Make WordPress Core

Opened 3 years ago

Closed 19 months ago

Last modified 19 months ago

#20421 closed enhancement (invalid)

Remove support for Netscape 4 from kses.php (because it's 2012)

Reported by: Ipstenu
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Security
Keywords:
Focuses:
Cc:


Futzing around, I ran into this in kses.php


Removes the HTML JavaScript entities found in early versions of Netscape 4.

Reading it, if that's really true and the only reason it's needed, I think we're pretty safe in removing it now.

Patch added.

Attachments (2)

20421.diff (1.0 KB) - added by Ipstenu 3 years ago.
Removing netscape 4 stuff
20421.2.diff (1.0 KB) - added by Ipstenu 19 months ago.
Refreshing patch because it's now 2014.


Change History (8)

@Ipstenu 3 years ago

Removing netscape 4 stuff

comment:1 @mbijon 3 years ago

  • Keywords has-patch dev-feedback added

I shouldn't, but...

+1 on pulling this without a deprecation step

comment:2 @mbijon 3 years ago

  • Cc mike@… added

@Ipstenu 19 months ago

Refreshing patch because it's now 2014.

comment:3 @Ipstenu 19 months ago

Refreshing patch because it's now 2014.

comment:4 @nacin 19 months ago

As this is there for security reasons, its age may not be enough to remove these. What do these HTML entities look like? Do any other browsers also recognize them? Is this still a concern in the security community?

Applying this patch specifically breaks one of our unit tests based on http://ha.ckers.org/xssAttacks.xml. (The first one, in fact.) Sounds like "invalid" to me.
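
Added example, not part of the ticket, its patch, or kses.php: a Netscape 4 JavaScript entity has the form `&{expression};` inside an attribute value, and the sketch below shows a filter for that form with the kind of regression cases that would catch its removal. The helper name `strip_js_entities()`, the pattern, and all sample strings are assumptions constructed for illustration.

```php
<?php
// Added illustration; strip_js_entities() is a hypothetical helper,
// not the function the ticket's patch removes.
function strip_js_entities(string $input): string
{
    // "&", optional whitespace, "{", anything up to "}", optional ";".
    // An unterminated "&{..." that runs to the end of input is removed too,
    // so a truncated entity cannot survive the filter.
    return preg_replace('/&\s*\{[^}]*(\}\s*;?|$)/', '', $input);
}

// Constructed samples: input => expected output after filtering.
$cases = [
    '<br size="&{expr};">' => '<br size="">',          // full entity
    '<br size="&{expr}">'  => '<br size="">',          // no trailing ";"
    'a=& {expr} ;b'        => 'a=b',                   // whitespace variants
    'trailing=&{}'         => 'trailing=',             // empty expression
    'unterminated &{expr'  => 'unterminated ',         // never closed
    'Tom &amp; Jerry {ok}' => 'Tom &amp; Jerry {ok}',  // ordinary text untouched
];

$failures = 0;
foreach ($cases as $in => $want) {
    $got = strip_js_entities($in);
    if ($got !== $want) {
        $failures++;
        printf("FAIL %s => %s (wanted %s)\n", $in, $got, $want);
    }
}
echo $failures === 0 ? "all cases pass\n" : "$failures case(s) failed\n";
```

Replacing the body of the helper with `return $input;` makes the first five cases fail, which is the kind of regression signal the unit test mentioned in comment:4 provides.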

comment:5 @Ipstenu 19 months ago

  • Resolution set to invalid
  • Status changed from new to closed

Well if it breaks that then yeah :)

comment:6 @bpetty 19 months ago

  • Component changed from General to Security
  • Keywords has-patch dev-feedback removed
  • Milestone Awaiting Review deleted