#3043 closed defect (bug) (duplicate)
pecl-filter, both RTE and plain editor stripping tags
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 2.0.4 |
| Component: | General | Keywords: | editor strip stripping tag tags |
| Focuses: | | Cc: | |
Description
Hi you all. I'm running WP 2.0.4 on a server with PHP Version 5.1.4-pl4-gentoo with Hardening-Patch 0.4.11.
The problem is that the tags are being stripped by WP and get replaced with <p> and <br />. The problem may reside in the hardening patch - as stated by the owner of the server - which cleans up potentially malicious content for security issues. He said that this behaviour will be integrated in PHP 5.2.x as the standard behaviour. He also said that this is a per-server setting, not a per-directory one.
I'm pretty new to the WP code for making a patch on it (and honestly I found that code to be a real damn big mess) so I'm just suggesting you to encode the html content got from the form with htmlentities() before working on it and decode it with html_decode_entity() before sending it back to the user. I actually don't know much about how the hardening patch works for this issue but I guess that this would be enough.
Change History (11)
#2
@
16 years ago
I'm the user admin with its full access rights.
I've set up a test-kit for my host and I've noticed that sending the textarea content via method="post" results in the content being stripped down of all HTML tags. Talking to my host about this issue, he said that he already had this problem with some software of his own which is using TinyMCE and he's been able to fix this behaviour. I actually don't know who but me may have configured TinyMCE to convert all ascii chars into the corresponding HTML entity when one exists (ie: < into &lt;, & into &amp; and so on...)
Maybe your installation of the hardening patch is configured to behave in some other way, my host said this is configurable by the user.
#3
@
16 years ago
I actually don't know who but me may have configured
Err... mistyping. It was: "I actually don't know how but he may have configured". Sorry.
#4
@
16 years ago
Reading through the functionality of the hardening patch I cannot find any reference to any functionality (default or enabled by configuration) which would lead to the POST data having all the tags stripped.
I don't think that the hardening patch is what is causing the issue here.
Are there any other security features enabled on the server such as mod_security?
#6
@
16 years ago
Or, even more likely, the new pecl/filter which is going into PHP 5.2?
That's possible, though. Just like it's possible that mod_security is installed. Anyway, I guess this isn't a motive for ignoring this fact, moreover if these things are going into a future release of PHP or if this concerns security: I'm not in any case taking down security policies from my server to run WP, I'd prefer to switch to another platform.
Will this be corrected soon? I guess this is a one-minute-patch for one experienced with the code, not for me. If it was, you'd be sure that I'd have provided a patch days ago.
#7
@
16 years ago
- Component changed from Security to General
- Keywords reporter-feedback added; bg|reporter-feedback removed
- Severity changed from major to normal
morpheu5, It sounds like it would help move the problem forward if you can answer the questions of what is installed on the server:
- are there any other security features enabled on the server such as mod_security
- pecl/filter which is going into PHP 5.2?
Changing component to General and severity to normal until the problem is more understood.
#8
@
16 years ago
Yes, it seems that it is a pecl-filter issue which would be solved by putting a .htaccess in the directory setting filter.default to something more appropriate such as "special_chars".
In my case, my host has AllowOverride set to None (or sthg...) so I can't check if this works. Anyway, if this is the cause, pecl-filter as you stated is going into php-5.2 and my host admin seems determined to upgrade whenever it becomes stable enough. So, a fix to WP would be appreciated.
#9
@
16 years ago
- Keywords reporter-feedback removed
- Milestone set to 2.1
- Priority changed from high to normal
- Summary changed from both WYSIWYG and plain editor are stripping tags. to pecl-filter, both RTE and plain editor stripping tags
#10
@
16 years ago
- Resolution set to duplicate
- Status changed from new to closed
http://php.net/filter#AEN49212
As you can see, UNSAFE_RAW will be the default flag when it is actually in PHP 5.2. The pecl extension version has a different default, but there is little that WP can do about it. There is another ticket for WP replacing the contents of the $_POST array with the unsafe raw settings to emulate filter not existing, so I will mark this as a duplicate of that. #3093
.htaccess hacks are still unacceptable because many people do not use Apache or do not have write permission to the .htaccess file, no AllowOverride, etc.
Can you give examples of the before and after results you are seeing so as to help us understand and reproduce this issue.
I am running "PHP 5.1.4-pl4-gentoo with Hardening-Patch 0.4.11" and have not noticed any issues with either the WYSIWYG or plain text editor stripping tags.
Could you also specify what user role you are using when posting.
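The filter.default behaviour discussed in this ticket, as an added PHP example (not WordPress code and not written by any commenter): it shows what three filter names do to a constructed HTML string, reports the server's active filter.default, and reads one POST field unfiltered through filter_input(). The field name `content` and the helper names are hypothetical, and using the "string" filter to stand in for a tag-stripping default is an assumption.

```php
<?php
// Added illustration, not WordPress code. The sample input below is constructed.
$submitted = '<p>Hello <strong>world</strong> &amp; <a href="/about">more</a></p>';

// Filter names as they would appear in the filter.default ini setting.
// "string" is deprecated since PHP 8.1; it is used here only as an assumed
// stand-in for a default that strips tags.
$candidates = array('unsafe_raw', 'special_chars', 'string');

// Apply a filter by its ini name; returns null if this PHP build lacks it.
function apply_named_filter($value, $name) {
    $id = filter_id($name);
    if ($id === false) {
        return null;
    }
    return @filter_var($value, $id); // @ silences any deprecation notice
}

foreach ($candidates as $name) {
    printf("%-14s %s\n", $name, var_export(apply_named_filter($submitted, $name), true));
}

// The filter this server applies to $_GET/$_POST/$_COOKIE before scripts run.
$active = ini_get('filter.default');
if ($active === false || $active === '') {
    $active = '(not set or filter extension not loaded)';
}
echo "filter.default = {$active}\n";

// Read one scalar POST field as submitted, bypassing filter.default.
// Array-valued fields would need the FILTER_REQUIRE_ARRAY flag.
function raw_post_field($name) {
    if (!function_exists('filter_input')) {
        // No filter extension loaded, so $_POST was never filtered.
        return isset($_POST[$name]) ? $_POST[$name] : null;
    }
    $value = filter_input(INPUT_POST, $name, FILTER_UNSAFE_RAW);
    return ($value === null || $value === false) ? null : $value;
}

// Raw input must still be encoded, or allow-list filtered, at output time.
$content = raw_post_field('content'); // hypothetical field name; null under CLI
if ($content !== null) {
    echo htmlspecialchars($content, ENT_QUOTES, 'UTF-8'), "\n";
}
```

Run from the command line it prints the three filtered forms and the active setting; the last part only produces output when the script handles a real POST request.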