Opened 8 years ago
Closed 8 years ago
#40317 closed defect (bug) (duplicate)
Change to wp_allowed_protocols to allow modification by plugins
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 4.7.3 |
| Component: | Security | Keywords: | |
| Focuses: | | Cc: | |
Description
wp_allowed_protocols() in wp-includes/functions.php works by holding a static variable that is populated upon the first call to wp_allowed_protocols(), and then allows modification of the static $protocols variable by plugins that have registered a callable as a 'kses_allowed_protocols' filter.
In the event that wp_allowed_protocols() has been called (perhaps by another plugin) before a plugin is loaded and issues an add_filter('kses_allowed_protocols', ...) call, it becomes impossible to modify the protocol array returned by wp_allowed_protocols() when the plugin is loaded.
In my specific situation, the Member Mouse plugin has an issue where any UI objects which rely upon <a href="javascript:doSomething();"> attributes get "sanitized" by wp_kses_one_attr(), resulting in the removal of the "javascript:" protocol and thus in <a href="doSomething();">. This causes the browser to redirect to http://mydomain.tld/doSomething();, creating an HTTP 404 Not Found response. This issue is being reported to Member Mouse as well for them to possibly develop a work-around.
Given that this issue is not unique to Member Mouse, and may be an issue with any plugin which uses the 'kses_allowed_protocols' filter, I recommend the following change:
function wp_allowed_protocols() {
    // Cache only the unfiltered base list across calls.
    static $protocols = array();
    if ( empty( $protocols ) ) {
        $protocols = array( 'http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn', 'tel', 'fax', 'xmpp', 'webcal', 'urn' );
    }
    // Run the filter on every call (not only on the first one) so a plugin that
    // registers 'kses_allowed_protocols' after the first call is still honoured.
    // Filtering a copy rather than the static itself keeps one filter's output
    // from becoming the next call's base list.
    $filtered = apply_filters( 'kses_allowed_protocols', $protocols );
    $filtered = array_unique( $filtered ); // Remove any duplicates if the plugin added them
    return $filtered;
}
There are other approaches to this that would have better performance, but I'll leave the details of the implementation up to the best developer for this task.
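The ordering problem described in the ticket, as an added, stand-alone example (not WordPress core code and not the reporter's code). It runs outside WordPress, so it assumes a minimal add_filter()/apply_filters() stand-in of its own (only defined if the real ones are absent), a hypothetical `keep_or_strip_scheme()` that mimics the scheme-stripping effect of kses on an href, and two versions of the protocol lookup: `cached_allowed_protocols()`, which filters once and caches like the 4.7.3 function described above, and `refiltered_allowed_protocols()`, which caches only the base list and re-runs the filter on every call as the ticket proposes. The javascript: href is a constructed input.

```php
<?php
// Added example, not WordPress core or the ticket's code. Run with: php example.php

if ( ! function_exists( 'add_filter' ) ) {
    $GLOBALS['example_filters'] = array();

    // Minimal stand-in for WordPress add_filter(): one callback list per hook name.
    function add_filter( $hook, $callback ) {
        $GLOBALS['example_filters'][ $hook ][] = $callback;
    }

    // Minimal stand-in for WordPress apply_filters(): pass $value through each callback.
    function apply_filters( $hook, $value ) {
        if ( isset( $GLOBALS['example_filters'][ $hook ] ) ) {
            foreach ( $GLOBALS['example_filters'][ $hook ] as $cb ) {
                $value = call_user_func( $cb, $value );
            }
        }
        return $value;
    }
}

// Default list from the ticket.
function base_protocols() {
    return array( 'http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher',
                  'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn', 'tel', 'fax',
                  'xmpp', 'webcal', 'urn' );
}

// Behaviour the ticket describes: build and filter the list on the first call,
// then serve the cached result for the rest of the request.
function cached_allowed_protocols() {
    static $protocols = array();
    if ( empty( $protocols ) ) {
        $protocols = apply_filters( 'kses_allowed_protocols', base_protocols() );
    }
    return $protocols;
}

// Variant the ticket proposes: cache only the base list and re-run the filter
// on every call, so a filter registered later in the request is still honoured.
function refiltered_allowed_protocols() {
    static $base = array();
    if ( empty( $base ) ) {
        $base = base_protocols();
    }
    return array_values( array_unique( apply_filters( 'kses_allowed_protocols', $base ) ) );
}

// Hypothetical stand-in for the effect of kses on an href: keep the URL if its
// scheme is allowed, otherwise drop the "scheme:" prefix (as in the ticket's
// "javascript:doSomething();" becoming "doSomething();").
function keep_or_strip_scheme( $url, array $allowed ) {
    if ( preg_match( '/^([a-z][a-z0-9+.-]*):(.*)$/i', $url, $m ) ) {
        return in_array( strtolower( $m[1] ), $allowed, true ) ? $url : $m[2];
    }
    return $url;
}

// 1. Some earlier-loaded plugin (or core) asks for the list before our plugin loads.
cached_allowed_protocols();
refiltered_allowed_protocols();

// 2. Our plugin loads afterwards and registers its filter.
add_filter( 'kses_allowed_protocols', function ( $protocols ) {
    $protocols[] = 'javascript';
    return $protocols;
} );

// 3. The cached version never sees the late filter; the re-filtered version does.
$href = 'javascript:doSomething();'; // constructed input
printf( "cached:     %s\n", keep_or_strip_scheme( $href, cached_allowed_protocols() ) );
printf( "refiltered: %s\n", keep_or_strip_scheme( $href, refiltered_allowed_protocols() ) );
```

Two practical notes. First, the load-order dependence is the whole bug: the cached version's output depends on whether any code happened to call the function before the plugin's `add_filter()` ran, which is why the failure appears only with certain plugin combinations. Second, whitelisting `javascript` via this filter is site-wide: every wp_kses() pass, including sanitisation of post content from lower-privileged users, will then let javascript: URLs through, which is the cross-site scripting vector kses exists to block. A plugin that genuinely needs javascript: hrefs in its own admin UI should keep that markup out of kses filtering (or add and remove the filter only around its own rendering) rather than leaving the protocol enabled globally.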
Hi @krishardy, welcome to WordPress Trac!
Thanks for the report, we're already tracking this issue in #36033.