WordPress.org

Make WordPress Core

Changes between Version 1 and Version 2 of Ticket #33121, comment 15


Ignore:
Timestamp:
10/11/2018 04:05:40 PM (12 months ago)
Author:
azaozz
Comment:

Legend:

Unmodified
Added
Removed
Modified
  • Ticket #33121, comment 15

    v1 v2  
    1 Looking at 33121.3.diff, don't think it is a good idea to allow adding attributes with a wildcard. That would mean --somebody-- can add `on-*` or even `o-*` and allow all `onerror`, `onclick`, `onmouseover`, etc. attributes.
     1Looking at 33121.3.diff, don't think it is a good idea to allow adding attributes with a wildcard. (Note that `_wp_add_global_attributes()` is just a convenience function to add some attribute names to all tags. There is no way to check how an attribute name was added. So plugins will also be able to add the `data-*` attribute name which is the expected behavior.)
     2
     3That would mean --somebody-- can add `on-*` or even `o-*` and allow all `onerror`, `onclick`, `onmouseover`, etc. attributes.
    24
    35What's worse there is no way to sanitize the values of these wildcard attributes (this part in the patch `$allowed_attr[$name_low] = true;`), so things like `onerror="alert(document.cookie)"` become very possible and not immediately recognizable.