Make WordPress Core

Opened 8 years ago

Closed 8 years ago

Last modified 7 years ago

#2241 closed defect (bug) (duplicate)

<a>, <ul>, <div> items are stripped when posting via XML-RPC

Reported by: bytescout Owned by:
Milestone: Priority: highest omg bbq
Severity: blocker Version: 2.0
Component: XML-RPC Keywords: bg|reporter-feedback
Focuses: Cc:


If you post link via XML-RPC interface with target attribute then this attribute is removed by WP in the posted content. But if you edit post via web editor then attribute is not removed.

For example we post via XML-RPC:
<a href="http://cnn.com" target="_blank"/>

Final post content if you edit added post via web editor:
<a href="http://cnn.com"/>

Change History (8)

comment:1 WCityMike8 years ago

  • Component changed from Administration to XML-RPC
  • Priority changed from normal to highest
  • Severity changed from normal to critical
  • Summary changed from <a> link attributes are changed when posting via XML-RPC to <a>, <ul>, <div> items are stripped when posting via XML-RPC

This does not just apply to <a>. If you post anything that involves additional tags through XML-RPC, it strips the tags, i.e., [ul class="class"] becomes [ul], [div class="fake"] becomes [div], and so on.

comment:2 WCityMike8 years ago

A quick clarification: this is definitely a problem with the code. I have reproduced this after disabling all my plugins, and it is not related to theme -- this shows up in the actual entry brought up through the admin interface, not via a 'view source' on the page.

comment:3 davidhouse8 years ago

  • Severity changed from critical to blocker

This should be a blocker, we shouldn't release 2.0.1 until major problems with XMLRPC are fixed.

comment:4 fncll8 years ago

It looks to me like the fix for this is in kses.php, which defines what attribute are legal. When posting <a href="http://www.google.com/" title="google" target="blank"> using XML-RPC, it becomes <a href="http://www.google.com/" title="google">. This is because in kses.php, line 21 $allowedposttags is set to:

'a' => array ('href' => array (), 'title' => array (), 'rel' => array (), 'rev' => array (), 'name' => array ())

This is the same issue as Ticket 2130. I'm not sure where else this is used (I'm new to the WP code) so don't know what effects just adding 'target' => array () to the definition would have or if it needs further refinement.

comment:5 davidhouse8 years ago

  • Keywords bg|reporter-feedback added

Which XMLRPC tool are you using?

comment:6 davidhouse8 years ago

Which XMLRPC tool are you using?

comment:7 skeltoac8 years ago

  • Resolution set to duplicate
  • Status changed from new to closed

This is caused by a bug in xmlrpc.php, which doesn't authenticate the user until after the init hook calls kses_init. This causes KSES filters to be added regardless of the author's unfiltered_html cap. I'm working on the patch now on #2273, same issue.

The fix is NOT to modify the allowedposttags array in kses.php. You may do this using the plugin API.

If you want authors and contributors to be able to post with those attributes, use a plugin or submit a ticket.

comment:8 anonymous7 years ago

  • Milestone 2.0.1 deleted

Milestone 2.0.1 deleted

Note: See TracTickets for help on using tickets.