Make WordPress Core

Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#29998 closed defect (bug) (invalid)

kses.php fails to sanitize Outlook HTML content correctly

Reported by: hmoore71
Owned by: (none)
Milestone: (none)
Priority: normal
Severity: normal
Version: 4.0
Component: Formatting
Keywords: reporter-feedback
Focuses: (none)
Cc: (none)

Description (last modified by SergeyBiryukov)

WordPress 4.0
Attempt to post the contents of an email from Outlook with embedded image(s). The post will have artifacts showing from the MS HTML that is tossed into Outlook's email.

If I comment out //add_filter('content_save_pre', 'wp_filter_post_kses'); in kses.php, everything is fine.

If I do the wp_insert_post in admin, I suspect kses.php is not loaded, as the issue does not occur.

MS HTML has a lot of conditional HTML which is throwing kses.php off.

Change History (7)

#1 @nacin
10 years ago

kses is about filtering for security purposes, not for cleaning it up. If you use something like the "Paste from Word" TinyMCE button, you should be in much better shape.

Also, editors and administrators have the ability to post HTML unfiltered. If commenting out this line helps you (note: major security concerns!) then it means that unfiltered HTML is fine.

If we're actually breaking the HTML somehow, could you screenshot/upload/post an example?

#2 @DrewAPicture
10 years ago

  • Component changed from General to Formatting

#3 @miqrogroove
10 years ago

  • Keywords reporter-feedback added

#4 @SergeyBiryukov
10 years ago

  • Description modified (diff)

#5 @miqrogroove
10 years ago

  • Resolution set to invalid
  • Status changed from new to closed

Ticket was vague/abandoned.

#6 @SergeyBiryukov
10 years ago

  • Milestone Awaiting Review deleted

#7 @hmoore71
10 years ago

The issue arose developing an email processing plugin where HTML emails were being posted outside of admin, and kses was leaving artifacts in its attempt to clean the post.

I've since abandoned the plugin development but still believe that kses has some issue with HTML email content.
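Comment #1 explains that kses is a security filter attached only for users without the unfiltered_html capability, not a cleanup tool, and comment #7 describes a plugin inserting HTML email outside the admin screens. The following is an added example, not WordPress core code and not the reporter's plugin, showing the defensive pattern those two comments imply: strip the Office-specific markup before kses runs, and check whether kses is active in the current context instead of disabling it. It assumes it runs inside WordPress (add_filter, has_filter, sanitize_text_field, wp_insert_post and is_wp_error are core functions); the example_* function names, the hook priority of 5 and the regular expressions are this example's own assumptions.

```php
<?php
// Added example: not WordPress core code and not the reporter's plugin.
// Assumes a loaded WordPress environment. The example_* names, the
// priority 5 and the regexes below are assumptions of this example.

/**
 * Remove Office-only constructs before kses sees the content.
 *
 * kses filters tag by tag against an allow-list; it does not treat an
 * Outlook/Word conditional-comment block as one unit, so the comment
 * markers and the text inside <xml> or <o:p> elements can survive as
 * stray fragments. Dropping those blocks first leaves kses ordinary HTML.
 */
function example_strip_mso_html( $html ) {
    // Downlevel-hidden conditional comments, e.g.
    // <!--[if gte mso 9]><xml>...</xml><![endif]-->, carry Office
    // metadata only: drop the whole block.
    $html = preg_replace( '/<!--\[if[^\]]*\]>.*?<!\[endif\]-->/is', '', $html );

    // Downlevel-revealed form, e.g. <![if !supportLists]>1.<![endif]>:
    // the content is meant to be visible, so drop only the markers.
    $html = preg_replace( '/<!\[(?:if[^\]]*|endif)\]>/i', '', $html );

    // Office namespaced elements such as <o:p></o:p>, <v:shape ...>,
    // <w:WordDocument>.
    $html = preg_replace( '/<\/?(?:o|v|w|x):[a-z0-9:_-]+[^>]*>/i', '', $html );

    return $html;
}

// Run before wp_filter_post_kses, which core attaches at the default
// priority 10 on the same hook.
add_filter( 'content_save_pre', 'example_strip_mso_html', 5 );

/**
 * Report whether kses will filter post content in the current context.
 * Core attaches wp_filter_post_kses only when the current user lacks the
 * unfiltered_html capability, which is why an administrator inserting
 * from admin sees no filtering while a plugin running without such a
 * user does.
 */
function example_kses_is_active() {
    return false !== has_filter( 'content_save_pre', 'wp_filter_post_kses' );
}

/**
 * Insert an email body as a draft post. wp_insert_post() applies the
 * content_save_pre filters itself, so the cleanup above and, where
 * active, kses run whether or not this is called from an admin screen.
 * Returns the new post ID, or 0 on failure.
 */
function example_insert_email_post( $subject, $html_body ) {
    $post_id = wp_insert_post( array(
        'post_title'   => sanitize_text_field( $subject ),
        'post_content' => $html_body,
        'post_status'  => 'draft',
    ), true );

    if ( is_wp_error( $post_id ) ) {
        error_log( 'example_insert_email_post: ' . $post_id->get_error_message() );
        return 0;
    }
    return $post_id;
}
```

The point of example_kses_is_active() is diagnostic: a plugin that posts on behalf of no logged-in user should expect kses to be active and design for it, rather than removing the filter as the ticket description tried. The pre-clean step only removes markup that has no meaning outside Office; everything else is still left to kses to decide.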
