#20421 closed enhancement (invalid)
Remove support for Netscape 4 from kses.php (because it's 2012)
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Priority: | normal | |
| Severity: | normal | Version: | |
| Component: | Security | Keywords: | |
| Focuses: | Cc: |
Description
Futzing around, I ran into this in kses.php
http://core.trac.wordpress.org/browser/tags/3.3.1/wp-includes/kses.php#L995
Removes the HTML JavaScript entities found in early versions of Netscape 4.
Reading it, if that's really true and the only reason it's needed, I think we're pretty safe in removing it now.
Patch added.
Attachments (2)
Change History (9)
#1
@
12 years ago
- Keywords has-patch dev-feedback added
I shouldn't, but...
+1 on pulling this without a deprecation step
#4
@
10 years ago
As this is there for security reasons, its age may not be enough to remove these. What do these HTML entities look like? Do any other browsers also recognize them? Is this still a concern in the security community?
Applying this patch specifically breaks one of our unit tests based on http://ha.ckers.org/xssAttacks.xml. (The first one, in fact.) Sounds like "invalid" to me.
#5
@
10 years ago
- Resolution set to invalid
- Status changed from new to closed
Well if it breaks that then yeah :)
#6
@
10 years ago
- Component changed from General to Security
- Keywords has-patch dev-feedback removed
- Milestone Awaiting Review deleted
#7
@
8 years ago
Recreated in #33848 because I did not find this ticket when I opened the new one.
@nacin: It has been difficult for me to find out definitely if this impacts any browser within the past ten years, but the initial answer appears to be that it does not.
The thing that I'm most uncertain of is how to verify that, but I believe that if we constructed a white hat XSS vulnerability and tested it across the varying platforms we could have a definitive answer.
Removing netscape 4 stuff