Make WordPress Core

#47283 closed enhancement (fixed)

Strip inline JS and CSS while trying to figure out the pingback context

Reported by: david.binda
Owned by: SergeyBiryukov
Milestone: 5.3
Priority: normal
Severity: normal
Version:
Component: Pings/Trackbacks
Keywords: has-patch needs-unit-tests
Focuses:
Cc:

Description

When testing pingbacks on PHP 7.3, we ran into a backward compatibility issue with strip_tags (see https://bugs.php.net/bug.php?id=78003), which made me look into the implementation of the context lookup for the pingback link.

When using strip_tags with the whitelisted <a> element (see https://core.trac.wordpress.org/browser/trunk/src/wp-includes/class-wp-xmlrpc-server.php?rev=45310#L6805), we are still getting a lot of inline CSS and JS in the output which needs to be checked. I believe that it would make the implementation more reliable (and it would have actually prevented the PHP bug mentioned above from breaking the stuff) if the inline CSS and JS content were removed.
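Added PHP example, not code from the attached patch or from WordPress core, showing the approach the ticket proposes: drop <script> and <style> blocks before strip_tags() reduces the page to text plus <a>, then take the text around the first link to the pinged URL. The helper names, the sample HTML and the 40-character context radius are assumptions made for this illustration.

```php
<?php
// Added illustration, not WordPress's own pingback_ping() code: find the text
// surrounding a pingback link, dropping inline JS and CSS first so that script
// and style contents cannot leak into the context that strip_tags() leaves.

/**
 * Remove <script> and <style> elements together with their contents.
 * Case-insensitive, spans newlines; the back-reference pairs each opening
 * tag with the matching closing tag.
 */
function strip_inline_js_css( string $html ): string {
    return preg_replace( '@<(script|style)[^>]*?>.*?</\1>@si', '', $html );
}

/**
 * Return the text around the first link to $target, or null when the page
 * carries no such link. Only <a> survives strip_tags(), which is how a real
 * link is told apart from a bare URL mentioned in the text.
 * $strip_inline = false reproduces the behaviour the ticket complains about.
 */
function pingback_context( string $html, string $target, bool $strip_inline = true, int $radius = 40 ): ?string {
    if ( $strip_inline ) {
        $html = strip_inline_js_css( $html );
    }
    $text   = strip_tags( $html, '<a>' );
    $quoted = preg_quote( $target, '|' );
    if ( ! preg_match( '|<a[^>]+?' . $quoted . '[^>]*>([^<]*?)</a>|i', $text, $m, PREG_OFFSET_CAPTURE ) ) {
        return null;
    }
    $start   = max( 0, $m[0][1] - $radius );
    $end     = min( strlen( $text ), $m[0][1] + strlen( $m[0][0] ) + $radius );
    $excerpt = substr( $text, $start, $end - $start );
    // Collapse whitespace and drop the surviving <a> so only plain text remains.
    return trim( preg_replace( '/\s+/', ' ', strip_tags( $excerpt ) ) );
}

// Constructed sample page body (not from a real site): a <style> block and a
// <script> block that happens to contain the link URL surround the real link.
$sample = <<<'HTML'
<html><head><style>a { color: red; }</style></head>
<body><script>var x = "<a href='http://example.com/linked'>not a link</a>";</script>
<p>Alice wrote about this <a href="http://example.com/linked">in her post</a> last week.</p>
</body></html>
HTML;

echo pingback_context( $sample, 'http://example.com/linked' ), PHP_EOL;        // clean sentence only
echo pingback_context( $sample, 'http://example.com/linked', false ), PHP_EOL; // CSS and JS leak in
```

With $strip_inline left at its default the context is the sentence from the paragraph; with it set to false the first match is the fake link inside the script, so the returned context is CSS and JavaScript text rather than prose.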

Attachments (1)

47283.diff (646 bytes) - added by david.binda 15 months ago.


Change History (3)

@david.binda
15 months ago

#1 @SergeyBiryukov
15 months ago

  • Keywords has-patch needs-unit-tests added
  • Milestone changed from Awaiting Review to 5.3

#2 @SergeyBiryukov
12 months ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 45823:

Pings/Trackbacks: In wp_xmlrpc_server::pingback_ping(), strip inline JS and CSS while trying to figure out the pingback context.

Props david.binda.
Fixes #47283.
