Make WordPress Core

Opened 17 years ago

Closed 14 years ago

#4723 closed defect (bug) (duplicate)

kses removes last attribute in empty xhtml elements

Reported by: whoismanu
Owned by: markjaquith
Milestone:
Priority: normal
Severity: normal
Version: 2.2.1
Component: Formatting
Keywords: kses posting verification formatting
Focuses:
Cc:

Description

wp_filter_post_kses removes the last attribute from an empty xhtml tag (even if it is an allowed one) if there is no whitespace between the last attribute and the closing />. Now, according to my understanding of the xhtml specification there doesn't have to be a whitespace.

Here's an example with an img tag (especially annoying because it kills the src attribute and you are left with no clue as to why your image doesn't show up):

$texttest = '<img width="700" height="525" alt="Wrecked I" src="http://www.whoismanu.com/wp-content/2007_08/img_2659_web.jpg"/>';
wp_filter_post_kses($texttest);

And here's what goes into kses and what comes out:

data in: <img width="700" height="525" alt="Wrecked I" src="http://www.whoismanu.com/wp-content/2007_08/img_2659_web.jpg"/>

data out: <img width="700" height="525" alt="Wrecked I">

Here's an example where there is whitespace, kses handles it correctly:

$texttest = '<img width="700" height="525" alt="Wrecked I" src="http://www.whoismanu.com/wp-content/2007_08/img_2659_web.jpg" />';
wp_filter_post_kses($texttest);

Here's the result:

data in: <img width="700" height="525" alt="Wrecked I" src="http://www.whoismanu.com/wp-content/2007_08/img_2659_web.jpg" />

data out: <img width="700" height="525" alt="Wrecked I" src="http://www.whoismanu.com/wp-content/2007_08/img_2659_web.jpg" />
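
The failure reported above, reproduced as an added example with a simplified attribute tokenizer (not WordPress's kses code and not part of the ticket). `parse_attrs()` and both regular expressions are assumptions that model a matcher accepting a quoted value only when whitespace or end of input follows it.

```php
<?php
// Added illustration: simplified model of an attribute tokenizer, NOT WordPress source.
// parse_attrs() and both regexes are hypothetical.
function parse_attrs(string $attr, bool $strip_xhtml_slash): array
{
    if ($strip_xhtml_slash) {
        // Corrected handling: drop the self-closing slash whether or not
        // whitespace precedes it, before any attribute is matched.
        $attr = preg_replace('%\s*/\s*$%', '', $attr);
    }
    $kept = [];
    $attr = ltrim($attr);
    while ($attr !== '') {
        // A quoted value only counts if whitespace or end of input follows it.
        if (preg_match('/^([a-zA-Z-]+)\s*=\s*"([^"]*)"(\s+|$)/', $attr, $m)) {
            $kept[$m[1]] = $m[2];
            $attr = substr($attr, strlen($m[0]));
        } else {
            // Fail closed: discard the unparseable token instead of passing it through.
            $attr = preg_replace('/^\S+/', '', $attr, 1);
        }
        $attr = ltrim($attr);
    }
    return $kept;
}

// Attribute strings taken from the two <img> tags in the ticket (text between "<img" and ">").
$base   = 'width="700" height="525" alt="Wrecked I" '
        . 'src="http://www.whoismanu.com/wp-content/2007_08/img_2659_web.jpg"';
$inputs = ['no space before />' => $base . '/', 'space before />' => $base . ' /'];

foreach ($inputs as $label => $attr) {
    foreach ([false, true] as $strip) {
        printf("%-20s strip_slash=%-5s kept: %s\n", $label,
            var_export($strip, true), implode(', ', array_keys(parse_attrs($attr, $strip))));
    }
}
```

Only the combination of no whitespace and no slash stripping loses `src`: the trailing `/` stops the value from matching, and the fail-closed branch discards the whole token, which is why the symptom is a missing attribute rather than malformed output.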

Attachments (1)

4723.patch (533 bytes) - added by xknown 16 years ago.
patch against trunk


Change History (7)

#1 @JeremyVisser
17 years ago

Confirmed on latest trunk (r5859).

@xknown
16 years ago

patch against trunk

#2 @ryan
16 years ago

  • Owner changed from anonymous to ryan

#3 @Denis-de-Bernardy
15 years ago

  • Component changed from General to Formatting

still current?

#4 @hakre
15 years ago

Confirmed, this is still current. Even worse, that function now addslashes:

in: string '<img width="700" height="525" alt="Wrecked I" src="http://www.whoismanu.com/wp-content/2007_08/img_2659_web.jpg"/>' (length=114)

out: string '<img width=\"700\" height=\"525\" alt=\"Wrecked I\">' (length=52)

Looks like the faulty stripslashes misconception in WordPress breaks necks again.

  • [2902] ryan 2005.09.21 18:35:35 stripslashes before running kses. Props donncha. fixes #1697

#5 @markjaquith
14 years ago

  • Milestone changed from 2.9 to 3.0
  • Owner changed from ryan to markjaquith
  • Status changed from new to accepted

Flagging this for a look in early 3.0

#6 @nacin
14 years ago

  • Milestone 3.0 deleted
  • Resolution set to duplicate
  • Status changed from accepted to closed