WordPress.org

Make WordPress Core

Opened 4 years ago

Closed 2 years ago

Last modified 10 months ago

#20421 closed enhancement (invalid)

Remove support for Netscape 4 from kses.php (because it's 2012)

Reported by: Ipstenu Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Security Keywords:
Focuses: Cc:

Description

Futzing around, I ran into this in kses.php

http://core.trac.wordpress.org/browser/tags/3.3.1/wp-includes/kses.php#L995

Removes the HTML JavaScript entities found in early versions of Netscape 4.

Reading it, if that's really true and the only reason it's needed, I think we're pretty safe in removing it now.

Patch added.

Attachments (2)

20421.diff (1.0 KB) - added by Ipstenu 4 years ago.
Removing netscape 4 stuff
20421.2.diff (1.0 KB) - added by Ipstenu 2 years ago.
Refreshing patch because it's now 2014.

Download all attachments as: .zip

Change History (9)

@Ipstenu
4 years ago

Removing netscape 4 stuff

#1 @mbijon
4 years ago

  • Keywords has-patch dev-feedback added

I shouldn't, but...

+1 on pulling this without a deprecation step

#2 @mbijon
4 years ago

  • Cc mike@… added

@Ipstenu
2 years ago

Refreshing patch because it's now 2014.

#3 @Ipstenu
2 years ago

Refreshing patch because it's now 2014.

#4 @nacin
2 years ago

As this is there for security reasons, its age may not be enough to remove these. What do these HTML entities look like? Do any other browsers also recognize them? Is this still a concern in the security community?

Applying this patch specifically breaks one of our unit tests based on http://ha.ckers.org/xssAttacks.xml. (The first one, in fact.) Sounds like "invalid" to me.

#5 @Ipstenu
2 years ago

  • Resolution set to invalid
  • Status changed from new to closed

Well if it breaks that then yeah :)

#6 @bpetty
2 years ago

  • Component changed from General to Security
  • Keywords has-patch dev-feedback removed
  • Milestone Awaiting Review deleted

#7 @dmsnell
10 months ago

Recreated in #33848 because I did not find this ticket when I opened the new one.

@nacin: It has been difficult for me to find out definitely if this impacts any browser within the past ten years, but the initial answer appears to be that it does not.

The thing that I'm most uncertain of is how to verify that, but I believe that if we constructed a white hat XSS vulnerability and tested it across the varying platforms we could have a definitive answer.

Note: See TracTickets for help on using tickets.