array(),
+				'fieldset' => array(),
+				'font' => array(
+					'color' => array(),
+					'face' => array(),
+					'size' => array()),
+				'form' => array(
+					'action' => array(),
+					'accept' => array(),
+					'accept-charset' => array(),
+					'enctype' => array(),
+					'method' => array(),
+					'name' => array(),
+					'target' => array()),
+				'frame' => array(
+					'frameborder' => array(),
+					'longsesc' => array(),
+					'marginheight' => array(),
+					'marginwidth' => array(),
+					'name' => array(),
+					'noresize' => array(),
+					'scrolling' => array(),
+					'src' => array()),
+				'frameset' => array(
+					'cols' => array(),
+					'rows' => array()),
+				'head' => array('profile' => array()),
+				'h1' => array('align' => array()),
+				'h2' => array('align' => array()),
+				'h3' => array('align' => array()),
+				'h4' => array('align' => array()),
+				'h5' => array('align' => array()),
+				'h6' => array('align' => array()),
+				'hr' => array(
+					'align' => array(),
+					'noshade' => array(),
+					'size' => array(),
+					'width' => array()),
+				'html' => array('xmlns' => array()),
+				'i' => array(),
+				'iframe' => array(
+					'align' => array(),
+					'frameborder' => array(),
+					'height' => array(),
+					'londesc' => array(),
+					'marginheight' => array(),
+					'marginwidth' => array(),
+					'name' => array(),
+					'scrolling' => array(),
+					'src' => array(),
+					'width' => array()),
+				'img' => array(
+					'alt' => array(),
+					'align' => array(),
+					'border' => array(),
+					'height' => array(),
+					'hspace' => array(),
+					'ismap' => array(),
+					'longdesc' => array(),
+					'usemap' => array(),
+					'vspace' => array(),
+					'src' => array(),
+					'width' => array()),
+				'input' => array(
+					'accept' => array(),
+					'align' => array(),
+					'alt' => array(),
+					'checked' => array(),
+					'disabled' => array(),
+					'maxlength' => array(),
+					'name' => array(),
+					'readonly' => array(),
+					'size' => array(),
+					'src' => array(),
+					'type' => array(),
+					'value' => array()),
+				'ins' => array('datetime' => array(), 'cite' => array()),
+				'kbd' => array(),
+				'label' => array('for' => array()),
+				'legend' => array('align' => array()),
+				'li' => array(),
+				'link' => array(
+					'charset' => array(),
+					'href' => array(),
+					'hreflang' => array(),
+					'media' => array(),
+					'rel' => array(),
+					'rev' => array(),
+					'target' => array(),
+					'type' => array()),
+				'map' => array(
+					'id' => array(),
+					'name' => array()),
+				'menu' => array(),
+				'meta' => array(
+					'content' => array(),
+					'http-equiv' => array(),
+					'name' => array(),
+					'scheme' => array()),
+				'noframes' => array(),
+				'noscript' => array(),
+				'object' => array(
+					'align' => array(),
+					'archive' => array(),
+					'border' => array(),
+					'classid' => array(),
+					'codebase' => array(),
+					'codetype' => array(),
+					'data' => array(),
+					'declare' => array(),
+					'height' => array(),
+					'hspace' => array(),
+					'name' => array(),
+					'standby' => array(),
+					'type' => array(),
+					'usemap' => array(),
+					'vspace' => array(),
+					'width' => array()),
+				'ol' => array(
+					'compact' => array(),
+					'start' => array(),
+					'type' => array()),
+				'optgroup' => array(
+					'label' => array(),
+					'disabled' => array()),
+				'option' => array(
+					'disabled' => array(),
+					'label' => array(),
+					'selected' => array(),
+					'value' => array()),
+				'p' => array('align' => array()),
+				'param' => array(
+					'name' => array(),
+					'type' => array(),
+					'value' => array(),
+					'valuetype' => array()),
+				'pre' => array('width' => array()),
+				'q' => array('cite' => array()),
+				's' => array(),
+				'strike' => array(),
+				'strong' => array(),
+				'style' => array(
+					'type' => array(),
+					'media' => array()),
+				'sub' => array(),
+				'sup' => array(),
+				'table' => array(
+					'align' => array(),
+					'bgcolor' => array(),
+					'border' => array(),
+					'cellpadding' => array(),
+					'cellspacing' => array(),
+					'frame' => array(),
+					'rules' => array(),
+					'summary' => array(),
+					'width' => array()),
+				'tbody' => array(
+					'align' => array(),
+					'char' => array(),
+					'charoff' => array(),
+					'valign' => array()),
+				'td' => array(
+					'abbr' => array(),
+					'align' => array(),
+					'axis' => array(),
+					'bgcolor' => array(),
+					'char' => array(),
+					'charoff' => array(),
+					'colspan' => array(),
+					'headers' => array(),
+					'height' => array(),
+					'nowrap' => array(),
+					'rowspan' => array(),
+					'scope' => array(),
+					'valign' => array(),
+					'width' => array()),
+				'textarea' => array(
+					'cols' => array(),
+					'rows' => array(),
+					'disabled' => array(),
+					'name' => array(),
+					'readonly' => array()),
+				'tfoot' => array(
+					'align' => array(),
+					'char' => array(),
+					'charoff' => array(),
+					'valign' => array()),
+				'th' => array(
+					'abbr' => array(),
+					'align' => array(),
+					'axis' => array(),
+					'bgcolor' => array(),
+					'char' => array(),
+					'charoff' => array(),
+					'colspan' => array(),
+					'headers' => array(),
+					'height' => array(),
+					'nowrap' => array(),
+					'rowspan' => array(),
+					'scope' => array(),
+					'valign' => array(),
+					'width' => array()),
+				'thead' => array(
+					'align' => array(),
+					'char' => array(),
+					'charoff' => array(),
+					'valign' => array()),
+				'title' => array(),
+				'tr' => array(
+					'align' => array(),
+					'bgcolor' => array(),
+					'char' => array(),
+					'charoff' => array(),
+					'valign' => array()),
+				'tt' => array(),
+				'u' => array(),
+				'ul' => array(),
+				'var' => array()
+);
 $allowedtags = array(
 	'a' => array(
 		'href' => array(),
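Review bot: Two attribute names in the new `$allowedposttags` table are misspelled — `'longsesc' => array(),` under 'frame' and `'londesc' => array(),` under 'iframe' should both read `'longdesc' => array(),`, as the 'img' entry already does — so the intended attribute is stripped while the typo entries are dead. Beyond that, the table as written admits elements whose main effect for a user who has been denied `unfiltered_html` is to load external or active content — 'applet', 'object', 'iframe' and 'frame' with 'src', 'meta' with 'http-equiv', 'base' with 'href', 'form' with 'action', 'link' with 'href', and 'style' — which largely defeats the purpose of a separate, more restrictive post rule set; the description already says the tags need pruning, so those entries should go before this lands. 'script' is correctly absent from the table.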
@@ -45,7 +320,7 @@
 	);
 }
 function wp_kses($string, $allowed_html, $allowed_protocols =
-               array('http', 'https', 'ftp', 'news', 'nntp', 'feed', 'gopher', 'mailto'))
+               array('http', 'https', 'ftp', 'news', 'nntp', 'telnet', 'feed', 'gopher', 'mailto'))
 ###############################################################################
 # This function makes sure that only the allowed HTML element names, attribute
 # names and attribute values plus only sane HTML entities will occur in
@@ -76,7 +351,7 @@
 # This function returns kses' version number.
 ###############################################################################
 {
-  return '0.2.1';
+  return '0.2.2';
 } # function wp_kses_version
 
 
@@ -118,10 +393,14 @@
   $elem = $matches[2];
   $attrlist = $matches[3];
 
-  if (!is_array($allowed_html[strtolower($elem)]))
+  if (!@is_array($allowed_html[strtolower($elem)]))
     return '';
     # They are using a not allowed HTML element
 
+  if ($slash != '')
+    return "<$slash$elem>";
+  # No attributes are allowed for closing elements
+
   return wp_kses_attr("$slash$elem", $attrlist, $allowed_html,
                    $allowed_protocols);
 } # function wp_kses_split2
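Review bot: `@is_array($allowed_html[strtolower($elem)])` uses the error-suppression operator to hide the undefined-index notice for an element absent from the table; `@count($allowed_html[strtolower($element)]) == 0` in the next hunk does the same, and `@isset(...)` in the hunk after that is redundant because isset never raises a notice. Suppression also hides genuine errors raised inside the expression, so prefer an explicit presence check, e.g. `$name = strtolower($elem);` followed by `if (!isset($allowed_html[$name]) || !is_array($allowed_html[$name])) return '';`, and the same `isset` form in place of `@count`. The closing-tag early return is reasonable; note that `$slash` and `$matches` are assigned before this hunk, so the enclosing function wp_kses_split2 begins outside it.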
@@ -145,7 +424,7 @@
 
 # Are any attributes allowed at all for this element?
 
-  if (count($allowed_html[strtolower($element)]) == 0)
+  if (@count($allowed_html[strtolower($element)]) == 0)
     return "<$element$xhtml_slash>";
 
 # Split it
@@ -159,6 +438,9 @@
 
   foreach ($attrarr as $arreach)
   {
+    if (!@isset($allowed_html[strtolower($element)] [strtolower($arreach['name'])]))
+      continue; # the attribute is not allowed
+
     $current = $allowed_html[strtolower($element)]
                             [strtolower($arreach['name'])];
     if ($current == '')
@@ -410,6 +692,8 @@
   $string = preg_replace('/\0+/', '', $string);
   $string = preg_replace('/(\\\\0)+/', '', $string);
 
+  $string = preg_replace('/\xad+/', '', $string); # deals with Opera "feature"
+
   return $string;
 } # function wp_kses_no_null
 
@@ -555,9 +839,28 @@
   return $string;
 } # function wp_kses_decode_entities
 
-function wp_filter_kses( $string ) {
+function wp_filter_kses($data) {
 	global $allowedtags;
-	return wp_kses($string, $allowedtags);
+	return wp_kses($data, $allowedtags);
 }
 
-?>
\ No newline at end of file
+function wp_filter_post_kses($data) {
+	global $allowedposttags;
+	return wp_kses($data, $allowedposttags);
+}
+
+
+
+function kses_init() {
+	global $current_user;
+
+	get_currentuserinfo(); // set $current_user
+	if( current_user_can( 'unfiltered_html' ) == false ) {
+		add_filter('comment_author', 'wp_filter_kses');
+		add_filter('comment_text', 'wp_filter_kses');
+		add_filter('comment_post', 'wp_filter_kses');
+		add_filter('the_content', 'wp_filter_post_kses');
+	}
+}
+add_action( 'init', 'kses_init' );
+?>
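Review bot: `global $current_user;` in kses_init is declared but never read — the function only calls get_currentuserinfo() and current_user_can() — so the line can be dropped, and `current_user_can( 'unfiltered_html' ) == false` reads more naturally as `if ( ! current_user_can( 'unfiltered_html' ) )`. I am not certain 'comment_post' is a filter that passes comment text through its callback; if it is an action, `add_filter('comment_post', 'wp_filter_kses');` registers a callback that will not receive content at all — confirm against the hook's definition. wp_filter_post_kses and kses_init carry no doc comment; a one-liner such as `// Apply the restricted $allowedposttags rule set to post content for users lacking unfiltered_html` would help now that the two rule sets differ.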

Change History (4)

#1 @ryan
17 years ago

I'm having trouble with the patch. Could you attach it as a file?

#2 @ryan
17 years ago

  • Milestone set to 1.6

Matt suggested running kses on save rather than display due to performance issues, so I changed the patch to use content_save_pre.

#3 @ryan
17 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [2896]) Filter posts with kses for users who do not have the unfiltered_html cap. Props donncha. fixes #1674

#4 @(none)
16 years ago

  • Milestone 2.0 deleted

Milestone 2.0 deleted
