#19354 closed defect (bug) (wontfix)
wp_allowed_protocols() does not allow data URI scheme
Reported by: | hardy101 | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | 3.2.1 |
Component: | General | Keywords: | dev-feedback has-patch |
Focuses: | Cc: |
Description
When inserting images into a post via copy-paste, Firefox will paste a base64 text string (using the Data URI scheme) into the post editor. The result will look something like:
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAUA
AAAFCAYAAACNbyblAAAAHElEQVQI12P48/w38GIAXDIBKE0DHxgljNBAAO
9TXL0Y4OHwAAAABJRU5ErkJggg==" alt="Red dot">
When the post is saved, the "data:" portion of the src attribute is stripped away by wp_kses_hair() via the line:
if ( in_array(strtolower($attrname), $uris) )
$thisval = wp_kses_bad_protocol($thisval, $allowed_protocols);
"data:" is treated as a protocol prefix, and is not seen as part of the src attribute.
To reproduce this error, try the following in Firefox:
1) Do a Google image search for a rendom image.
2) Right-click -> "Copy Image"
3) Paste into rich text editor
4) Save post
5) View HTML tab of the editor and notice that the "data:" scheme has been removed.
A side effect of this issue is that the image src is treated as a relative image path on the server (in subdirectory "image/png" with long string of characters as the "file name." The server will typically report an error in its log file about the request length of the URI being too long.
Attachments (2)
Change History (17)
#1
@
13 years ago
- Summary changed from wMulti-site wp_kses_hair() strips "data:" from base64-encoded images pasted into rich editior with Data URI scheme to Multi-site wp_kses_hair() strips "data:" from base64-encoded images pasted into rich editior with Data URI scheme
#2
@
13 years ago
- Keywords has-patch added; needs-patch removed
- Summary changed from Multi-site wp_kses_hair() strips "data:" from base64-encoded images pasted into rich editior with Data URI scheme to wp_allowed_protocols() does not allow data URI scheme
Happens in single-site too. wp_allowed_protocols()
doesn't currently allow data:
as a protocol.
#3
follow-up:
↓ 4
@
13 years ago
- Cc kpayne@… added
I was not able to duplicate your results in 3.3 RC1 (single and multisite).
I used FF 8. The pasted image was interpreted as a data uri, but "data:" portion was not stripped when the post was saved.
Can you still reproduce this on 3.3?
#4
in reply to:
↑ 3
@
13 years ago
Replying to kurtpayne:
Can you still reproduce this on 3.3?
Yes. You need to test as a user without unfiltered HTML capability - i.e., not an administrator/editor.
#5
@
13 years ago
In my testing, I encountered an image string that was too large for the regex to handle. I was getting a PREG_BACKTRACK_LIMIT_ERROR
from a 26K string. The php documentation states that the default value for pcre.backtrack_limit is 100000 (1 million), but the stock installs of php I've tested show it to be 100000 (one-hundred thousand). Raising the backtrack limit via ini_set()
allow the code to work on the test string.
I was able to duplicate the original problem. After applying patch 19354.diff, I was able to embed an image as an unprivileged author that survived saving.
#8
@
13 years ago
#19886 was closed as a dupe, as this ticket has patches, but it was assigned to the 3.4 milestone. May want to move this one if it's still a candidate, but I'll leave that to somebody else.
#9
@
11 years ago
- Component changed from Editor to General
- Milestone changed from Awaiting Review to 3.7
Related: #25147
#10
follow-up:
↓ 11
@
11 years ago
I'm not sure we can trust the contents of the data
URI scheme. Anyone have any links/white papers arguing either way?
#11
in reply to:
↑ 10
@
11 years ago
- Milestone 3.7 deleted
- Resolution set to wontfix
- Status changed from new to closed
Replying to nacin:
I'm not sure we can trust the contents of the
data
URI scheme. Anyone have any links/white papers arguing either way?
Nope, we cannot trust data URIs.
Backup evidence: "several pseudo-schemes exist specifically to enable scripting or URL-contained data rendering in the security context inherited from the caller" from https://code.google.com/p/browsersec/wiki/Part1#Pseudo_URL_schemes
#13
@
8 years ago
Looks like data
was removed and now if you try and add bas64 image data URI data
with WP REST API it gets ignored.
I had to add it through the filter.
<?php /** * Allow data protocol.. * * @since 1.1.0 */ if ( ! function_exists( 'aa_allow_data_protocol' ) ) { add_filter( 'kses_allowed_protocols' , 'aa_allow_data_protocol' ); /** * aa_allow_data_protocol * * @param array $protocols * @return array * @since 1.1.0 */ function aa_allow_data_protocol( $protocols ) { $protocols[] = 'data'; return $protocols; } }
If I am allowed to manually add base64 images in the WP editor, I suppose I should be allowed to add it via REST API.
Any feedback on this would be appreciated.
Allow data: protocol