Opened 3 years ago

Last modified 2 years ago

#30597 new defect (bug)

wp_filter_post_kses mangles URLs with colons in them

Reported by: rkaiser0324
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 4.0
Component: Formatting
Keywords: kses needs-unit-tests
Focuses:
Cc:

Description (last modified by SergeyBiryukov)

Try to save this entirely valid post content:

<a href="/this/is/a/valid:link">watch what happens</a>

The KSES logic is overly aggressive and strips the URL. It's getting confused by the colon.

Might be related to #24663

Change History (7)

#1 @SergeyBiryukov
3 years ago

  • Description modified (diff)

#3 @miqrogroove
3 years ago

  • Keywords 2nd-opinion added

I disagree. Colons are reserved characters in the specification for URLs and we have important reasons for never allowing them. This ticket will need a 2nd opinion.

#4 @rkaiser0324
3 years ago

That's interesting, I didn't know the colon was a reserved character. Why this comes up is the CakePHP MVC framework (http://book.cakephp.org/2.0/en/development/routing.html), which I used for plugin development, is prominently supporting these "named parameters" of key-value pairs in URLs, so I end up wanting to use them in links inside posts. Given the large size of the CakePHP community, I'm surprised to find that using them is bad practice.

#5 @miqrogroove
3 years ago

Yeah, /this/is/a/valid:link is technically invalid and should be represented as /this/is/a/valid%3Alink until processed by the responding server. However, most servers will allow both representations unless properly firewalled, so it's a somewhat gray area.

#6 @miqrogroove
3 years ago

  • Keywords kses close added

#7 @wonderboymusic
2 years ago

  • Keywords needs-unit-tests added; 2nd-opinion close removed

Wouldn't mind this being unit tested.
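
Added example (not part of the ticket and not WordPress core code): a standalone PHP allowlist check that treats a colon as a scheme delimiter only when the text before it matches the RFC 3986 scheme grammar, so the link from the description is kept, and that applies the %3A encoding from comment #5 to relative paths. The function names, the allowed-scheme list and the sample inputs are assumptions made for this illustration.

```php
<?php
// Added example, not WordPress core code. The function names and the
// scheme allowlist are assumptions made for this illustration.
const EXAMPLE_ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

// Return the lower-cased scheme, or null for a relative reference.
// Assumes $url is the attribute value after HTML entity decoding.
function example_url_scheme(string $url): ?string
{
    // Browsers ignore tabs and newlines inside a URL, so drop control
    // characters and spaces before looking for a scheme.
    $compact = preg_replace('/[\x00-\x20]+/', '', $url);
    // RFC 3986 scheme: a letter, then letters, digits, "+", "-" or ".".
    // "/" is not in that set, so a colon after a slash never matches.
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $compact, $m)) {
        return strtolower($m[1]);
    }
    return null;
}

// Percent-encode colons in the path of a relative reference, leaving
// the query and fragment alone (the %3A form from comment #5).
function example_encode_path_colons(string $url): string
{
    if (strncmp($url, '//', 2) === 0) {
        return $url; // network-path reference: the colon may be a port
    }
    $cut = strcspn($url, '?#');
    return str_replace(':', '%3A', substr($url, 0, $cut)) . substr($url, $cut);
}

// Keep allowed absolute URLs and relative references; empty string otherwise.
function example_filter_href(string $url): string
{
    $scheme = example_url_scheme($url);
    if ($scheme === null) {
        return example_encode_path_colons($url);
    }
    return in_array($scheme, EXAMPLE_ALLOWED_SCHEMES, true) ? $url : '';
}

// Constructed sample inputs.
$samples = ['/this/is/a/valid:link', 'https://example.com/a:b',
            "java\tscript:alert(1)", 'valid:link', '/search?q=a:b'];
foreach ($samples as $s) {
    $out = example_filter_href($s);
    printf("%-28s => %s\n", json_encode($s, JSON_UNESCAPED_SLASHES), json_encode($out, JSON_UNESCAPED_SLASHES));
}
```

The `valid:link` sample has no leading slash, so its first segment parses as a scheme and is rejected; the same text after a `/` is kept.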
