#2241 closed defect (bug) (duplicate)
<a>, <ul>, <div> items are stripped when posting via XML-RPC
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Priority: | highest omg bbq | |
| Severity: | blocker | Version: | 2.0 |
| Component: | XML-RPC | Keywords: | bg|reporter-feedback |
| Focuses: | Cc: |
Description
If you post link via XML-RPC interface with target attribute then this attribute is removed by WP in the posted content. But if you edit post via web editor then attribute is not removed.
For example we post via XML-RPC:
<a href="http://cnn.com" target="_blank"/>
Final post content if you edit added post via web editor:
<a href="http://cnn.com"/>
Change History (8)
#1
@
20 years ago
- Component changed from Administration to XML-RPC
- Priority changed from normal to highest
- Severity changed from normal to critical
- Summary changed from <a> link attributes are changed when posting via XML-RPC to <a>, <ul>, <div> items are stripped when posting via XML-RPC
#2
@
20 years ago
A quick clarification: this is definitely a problem with the code. I have reproduced this after disabling all my plugins, and it is not related to theme -- this shows up in the actual entry brought up through the admin interface, not via a 'view source' on the page.
#3
@
20 years ago
- Severity changed from critical to blocker
This should be a blocker, we shouldn't release 2.0.1 until major problems with XMLRPC are fixed.
#4
@
20 years ago
It looks to me like the fix for this is in kses.php, which defines what attribute are legal. When posting <a href="http://www.google.com/" title="google" target="blank"> using XML-RPC, it becomes <a href="http://www.google.com/" title="google">. This is because in kses.php, line 21 $allowedposttags is set to:
'a' => array ('href' => array (), 'title' => array (), 'rel' => array (), 'rev' => array (), 'name' => array ())
This is the same issue as Ticket 2130. I'm not sure where else this is used (I'm new to the WP code) so don't know what effects just adding 'target' => array () to the definition would have or if it needs further refinement.
#7
@
20 years ago
- Resolution set to duplicate
- Status changed from new to closed
This is caused by a bug in xmlrpc.php, which doesn't authenticate the user until after the init hook calls kses_init. This causes KSES filters to be added regardless of the author's unfiltered_html cap. I'm working on the patch now on #2273, same issue.
The fix is NOT to modify the allowedposttags array in kses.php. You may do this using the plugin API.
If you want authors and contributors to be able to post with those attributes, use a plugin or submit a ticket.
This does not just apply to <a>. If you post anything that involves additional tags through XML-RPC, it strips the tags, i.e., [ul class="class"] becomes [ul], [div class="fake"] becomes [div], and so on.