#19877 closed defect (bug) (wontfix)
wp_kses_stripslashes() should account for single quotes too
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 3.3.1 |
| Component: | Formatting | Keywords: | has-patch close |
| Focuses: | | Cc: | |
Description
Right now, wp_kses_stripslashes() only removes slashes before double quotes, but should do the same for single quotes.
For example, if wp_kses() is applied to the following string (assuming <script> tags are permitted), the <script> tag's attributes are removed:
<script type='text/javascript' src='foo.js'></script>
If the single quotes are switched to double quotes, the attributes are properly sanitized against the list of allowed tags passed to wp_kses(). Updating wp_kses_stripslashes() to account for both types of quotes eliminates the need to strip slashes before applying wp_kses().
Attachments (2)
Change History (6)
#4 in reply to: ↑ 1 @ 11 years ago
- Milestone Awaiting Review deleted
- Resolution set to wontfix
- Status changed from new to closed
Replying to duck_:
> wp_kses_stripslashes is a legacy function that had to be used to deal with addslashes() run when using preg_replace() and the eval modifier. The double quotes remained slashed because the backreference in the PHP string to be evaluated was in single quotes, so a custom slash removal function was used to remove slashes from in front of double quotes.
>
> I would prefer to actually remove the call as it's no longer necessary. If you're passing slashed data to kses it should be stripped first -- which is why we do stripslashes in wp_filter_kses(). Unfortunately removing the call would cause breakage for those passing in slashed data containing double quoted attributes as this happens to work at the moment.
Seems like closing this (after two years) is in order.
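A stand-alone model of the behaviour discussed in this ticket, added here as an example and not taken from WordPress core or the ticket's attachments. `demo_kses_stripslashes()` and `demo_parse_attrs()` are hypothetical names, and the parser is a simplified stand-in for kses attribute parsing; the inputs are constructed from the ticket's sample tag.

```php
<?php
// Added example: stand-alone model, not WordPress core code.

// Models the behaviour the ticket describes: only slashes that sit
// directly before a double quote are removed.
function demo_kses_stripslashes( $string ) {
	return preg_replace( '%\\\\"%', '"', $string );
}

// Hypothetical, simplified attribute parser. It accepts name="value" or
// name='value' and stops at the first token it cannot parse, so a
// malformed attribute list yields no attributes from that point on.
function demo_parse_attrs( $attr_string ) {
	$attrs = array();
	$rest  = trim( $attr_string );
	while ( '' !== $rest ) {
		if ( ! preg_match( '/^([a-z-]+)=("[^"]*"|\'[^\']*\')\s*/i', $rest, $m ) ) {
			break; // e.g. type=\'text/javascript\' : the backslash is not a quote
		}
		$attrs[ strtolower( $m[1] ) ] = substr( $m[2], 1, -1 );
		$rest = (string) substr( $rest, strlen( $m[0] ) );
	}
	return $attrs;
}

// Constructed inputs: the ticket's attributes as they look after addslashes().
$slashed_double = addslashes( 'type="text/javascript" src="foo.js"' );
$slashed_single = addslashes( "type='text/javascript' src='foo.js'" );

$cases = array(
	// Slashes before double quotes are removed, so both attributes parse.
	'double, kses_stripslashes only' => demo_kses_stripslashes( $slashed_double ),
	// Slashes before single quotes remain, so no attribute parses.
	'single, kses_stripslashes only' => demo_kses_stripslashes( $slashed_single ),
	// Unslashing before filtering handles either quote style.
	'single, stripslashes() first'   => demo_kses_stripslashes( stripslashes( $slashed_single ) ),
);

foreach ( $cases as $label => $attr_string ) {
	$parsed = demo_parse_attrs( $attr_string );
	printf( "%-32s %s\n", $label, json_encode( $parsed, JSON_UNESCAPED_SLASHES ) );
}
```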