Make WordPress Core

Opened 12 years ago

Closed 10 years ago

Last modified 8 years ago

#20421 closed enhancement (invalid)

Remove support for Netscape 4 from kses.php (because it's 2012)

Reported by: ipstenu's profile Ipstenu Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Security Keywords:
Focuses: Cc:


Futzing around, I ran into this in kses.php

Removes the HTML JavaScript entities found in early versions of Netscape 4.

Reading it, if that's really true and the only reason it's needed, I think we're pretty safe in removing it now.

Patch added.

Attachments (2)

20421.diff (1.0 KB) - added by Ipstenu 12 years ago.
Removing netscape 4 stuff
20421.2.diff (1.0 KB) - added by Ipstenu 10 years ago.
Refreshing patch because it's now 2014.

Download all attachments as: .zip

Change History (9)

12 years ago

Removing netscape 4 stuff

#1 @mbijon
12 years ago

  • Keywords has-patch dev-feedback added

I shouldn't, but...

+1 on pulling this without a deprecation step

#2 @mbijon
12 years ago

  • Cc mike@… added

10 years ago

Refreshing patch because it's now 2014.

#3 @Ipstenu
10 years ago

Refreshing patch because it's now 2014.

#4 @nacin
10 years ago

As this is there for security reasons, its age may not be enough to remove these. What do these HTML entities look like? Do any other browsers also recognize them? Is this still a concern in the security community?

Applying this patch specifically breaks one of our unit tests based on (The first one, in fact.) Sounds like "invalid" to me.

#5 @Ipstenu
10 years ago

  • Resolution set to invalid
  • Status changed from new to closed

Well if it breaks that then yeah :)

#6 @bpetty
10 years ago

  • Component changed from General to Security
  • Keywords has-patch dev-feedback removed
  • Milestone Awaiting Review deleted

#7 @dmsnell
8 years ago

Recreated in #33848 because I did not find this ticket when I opened the new one.

@nacin: It has been difficult for me to find out definitely if this impacts any browser within the past ten years, but the initial answer appears to be that it does not.

The thing that I'm most uncertain of is how to verify that, but I believe that if we constructed a white hat XSS vulnerability and tested it across the varying platforms we could have a definitive answer.

Note: See TracTickets for help on using tickets.