Make WordPress Core

Opened 15 years ago

Closed 15 years ago

Last modified 14 years ago

#2241 closed defect (bug) (duplicate)

<a>, <ul>, <div> items are stripped when posting via XML-RPC

Reported by: bytescout
Owned by:
Milestone:
Priority: highest omg bbq
Severity: blocker
Version: 2.0
Component: XML-RPC
Keywords: bg|reporter-feedback
Focuses:
Cc:


If you post a link with a target attribute via the XML-RPC interface, this attribute is removed by WP in the posted content. But if you edit the post via the web editor, the attribute is not removed.

For example, we post via XML-RPC:
<a href="http://cnn.com" target="_blank"/>

Final post content if you edit the added post via the web editor:
<a href="http://cnn.com"/>

Change History (8)

#1 @WCityMike
15 years ago

  • Component changed from Administration to XML-RPC
  • Priority changed from normal to highest
  • Severity changed from normal to critical
  • Summary changed from <a> link attributes are changed when posting via XML-RPC to <a>, <ul>, <div> items are stripped when posting via XML-RPC

This does not just apply to <a>. If you post anything that involves additional tags through XML-RPC, it strips the tags, i.e., [ul class="class"] becomes [ul], [div class="fake"] becomes [div], and so on.

#2 @WCityMike
15 years ago

A quick clarification: this is definitely a problem with the code. I have reproduced this after disabling all my plugins, and it is not related to the theme -- this shows up in the actual entry brought up through the admin interface, not via a 'view source' on the page.

#3 @davidhouse
15 years ago

  • Severity changed from critical to blocker

This should be a blocker, we shouldn't release 2.0.1 until major problems with XMLRPC are fixed.

#4 @fncll
15 years ago

It looks to me like the fix for this is in kses.php, which defines which attributes are legal. When posting <a href="http://www.google.com/" title="google" target="blank"> using XML-RPC, it becomes <a href="http://www.google.com/" title="google">. This is because in kses.php, line 21, $allowedposttags is set to:

'a' => array ('href' => array (), 'title' => array (), 'rel' => array (), 'rev' => array (), 'name' => array ())

This is the same issue as Ticket 2130. I'm not sure where else this is used (I'm new to the WP code) so don't know what effects just adding 'target' => array () to the definition would have or if it needs further refinement.

#5 @davidhouse
15 years ago

  • Keywords bg|reporter-feedback added

Which XMLRPC tool are you using?

#6 @davidhouse
15 years ago

Which XMLRPC tool are you using?

#7 @skeltoac
15 years ago

  • Resolution set to duplicate
  • Status changed from new to closed

This is caused by a bug in xmlrpc.php, which doesn't authenticate the user until after the init hook calls kses_init. This causes KSES filters to be added regardless of the author's unfiltered_html cap. I'm working on the patch now on #2273, same issue.

The fix is NOT to modify the allowedposttags array in kses.php. You may do this using the plugin API.

If you want authors and contributors to be able to post with those attributes, use a plugin or submit a ticket.
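
A simplified model of the ordering problem described in comment #7, added here as an illustration; it is not WordPress code and not part of the ticket. All function names and the sample accounts are hypothetical, and the attribute allow-list and sample link are the ones quoted in comment #4.

```php
<?php
// Hypothetical model: the filter decision is made once, from whoever the
// "current user" is at that moment, and is never revisited afterwards.

// Allow-list for <a> attributes, as quoted in comment #4.
const ALLOWED_A_ATTRS = ['href', 'title', 'rel', 'rev', 'name'];

// Rebuild each <a> tag keeping only allow-listed attributes.
function strip_disallowed_attrs(string $html): string {
    return preg_replace_callback('/<a\b([^>]*)>/i', function ($tag) {
        preg_match_all('/([a-z-]+)="([^"]*)"/i', $tag[1], $attrs, PREG_SET_ORDER);
        $kept = '';
        foreach ($attrs as $a) {
            if (in_array(strtolower($a[1]), ALLOWED_A_ATTRS, true)) {
                $kept .= sprintf(' %s="%s"', $a[1], $a[2]);
            }
        }
        return '<a' . $kept . '>';
    }, $html);
}

// Models the init-time step: no filters only for a known user who holds
// the unfiltered_html capability; anonymous requests are always filtered.
function choose_filters(?array $user): array {
    $trusted = $user !== null && in_array('unfiltered_html', $user['caps'], true);
    return $trusted ? [] : ['strip_disallowed_attrs'];
}

// $auth_first = false models the reported order (decide, then log in);
// $auth_first = true models a flow where the decision sees the real user.
function handle_post(array $account, string $content, bool $auth_first): string {
    $current_user = $auth_first ? $account : null; // null = still anonymous
    $filters = choose_filters($current_user);      // decision is fixed here
    $current_user = $account;                      // login now; too late to matter
    foreach ($filters as $filter) {
        $content = $filter($content);
    }
    return $content;
}

// Constructed sample accounts; the link is the one from comment #4.
$editor = ['login' => 'editor', 'caps' => ['unfiltered_html']];
$author = ['login' => 'author', 'caps' => []];
$link   = '<a href="http://www.google.com/" title="google" target="blank">';

echo handle_post($editor, $link, false), "\n"; // reported order, trusted user
echo handle_post($editor, $link, true), "\n";  // decision sees the trusted user
echo handle_post($author, $link, true), "\n";  // user without unfiltered_html
```

The first and third calls show the same filtered output for different reasons: in the first the capability was never consulted, in the third it was consulted and absent.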

#8 @(none)
14 years ago

  • Milestone 2.0.1 deleted

