Make WordPress Core

Opened 13 years ago

Closed 11 years ago

Last modified 2 years ago

#19877 closed defect (bug) (wontfix)

wp_kses_stripslashes() should account for single quotes too

Reported by: ethitter
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.3.1
Component: Formatting
Keywords: has-patch close
Focuses:
Cc:

Description

Right now, wp_kses_stripslashes() only removes slashes before double quotes, but should do the same for single quotes.

For example, if wp_kses() is applied to the following string (assuming <script> tags are permitted), the <script> tag's attributes are removed:

<script type='text/javascript' src='foo.js'></script>

If the single quotes are switched to double quotes, the attributes are properly sanitized against the list of allowed tags passed to wp_kses(). Updating wp_kses_stripslashes() to account for both types of quotes eliminates the need to strip slashes before applying wp_kses().

Attachments (2)

19877.patch (893 bytes) - added by ethitter 13 years ago.
19877.2.diff (929 bytes) - added by MikeHansenMe 12 years ago.
Updated patch path relative from wp folder


Change History (6)

@ethitter
13 years ago

#1 follow-up: @duck_
13 years ago

  • Keywords close added

wp_kses_stripslashes is a legacy function that had to be used to deal with addslashes() run when using preg_replace() and the eval modifier. The double quotes remained slashed because the backreference in the PHP string to be evaluated was in single quotes, so a custom slash removal function was used to remove slashes from in front of double quotes.

I would prefer to actually remove the call as it's no longer necessary. If you're passing slashed data to kses it should be stripped first -- which is why we do stripslashes in wp_filter_kses(). Unfortunately removing the call would cause breakage for those passing in slashed data containing double quoted attributes as this happens to work at the moment.
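
An added example (not code from the ticket, its patches, or WordPress core) of the behaviour discussed above: a double-quote-only unslash leaves slashed single-quoted attributes unparseable, while running stripslashes() first handles both quote styles. `legacy_kses_stripslashes()` and `parse_quoted_attributes()` are hypothetical stand-ins written for this illustration; the matcher is deliberately simplified and is not WordPress's attribute parser.

```php
<?php
// Added example: standalone PHP, no WordPress required.

// Hypothetical stand-in for the behaviour the ticket describes:
// only a backslash directly in front of a double quote is removed.
function legacy_kses_stripslashes( string $html ): string {
    return preg_replace( '%\\\\"%', '"', $html );
}

// Hypothetical, simplified attribute matcher (NOT WordPress's parser):
// recognises only name="value" or name='value' pairs in the first tag.
function parse_quoted_attributes( string $html ): array {
    $attrs = array();
    if ( ! preg_match( '/^<\w+\s+([^>]*)>/', $html, $tag ) ) {
        return $attrs;
    }
    preg_match_all(
        '/([\w-]+)=(["\'])(.*?)\2(?=\s|$)/',
        $tag[1],
        $pairs,
        PREG_SET_ORDER
    );
    foreach ( $pairs as $pair ) {
        $attrs[ $pair[1] ] = $pair[3];
    }
    return $attrs;
}

// Constructed sample input: the ticket's markup in both quote styles,
// slashed with addslashes() to model "slashed data" passed to kses.
$samples = array(
    'single' => addslashes( "<script type='text/javascript' src='foo.js'></script>" ),
    'double' => addslashes( '<script type="text/javascript" src="foo.js"></script>' ),
);

foreach ( $samples as $label => $slashed ) {
    $legacy = parse_quoted_attributes( legacy_kses_stripslashes( $slashed ) );
    $full   = parse_quoted_attributes( stripslashes( $slashed ) );

    printf( "%s quotes, slashed input: %s\n", $label, $slashed );
    printf( "  double-quote-only unslash: %d attribute(s) recognised\n", count( $legacy ) );
    printf( "  stripslashes() first:      %d attribute(s) recognised\n", count( $full ) );
}
```

In WordPress itself the equivalent of the second path is to unslash the data before the call, as in `wp_kses( stripslashes( $data ), $allowed_html )`, so the allowed-attribute list is applied to clean markup.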

#2 @nacin
12 years ago

  • Component changed from Validation to Formatting

@MikeHansenMe
12 years ago

Updated patch path relative from wp folder

#3 @MikeHansenMe
12 years ago

  • Cc mdhansen@… added

Patch works for me, updated it to use relative path in patch.

#4 in reply to: ↑ 1 @nacin
11 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Replying to duck_:

> wp_kses_stripslashes is a legacy function that had to be used to deal with addslashes() run when using preg_replace() and the eval modifier. The double quotes remained slashed because the backreference in the PHP string to be evaluated was in single quotes, so a custom slash removal function was used to remove slashes from in front of double quotes.
>
> I would prefer to actually remove the call as it's no longer necessary. If you're passing slashed data to kses it should be stripped first -- which is why we do stripslashes in wp_filter_kses(). Unfortunately removing the call would cause breakage for those passing in slashed data containing double quoted attributes as this happens to work at the moment.

Seems like closing this (after two years) is in order.
