Opened 2 years ago

Closed 3 months ago

#19877 closed defect (bug) (wontfix)

wp_kses_stripslashes() should account for single quotes too

Reported by: ethitter
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.3.1
Component: Formatting
Keywords: has-patch close
Focuses:
Cc:

Description

Right now, wp_kses_stripslashes() only removes slashes before double quotes, but should do the same for single quotes.

For example, if wp_kses() is applied to the following string (assuming <script> tags are permitted), the <script> tag's attributes are removed:

<script type='text/javascript' src='foo.js'></script>

If the single quotes are switched to double quotes, the attributes are properly sanitized against the list of allowed tags passed to wp_kses(). Updating wp_kses_stripslashes() to account for both types of quotes eliminates the need to strip slashes before applying wp_kses().

Attachments (2)

19877.patch (893 bytes) - added by ethitter 2 years ago.
19877.2.diff (929 bytes) - added by MikeHansenMe 18 months ago.
Updated patch path relative from wp folder

Change History (6)

ethitter 2 years ago

comment:1 follow-up: duck_ 2 years ago

  • Keywords close added

wp_kses_stripslashes is a legacy function that had to be used to deal with addslashes() run when using preg_replace() and the eval modifier. The double quotes remained slashed because the backreference in the PHP string to be evaluated was in single quotes, so a custom slash removal function was used to remove slashes from in front of double quotes.

I would prefer to actually remove the call as it's no longer necessary. If you're passing slashed data to kses it should be stripped first -- which is why we do stripslashes in wp_filter_kses(). Unfortunately removing the call would cause breakage for those passing in slashed data containing double quoted attributes as this happens to work at the moment.

comment:2 nacin 19 months ago

  • Component changed from Validation to Formatting

MikeHansenMe 18 months ago

Updated patch path relative from wp folder

comment:3 MikeHansenMe 18 months ago

  • Cc mdhansen@… added

Patch works for me, updated it to use relative path in patch.

comment:4 in reply to: ↑ 1 nacin 3 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Replying to duck_:

wp_kses_stripslashes is a legacy function that had to be used to deal with addslashes() run when using preg_replace() and the eval modifier. The double quotes remained slashed because the backreference in the PHP string to be evaluated was in single quotes, so a custom slash removal function was used to remove slashes from in front of double quotes.

I would prefer to actually remove the call as it's no longer necessary. If you're passing slashed data to kses it should be stripped first -- which is why we do stripslashes in wp_filter_kses(). Unfortunately removing the call would cause breakage for those passing in slashed data containing double quoted attributes as this happens to work at the moment.

Seems like closing this (after two years) is in order.
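
The behaviour discussed in this ticket, as an added PHP example that is not part of the ticket or of WordPress core. `demo_strip_double_quote_slashes()` and `demo_parse_attributes()` are hypothetical stand-ins (a double-quote-only slash remover as the description states, and a simplified attribute matcher assumed for illustration); the three cases compare slashed double quotes, slashed single quotes, and slashed single quotes passed through `stripslashes()` first as comment:1 recommends.

```php
<?php
// Added illustration; not WordPress core code. All demo_* names are hypothetical.

// Stand-in for the behaviour the description states: only \" is unslashed.
function demo_strip_double_quote_slashes( string $s ): string {
    return preg_replace( '%\\\\"%', '"', $s );
}

// Simplified attribute matcher (assumption): recognises name="v" or name='v' only.
function demo_parse_attributes( string $attr_text ): array {
    $pattern = '/([a-z-]+)=("[^"]*"|\'[^\']*\')/i';
    preg_match_all( $pattern, $attr_text, $matches, PREG_SET_ORDER );
    $attrs = [];
    foreach ( $matches as $m ) {
        $attrs[ strtolower( $m[1] ) ] = substr( $m[2], 1, -1 ); // drop the quotes
    }
    return $attrs;
}

// Constructed sample input: the attributes of the <script> tag from the description.
$single = "type='text/javascript' src='foo.js'";
$double = 'type="text/javascript" src="foo.js"';

$cases = [
    // Slashed double quotes: the legacy strip restores them, attributes parse.
    'slashed double, legacy strip only' =>
        demo_strip_double_quote_slashes( addslashes( $double ) ),
    // Slashed single quotes: the \' sequences survive, so no attribute is recognised.
    'slashed single, legacy strip only' =>
        demo_strip_double_quote_slashes( addslashes( $single ) ),
    // Caller unslashes before sanitising: single quotes parse as well.
    'slashed single, stripslashes() first' =>
        demo_strip_double_quote_slashes( stripslashes( addslashes( $single ) ) ),
];

foreach ( $cases as $label => $attr_text ) {
    $parsed = demo_parse_attributes( $attr_text );
    printf( "%-38s %s => %s\n", $label, $attr_text, json_encode( $parsed ) );
}
```

Only the second case yields no attributes, which corresponds to the attribute loss reported in the description.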
