Make WordPress Core

Opened 4 years ago

Closed 22 months ago

Last modified 2 months ago

#20421 closed enhancement (invalid)

Remove support for Netscape 4 from kses.php (because it's 2012)

Reported by: Ipstenu Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Security Keywords:
Focuses: Cc:


Futzing around, I ran into this in kses.php


Removes the HTML JavaScript entities found in early versions of Netscape 4.

Reading it, if that's really true and the only reason it's needed, I think we're pretty safe in removing it now.

Patch added.

Attachments (2)

20421.diff (1.0 KB) - added by Ipstenu 4 years ago.
Removing netscape 4 stuff
20421.2.diff (1.0 KB) - added by Ipstenu 22 months ago.
Refreshing patch because it's now 2014.

Download all attachments as: .zip

Change History (9)

4 years ago

Removing netscape 4 stuff

#1 @mbijon
4 years ago

  • Keywords has-patch dev-feedback added

I shouldn't, but...

+1 on pulling this without a deprecation step

#2 @mbijon
4 years ago

  • Cc mike@… added

22 months ago

Refreshing patch because it's now 2014.

#3 @Ipstenu
22 months ago

Refreshing patch because it's now 2014.

#4 @nacin
22 months ago

As this is there for security reasons, its age may not be enough to remove these. What do these HTML entities look like? Do any other browsers also recognize them? Is this still a concern in the security community?

Applying this patch specifically breaks one of our unit tests based on http://ha.ckers.org/xssAttacks.xml. (The first one, in fact.) Sounds like "invalid" to me.

#5 @Ipstenu
22 months ago

  • Resolution set to invalid
  • Status changed from new to closed

Well if it breaks that then yeah :)

#6 @bpetty
21 months ago

  • Component changed from General to Security
  • Keywords has-patch dev-feedback removed
  • Milestone Awaiting Review deleted

#7 @dmsnell
2 months ago

Recreated in #33848 because I did not find this ticket when I opened the new one.

@nacin: It has been difficult for me to find out definitely if this impacts any browser within the past ten years, but the initial answer appears to be that it does not.

The thing that I'm most uncertain of is how to verify that, but I believe that if we constructed a white hat XSS vulnerability and tested it across the varying platforms we could have a definitive answer.

Note: See TracTickets for help on using tickets.