Make WordPress Core

Opened 10 years ago

Closed 8 years ago

#17847 closed defect (bug) (fixed)

wp_kses_hair is too stringent

Reported by: jorbin Owned by: nacin
Milestone: 3.9 Priority: normal
Severity: normal Version: 1.5
Component: Formatting Keywords: has-patch
Focuses: Cc:


attributes from custom xml name spaces may use colons, but the regex used inside wp_kses_hair doesn't allow them through.

Attachments (1)

18320.diff (577 bytes) - added by jorbin 10 years ago.

Download all attachments as: .zip

Change History (7)

10 years ago

#1 @nacin
10 years ago

  • Component changed from Security to Formatting

Can you provide some test cases as to what these attributes look like?

#2 @jorbin
10 years ago

addthis:url is one example

#3 @johnbillion
10 years ago

Google Products is one too, using g:* for many attributes in their product data feeds.

#4 @kurtpayne
10 years ago

  • Version set to 1.5

#5 @nacin
8 years ago

  • Milestone changed from Awaiting Review to 3.9

Appears safe to me. Will want to get some eyes on this before proceeding.

#6 @nacin
8 years ago

  • Owner set to nacin
  • Resolution set to fixed
  • Status changed from new to closed

In 27707:

Allow XML attributes with colons to be read by kses.

The attribute would still need to be whitelisted to get through the filters.

props jorbin.
fixes #17847.

Note: See TracTickets for help on using tickets.