Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#29998 closed defect (bug) (invalid)

kses.php fails to sanitize Outlook HTML content correctly

Reported by: hmoore71
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.0
Component: Formatting
Keywords: reporter-feedback
Focuses:
Cc:

Description (last modified by SergeyBiryukov)

WordPress 4.0: attempt to post the contents of an email from Outlook with embedded image(s). The post will have artifacts showing from the MS HTML that is tossed into Outlook's email.

If I comment out //add_filter('content_save_pre', 'wp_filter_post_kses'); in kses.php, everything is fine.

If I do the wp_insert_post in admin, I suspect kses.php is not loaded, as the issue does not occur.

MS HTML has a lot of conditional HTML which is throwing kses.php off.
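As an added example (not code from this ticket or from WordPress core), here is the approach that keeps the content_save_pre -> wp_filter_post_kses filter in place and instead removes Outlook's conditional markup before the email body reaches wp_insert_post(). The function name hm_strip_outlook_markup() and the sample email body are hypothetical/constructed.

```php
<?php
// Added example: pre-clean Outlook/Word HTML in a mail-processing plugin that
// calls wp_insert_post() outside wp-admin. The kses filter is left enabled; it
// still runs afterwards when the current user lacks the unfiltered_html
// capability (which is the usual case for a cron or mail-pipe context with no
// logged-in user).

function hm_strip_outlook_markup( $html ) {
    // Downlevel-hidden conditional comments, e.g.
    // <!--[if gte mso 9]><xml>...</xml><![endif]-->
    $html = preg_replace( '/<!--\[if[^\]]*\]>.*?<!\[endif\]-->/is', '', $html );

    // Downlevel-revealed markers, e.g. <![if !supportLists]> ... <![endif]>
    // (only the markers are dropped; the content between them is kept).
    $html = preg_replace( '/<!\[(?:if[^\]]*|endif)\]>/i', '', $html );

    // Office namespace elements such as <o:p></o:p>, <v:shape>, <w:WordDocument>.
    $html = preg_replace( '/<\/?[ovw]:[^>]*>/i', '', $html );

    return $html;
}

// Constructed sample of what Outlook puts in a message body.
$body = '<p class="MsoNormal">Hello<o:p></o:p></p>'
      . '<!--[if gte mso 9]><xml><w:WordDocument/></xml><![endif]-->'
      . '<![if !supportLists]><span>1.</span><![endif]> First item';

// wp_insert_post() expects slashed data, hence wp_slash().
$post_id = wp_insert_post( array(
    'post_title'   => 'Imported mail',
    'post_content' => wp_slash( hm_strip_outlook_markup( $body ) ),
    'post_status'  => 'draft',
) );
```

After the cleanup, kses receives plain `<p>` and `<span>` markup and no longer has to guess at the conditional comments the ticket describes.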

Change History (7)

#1 @nacin
7 years ago

kses is about filtering for security purposes, not for cleaning it up. If you use something like the "Paste from Word" TinyMCE button, you should be in much better shape.

Also, editors and administrators have the ability to post HTML unfiltered. If commenting out this line helps you (note: major security concerns!) then it means that unfiltered HTML is fine.

If we're actually breaking the HTML somehow, could you screenshot/upload/post an example?

#2 @DrewAPicture
7 years ago

  • Component changed from General to Formatting

#3 @miqrogroove
7 years ago

  • Keywords reporter-feedback added

#4 @SergeyBiryukov
7 years ago

  • Description modified (diff)

#5 @miqrogroove
7 years ago

  • Resolution set to invalid
  • Status changed from new to closed

Ticket was vague/abandoned.

#6 @SergeyBiryukov
7 years ago

  • Milestone Awaiting Review deleted

#7 @hmoore71
7 years ago

The issue arose developing an email processing plugin where HTML emails were being posted outside of admin, and kses was leaving artifacts in its attempt to clean the post.

I've since abandoned the plugin development but still believe that kses has some issue with HTML email content.
