Make WordPress Core

Opened 7 years ago

Closed 7 years ago

#40317 closed defect (bug) (duplicate)

Change to wp_allowed_protocols to allow modification by plugins

Reported by: krishardy
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.7.3
Component: Security
Keywords:
Focuses:
Cc:


wp_allowed_protocols() in wp-includes/functions.php works by holding a static variable that is populated upon the first call to wp_allowed_protocols() and then allows modification of the static $protocols variable by plugins that have registered a callable as a 'kses_allowed_protocols' filter.

In the event where wp_allowed_protocols() has been called (perhaps by another plugin) before a plugin is loaded and issues an add_filter('kses_allowed_protocols', ...) call, it becomes impossible to modify the protocol array returned by wp_allowed_protocols() when the plugin is loaded.

In my specific situation, the Member Mouse plugin has an issue: any UI objects which rely upon <a href="javascript:doSomething();"> attributes get "sanitized" by wp_kses_one_attr(), which removes the "javascript:" protocol, resulting in <a href="doSomething();">. This causes the browser to redirect to http://mydomain.tld/doSomething();, producing an HTTP 404 Not Found response. This issue is being reported to Member Mouse as well for them to possibly develop a work-around.

Given that this issue is not unique to Member Mouse, and may be an issue with any plugin which uses the 'kses_allowed_protocols' filter, I recommend the following change:

function wp_allowed_protocols() {
        static $protocols = array();

        // Populate the default list only once.
        if ( empty( $protocols ) ) {
                $protocols = array( 'http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn', 'tel', 'fax', 'xmpp', 'webcal', 'urn' );
        }

        // Run the filter on every call so filters registered after the first call still take effect.
        $protocols = apply_filters( 'kses_allowed_protocols', $protocols );
        $protocols = array_unique( $protocols );  // Remove any duplicates if the plugin added them
        return $protocols;
}
There are other approaches to this that would have better performance, but I'll leave the details of the implementation up to the best developer for this task.
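The ordering problem described above, shown as an added example that is not code from the ticket or from WordPress core. It replaces WordPress's hook system with a hypothetical two-function stand-in (demo_add_filter() and demo_apply_filters(), assumed names) so it runs stand-alone, and puts the current cache-the-filtered-result behaviour beside the proposed run-the-filter-every-call behaviour. The protocol the late-loading filter adds ('sftp') is a constructed, harmless value chosen for the demonstration.

```php
<?php
// Added example (not from the ticket or WordPress core). The demo_* names are
// hypothetical stand-ins for add_filter()/apply_filters() so the ordering
// behaviour can be exercised without loading WordPress.

$demo_filters = array();

// Stand-in for add_filter(): record callbacks per hook name, in registration order.
function demo_add_filter( $hook, callable $callback ) {
    global $demo_filters;
    $demo_filters[ $hook ][] = $callback;
}

// Stand-in for apply_filters(): pass the value through each registered callback.
function demo_apply_filters( $hook, $value ) {
    global $demo_filters;
    $callbacks = isset( $demo_filters[ $hook ] ) ? $demo_filters[ $hook ] : array();
    foreach ( $callbacks as $callback ) {
        $value = call_user_func( $callback, $value );
    }
    return $value;
}

// Same default list as the snippet in the ticket.
function demo_default_protocols() {
    return array( 'http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn', 'tel', 'fax', 'xmpp', 'webcal', 'urn' );
}

// Behaviour the ticket reports: the *filtered* array is cached in a static,
// so only filters registered before the first call are ever applied.
function demo_allowed_protocols_cached() {
    static $protocols = array();
    if ( empty( $protocols ) ) {
        $protocols = demo_apply_filters( 'kses_allowed_protocols', demo_default_protocols() );
    }
    return $protocols;
}

// Behaviour the ticket proposes: cache only the defaults and run the filter on
// every call. The static is deliberately not overwritten with the filtered
// result, so filters always see the pristine defaults and cannot accumulate.
function demo_allowed_protocols_proposed() {
    static $protocols = array();
    if ( empty( $protocols ) ) {
        $protocols = demo_default_protocols();
    }
    return array_unique( demo_apply_filters( 'kses_allowed_protocols', $protocols ) );
}

// Reproduce the sequence from the report: both functions are called once
// (as some earlier plugin might do) before the late plugin registers its filter.
demo_allowed_protocols_cached();
demo_allowed_protocols_proposed();

// Late-loading plugin adds a protocol. 'sftp' is a constructed value for this
// demo; kses strips 'javascript:' because it is a script-injection vector, and
// the timing fix above is about honouring filters, not restoring that scheme.
demo_add_filter( 'kses_allowed_protocols', function ( $protocols ) {
    $protocols[] = 'sftp';
    return $protocols;
} );

// Compare what each variant returns after the late registration.
var_dump( in_array( 'sftp', demo_allowed_protocols_cached(), true ) );
var_dump( in_array( 'sftp', demo_allowed_protocols_proposed(), true ) );
```

Run with `php` on the command line: the cached variant never sees the late filter because its static already holds the result of the first (unfiltered) call, while the proposed variant does. Note the one design difference from the ticket's snippet: the snippet writes the filtered array back into the static, which is why it needs array_unique() (an additive filter would otherwise append its entry on every call, and a removing filter would permanently drop an entry). Leaving the defaults untouched in the static and filtering a copy avoids both effects.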

Change History (1)

#1 @SergeyBiryukov
7 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Hi @krishardy, welcome to WordPress Trac!

Thanks for the report, we're already tracking this issue in #36033.
