#2130 closed defect (bug) (fixed)
wp_kses kills < !-- more --> from xmlrpc posted entries
Reported by: | tsimmons | Owned by: | ryan |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | major | Version: | 2.0 |
Component: | XML-RPC | Keywords: | bg|has-patch bg|commit |
Focuses: | Cc: |
Description
I couldn't find the exact point where it happens, but somewhere when XMLRPC posted entries are being processed, the
<!--more-->
tags are being stripped which gets rid of the "more..." link and instead displays the entire post on the indexes. I tracked it down to somewhere in the nested functions called in kses.php, somewhere after line 55:
return wp_kses_split($string, $allowed_html_fixed, $allowed_protocols);
Attachments (4)
Change History (20)
#2
@
19 years ago
I can't take credit for this, but how does the fix from http://mu.wordpress.org/forums/topic/450 sound? Add three lines to the function at line 101:
if (preg_match('%^<!--[^>-]+-->$%', $string)) return $string; # Allow HTML comments
#3
@
19 years ago
No, this expression will miss valid comments such as this:
<!--my-awesome-comment-->
#4
@
19 years ago
I have attached a new proposed fix, based on Owen's suggestion in wp-testers. It works for me !!
#7
@
19 years ago
Based on the patch above (untested), the following would pass right through.
<!--something--><script>malicious code</script><!--somethingelse-->
#8
@
19 years ago
Er, pretend that didn't get mangled
<!--something--><script>malicious code</script><!--somethingelse-->
#9
@
19 years ago
Can you fix this by adding a ? to the regex in the first replacement block? Like:
return preg_replace('%(<!--.*?-->)|(<'.# EITHER: <
#13
@
19 years ago
- Keywords bg|commit added; kses wp_kses xmlrpc more removed
- Resolution fixed deleted
- Status changed from closed to reopened
That last patch is broken: the first regex is missing a () so the eval never gets the right string.
perfect-comments.diff fixes that and more carefully filters the contents of the comment. Now, if a comment is left unclosed, it will be closed at the end of the string. Also, nested comments and uneven open/close markers are fixed. Comments are rock-solid.
Okay, after more digging, I found it is in wp_kses_split2() on line 101:
This always strips the <!--more--> tags. My regular expression skillz are way down right now (mighty tired after long night ...)
Sorry I can't offer a fix right off ...