When inserting images into a post via copy-paste, Firefox will paste a base64 text string (using the Data URI scheme) into the post editor. The result will look something like:

<img src="
9TXL0Y4OHwAAAABJRU5ErkJggg==" alt="Red dot">

When the post is saved, the "data:" portion of the src attribute is stripped away by wp_kses_hair() via the line:

if ( in_array(strtolower($attrname), $uris) )

$thisval = wp_kses_bad_protocol($thisval, $allowed_protocols);

"data:" is treated as a protocol prefix, and is not seen as part of the src attribute.

To reproduce this error, try the following in Firefox:

1) Do a Google image search for a rendom image.
2) Right-click -> "Copy Image"
3) Paste into rich text editor
4) Save post
5) View HTML tab of the editor and notice that the "data:" scheme has been removed.

A side effect of this issue is that the image src is treated as a relative image path on the server (in subdirectory "image/png" with long string of characters as the "file name." The server will typically report an error in its log file about the request length of the URI being too long.

#1 @hardy101
13 years ago

  • Summary changed from wMulti-site wp_kses_hair() strips "data:" from base64-encoded images pasted into rich editior with Data URI scheme to Multi-site wp_kses_hair() strips "data:" from base64-encoded images pasted into rich editior with Data URI scheme

13 years ago

Allow data: protocol

#2 @solarissmoke
13 years ago

  • Keywords has-patch added; needs-patch removed
  • Summary changed from Multi-site wp_kses_hair() strips "data:" from base64-encoded images pasted into rich editior with Data URI scheme to wp_allowed_protocols() does not allow data URI scheme

Happens in single-site too. wp_allowed_protocols() doesn't currently allow data: as a protocol.

#3 follow-up: @kurtpayne
13 years ago

  • Cc kpayne@… added

I was not able to duplicate your results in 3.3 RC1 (single and multisite).

I used FF 8. The pasted image was interpreted as a data uri, but "data:" portion was not stripped when the post was saved.

Can you still reproduce this on 3.3?

#4 in reply to: ↑ 3 @solarissmoke
13 years ago

Replying to kurtpayne:

Can you still reproduce this on 3.3?

Yes. You need to test as a user without unfiltered HTML capability - i.e., not an administrator/editor.

#5 @kurtpayne
13 years ago

In my testing, I encountered an image string that was too large for the regex to handle. I was getting a PREG_BACKTRACK_LIMIT_ERROR from a 26K string. The php documentation states that the default value for pcre.backtrack_limit is 100000 (1 million), but the stock installs of php I've tested show it to be 100000 (one-hundred thousand). Raising the backtrack limit via ini_set() allow the code to work on the test string.

I was able to duplicate the original problem. After applying patch 19354.diff, I was able to embed an image as an unprivileged author that survived saving.

13 years ago

Adding ini_set for pcre backtrack limit

#6 @SergeyBiryukov
13 years ago

Related/duplicate: #19886

#7 @azizur
13 years ago

  • Cc azizur added

#8 @helenyhou
13 years ago

#19886 was closed as a dupe, as this ticket has patches, but it was assigned to the 3.4 milestone. May want to move this one if it's still a candidate, but I'll leave that to somebody else.

Last edited 13 years ago by helenyhou (previous) (diff)

#9 @SergeyBiryukov
11 years ago

  • Component changed from Editor to General
  • Milestone changed from Awaiting Review to 3.7

Related: #25147

#10 follow-up: @nacin
11 years ago

I'm not sure we can trust the contents of the data URI scheme. Anyone have any links/white papers arguing either way?

#11 in reply to: ↑ 10 @duck_
11 years ago

  • Milestone 3.7 deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Replying to nacin:

I'm not sure we can trust the contents of the data URI scheme. Anyone have any links/white papers arguing either way?

Nope, we cannot trust data URIs.

Backup evidence: "several pseudo-schemes exist specifically to enable scripting or URL-contained data rendering in the security context inherited from the caller" from

#12 @nacin
11 years ago

In 25301:

wp_allowed_protocols() should not contain 'data', as it is not safe. see #19354.

#13 @mrahmadawais
8 years ago

Looks like data was removed and now if you try and add bas64 image data URI data with WP REST API it gets ignored.

I had to add it through the filter.


 * Allow data protocol..
 * @since 1.1.0
if ( ! function_exists( 'aa_allow_data_protocol' ) ) {
        add_filter( 'kses_allowed_protocols' , 'aa_allow_data_protocol' );
         * aa_allow_data_protocol
         * @param  array $protocols
         * @return array
         * @since  1.1.0
        function aa_allow_data_protocol( $protocols ) {
                $protocols[] = 'data';
                return $protocols;

#14 @SergeyBiryukov
6 years ago

#46889 was marked as a duplicate.

#15 @SergeyBiryukov
6 months ago

#60243 was marked as a duplicate.

