KSES removes text after a non-tag less than sign

[mdawaffe]

Write a comment or a post with the following content while logged out or logged in as a user without the unfiltered_html cap.

This is a < less than sign.

The output will be the following.

This is a

[mdawaffe]

possibility

[mdawaffe]

4409.diff: a possible solution.

1. Tweaks a kses regex.
2. Converts

   This is a < less than sign.
   

   to

   This is a < less than sign.
   

3. Converts

   foo > br
   

   to

   foo <br>
   

   (and similar for any allowed tag). This is KSES' original behavior.

This will need some serious testing to ensure it doesn't open any security holes.

[mdawaffe]

I mean

foo < br

[westi]

Replying to mdawaffe:

4409.diff: a possible solution.

1. Tweaks a kses regex.
2. Converts

This will need some serious testing to ensure it doesn't open any security holes.

Is it worth taking an alternative approach to this and adding a new filter to post/comment content before the kses filter which converts lone < and > to &gt; and &lt; so as to not deviate from the stand kses code and preserve the current level of security?

[mdawaffe]

Westi, Fine by me. KSES is already breaking the text up in a convenient way for looking for lone less than signs, is all.

[markjaquith]

If you can do it outside of KSES without too much fuss or processing overhead, then we should go that route.

Note for posterity: HTML Purifier ​doesn't handle this any better than KSES, even though it does offer XHTML well-formedness and validity plus XSS filtering all in one package.

[AmbushCommander]

Hi, this is the lead developer for HTML Purifier. The upcoming, newest version of HTML Purifier does in fact handle this case gracefully by changing the unescaped < into a literal. For your case, however, with one simple regex:

$html = preg_replace('/<([^{A-Za-z0-9])/', '&lt;$1', $html);}

No mucking around kses necessary. This, however, will turn < br> into &lt; br&gt;

[AmbushCommander]

Oops, I didn't wrap the code properly. It's really:

$html = preg_replace('/<([^A-Za-z0-9])/', '&lt;$1', $html);

[mdawaffe]

A filter

[mdawaffe]

Replying to AmbushCommander:

$html = preg_replace('/<([^A-Za-z0-9])/', '&lt;$1', $html);

I don't think that regex is robust enough. "bob<sue" or "<3" would still get caught. Kids say the darndest things.

4409b.diff

1. Add pre_kses filter to kses (right where it says we should), but rearrange the order slightly (in a way that does not effect kses' efficacy at all).
2. Add regex to that filter to find and wp_specialchars()ize any lone less than signs.

Kses is not modified in any problematic way. Any strings that might have gotten stripped before but now aren't are run through both wp_specialchars and kses, so I don't believe there are any security issues.

[mdawaffe]

better than b

[mdawaffe]

4409c.diff

1. Use strpos() instead. substr_count() was needed for some debugging.

[westi]

+1

Not tested but patch looks good to me

[markjaquith]

(In [5783]) Entitize lone less-than characters. Props mdawaffe. fixes #4409

[mdawaffe]

Oops. The filter was supposed to have extra args.

$string = apply_filters( 'pre_kses', $string, $allowed_html, $allowed_protocols );

Sorry.

[markjaquith]

(In [5787]) Pass extra args to pre_kses hook. Props mdawaffe. see #4409