Make WordPress Core

Opened 18 years ago

Closed 18 years ago

#3290 closed defect (bug) (fixed)

Importer strips img class and style

Reported by: foolswisdom Owned by: foolswisdom
Milestone: 2.1 Priority: highest omg bbq
Severity: major Version: 2.1
Component: Administration Keywords: import has-patch commit
Focuses: Cc:


Importer strips img class and style

ENV: WP trunk r4428

REPRO: always


  1. Created a single blog post of <img class="bordered" style="float: none; margin-left: 0;" src="image.png" />
  2. Used the Exporter, confirmed that the post was as entered in the produced xml file
  3. Used the Importer selecting WordPress and mapping to the existing 'admin' user


Blog post has become <img src="image.png" />


Problem described at

Attachments (1)

unfiltered-imports.diff (9.1 KB) - added by andy 18 years ago.


Change History (13)

#1 @foolswisdom
18 years ago

Slowly learning. The class and style are being removed during $post_content = apply_filters('content_save_pre', $post_content); in wp_insert_post

#2 @filosofo
18 years ago

I think the real problem is that wp-admin/admin.php calls kses_init_filters() for *every* import, even for those with admin permissions, and there's no easy way--that I've yet found--for a plugin to disable it.

#3 @foolswisdom
18 years ago

filosofo, my generous teacher!

All imports are done with "author" privileges. Thank you for describing the design limitation.

ENV: WP trunk r6949

I duplicated that; posting as an "author", those img tags are stripped.

I now see that those tags for img are not allowed because they are not included in $allowedposttags. I found an old wp-testers thread that says this is for security reasons:

I found at least one popular theme is very heavy on its use of img class tags,


my-hacks.php file, CUSTOM_TAGS
[resolved] Can Wordpress Support Pictures Inside Comments?


I am left with the following questions:

  1. I would like to better understand the security issues with the class tag, and so far have not found anything on the web.
  2. How about style, is it safe? Can it be added to $allowedposttags?


It seems this bug has exposed two independent issues:

  • Possibly additional $allowedposttags values
  • Import with filtering appropriate to the user (if exists) or establish if new

Code changes for r3430 (Make the xmlrpc user the current user) seem possibly useful.

#4 @foolswisdom
18 years ago

  (1, 2) Yeah, neither class nor style is safe. A friend 'anotherjesse' explained to me how class could be used to make a ~ login prompt, and style can have javascript within it.

It seems that the possible solution is limited to allowing importing as filtering appropriate to the user.

#5 @matt
18 years ago

  • Priority changed from high to highest

We shouldn't be doing any stripping for admins.

#6 @matt
18 years ago

  • Owner changed from anonymous to andy

#7 @andy
18 years ago

  • Status changed from new to assigned

#8 @andy
18 years ago

attachment unfiltered-imports.diff checks the unfiltered_html capability of the post_author and sets up kses filtering appropriately for that user.
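Added illustration of the approach comment #8 describes, written here as a stand-alone snippet rather than taken from unfiltered-imports.diff: before each imported post is inserted, kses filtering is switched on or off according to whether the post's author holds the unfiltered_html capability, so an admin's class and style attributes survive while an author's are still filtered. It assumes the kses_init_filters(), kses_remove_filters(), kses_init(), user_can() and wp_insert_post() functions as they exist in current WordPress core; the wrapper name import_post_with_author_filtering is hypothetical.

```php
<?php
// Illustrative helper, not the attached patch. Assumes the WordPress core
// functions kses_init_filters(), kses_remove_filters(), kses_init(),
// user_can() and wp_insert_post() are loaded.

function import_post_with_author_filtering( array $postarr ) {
    $author_id = isset( $postarr['post_author'] ) ? (int) $postarr['post_author'] : 0;

    // Start clean: admin.php may already have installed the kses filters
    // (content_save_pre etc.) for this request regardless of who is importing.
    kses_remove_filters();

    // Only run the content through kses when the post's author is not
    // trusted with unfiltered HTML. An unknown/unmapped author (id 0) is
    // treated as untrusted, so the import never widens privileges by default.
    if ( ! $author_id || ! user_can( $author_id, 'unfiltered_html' ) ) {
        kses_init_filters();
    }

    // wp_insert_post() applies content_save_pre, so the filter state set
    // above decides whether class/style on <img> are kept or stripped.
    $post_id = wp_insert_post( $postarr );

    // Put the filters back to the state appropriate for the logged-in user,
    // so the rest of the request does not inherit the imported author's trust.
    kses_init();

    return $post_id;
}
```

The per-post toggle matters because an export can mix posts from several authors; deciding once per import run on the importing user's capability would either strip markup from an admin's posts or let an author's markup through unfiltered.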

#9 @andy
18 years ago

  • Keywords has-patch needs-testing added; importer removed
  • Owner changed from andy to foolswisdom
  • Status changed from assigned to new

#10 @foolswisdom
18 years ago

Verified fixed
Over the last two days I have done ad hoc testing across:

  • single vs multiple authors
  • explicit vs implicit mapping
  • default admin, other user with admin role
  • user with author role, created by import user (with author)

#11 @foolswisdom
18 years ago

  • Keywords commit added; needs-testing removed

#12 @ryan
18 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [4645]) Don't force kses filtering of imports. fixes #3290
