Make WordPress Core

Opened 15 years ago

Closed 14 years ago

#3290 closed defect (bug) (fixed)

Importer strips img class and style

Reported by: foolswisdom
Owned by: foolswisdom
Milestone: 2.1
Priority: highest omg bbq
Severity: major
Version: 2.1
Component: Administration
Keywords: import has-patch commit
Focuses:
Cc:

Description

Importer strips img class and style

ENV: WP trunk r4428

REPRO: always

STEPS

  1. Created a single blog post of <img class="bordered" style="float: none; margin-left: 0;" src="image.png" />
  2. Used the Exporter, confirmed that the post was as entered in the produced xml file
  3. Used the Importer selecting WordPress and mapping to the existing 'admin' user

ACTUAL RESULT

Blog post has become <img src="image.png" />

ADDITIONAL DETAILS

Problem described at http://nslog.com/2006/10/25/wordpress_204_import_removes_img_tag_formatting/

Attachments (1)

unfiltered-imports.diff (9.1 KB) - added by andy 14 years ago.


Change History (13)

#1 @foolswisdom
14 years ago

Slowly learning. The class and style are being removed during $post_content = apply_filters('content_save_pre', $post_content); in wp_insert_post

#2 @filosofo
14 years ago

I think the real problem is that wp-admin/admin.php calls kses_init_filters() for *every* import, even for those with admin permissions, and there's no easy way--that I've yet found--for a plugin to disable it.

#3 @foolswisdom
14 years ago

filosofo, my generous teacher!

All imports are done with "author" privileges. Thank you for describing the design limitation.

ENV: WP trunk r6949

I duplicated that: posting those img tags as an "author", they are stripped.

I now see that those attributes for img are not allowed because they are not included in $allowedposttags. I found an old wp-testers thread that says this is for security reasons:
http://comox.textdrive.com/pipermail/wp-testers/2005-September/000461.html

I found at least one popular theme is very heavy on its use of img class tags, http://cutline.tubetorial.com/image-handling-with-cutline/#comment-481

PREVIOUS WORKAROUND

my-hacks.php file, CUSTOM_TAGS
[resolved] Can Wordpress Support Pictures Inside Comments?
http://wordpress.org/support/topic/43139?replies=17

QUESTIONS

I am left with the following questions:

  1. I would like to better understand the security issues with the class attribute, and so far have not found anything on the web?
  2. How about style, is it safe? Can it be added to $allowedposttags?

POSSIBLE SOLUTIONS

It seems this bug has exposed two independent issues:

  • Possibly additional $allowedposttags values
  • Import with filtering appropriate to the user (if exists) or establish if new

Code changes for r3430 (Make the xmlrpc user the current user) seem possibly useful

#4 @foolswisdom
14 years ago

  1., 2. Yeah, neither class nor style is safe. A friend 'anotherjesse' explained to me how class could be used to make ~ login prompt, and style can have javascript within it.

It seems that the possible solution is limited to allowing importing as filtering appropriate to the user.

#5 @matt
14 years ago

  • Priority changed from high to highest

We shouldn't be doing any stripping for admins.

#6 @matt
14 years ago

  • Owner changed from anonymous to andy

#7 @andy
14 years ago

  • Status changed from new to assigned

#8 @andy
14 years ago

attachment unfiltered-imports.diff checks the unfiltered_html capability of the post_author and sets up kses filtering appropriately for that user.
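
The mechanism discussed in comments #3 and #8 (kses drops any attribute not listed in $allowedposttags, and the fix selects filtering by the post_author's unfiltered_html capability rather than filtering every import) as an added, stand-alone illustration in Python. This is not WordPress code and not the attached patch: the tag/attribute table is a constructed subset of $allowedposttags, the capability lookup is a constructed dict standing in for user_can($id, 'unfiltered_html'), and the sanitizer is a toy regex version of wp_kses that does not handle `>` inside attribute values or the other cases the real implementation covers.

```python
import html
import re

# Constructed subset of WordPress's $allowedposttags (assumption: the real
# table is much larger). The relevant point for this ticket is that 'class'
# and 'style' are absent from the <img> entry.
ALLOWED_POST_TAGS = {
    "img": {"src", "alt", "width", "height", "align"},
    "a": {"href", "title"},
    "p": set(),
}

# Constructed capability table standing in for user_can($user_id, 'unfiltered_html').
USERS = {
    "admin": {"unfiltered_html"},
    "author": set(),
}

# Toy tag/attribute grammar; wp_kses is considerably more thorough.
TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*?)(/?)>")
ATTR_RE = re.compile(
    r"([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s\"'>]+))"
)


def kses_like(content: str, allowed: dict) -> str:
    """Strip tags not in `allowed` and, for allowed tags, every attribute not
    listed for that tag. Mirrors what comment #1 observed at content_save_pre."""

    def fix_tag(m: re.Match) -> str:
        closing, name, attrs, selfclose = m.group(1), m.group(2).lower(), m.group(3), m.group(4)
        if name not in allowed:
            return ""  # disallowed element: drop the tag, keep its text content
        if closing:
            return f"</{name}>"
        kept = []
        for am in ATTR_RE.finditer(attrs):
            aname = am.group(1).lower()
            value = next(g for g in am.groups()[1:] if g is not None)
            if aname in allowed[name]:  # whitelist: everything else is discarded
                kept.append(f'{aname}="{html.escape(value, quote=True)}"')
        attr_str = (" " + " ".join(kept)) if kept else ""
        return f"<{name}{attr_str}{' /' if selfclose else ''}>"

    return TAG_RE.sub(fix_tag, content)


def import_post_before_fix(content: str) -> str:
    """Pre-patch behaviour described in comment #2: kses filters are installed
    for every import, so even an admin's post is reduced to the whitelist."""
    return kses_like(content, ALLOWED_POST_TAGS)


def import_post_after_fix(content: str, post_author: str) -> str:
    """Patch behaviour described in comment #8: decide per post_author.
    Users holding unfiltered_html get their content untouched (the equivalent
    of kses_remove_filters()); everyone else goes through the whitelist
    (kses_init_filters())."""
    if "unfiltered_html" in USERS.get(post_author, set()):
        return content
    return kses_like(content, ALLOWED_POST_TAGS)


# The post from the ticket's STEPS, embedded as sample input.
TICKET_POST = '<img class="bordered" style="float: none; margin-left: 0;" src="image.png" />'

if __name__ == "__main__":
    print("before fix, any author :", import_post_before_fix(TICKET_POST))
    print("after fix, author       :", import_post_after_fix(TICKET_POST, "author"))
    print("after fix, admin        :", import_post_after_fix(TICKET_POST, "admin"))
```

Run as a script it prints the stripped `<img src="image.png" />` for the first two cases and the original tag for the admin case, which is the difference the "Verified fixed" matrix in comment #10 exercises. Note that the capability is looked up on the mapped post_author, not on the user running the import, so mapping a post to a user without unfiltered_html still strips it even when an admin performs the import.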

#9 @andy
14 years ago

  • Keywords has-patch needs-testing added; importer removed
  • Owner changed from andy to foolswisdom
  • Status changed from assigned to new

#10 @foolswisdom
14 years ago

Verified fixed
Over the last two days I have done ad hoc testing across:

  • single vs multiple authors
  • explicit vs implicit mapping
  • default admin, other user with admin role
  • user with author role, created by import user (with author)

#11 @foolswisdom
14 years ago

  • Keywords commit added; needs-testing removed

#12 @ryan
14 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [4645]) Don't force kses filtering of imports. fixes #3290
