Make WordPress Core

Opened 5 years ago

Closed 5 years ago

#47283 closed enhancement (fixed)

Strip inline JS and CSS while trying to figure out the pingback context

Reported by: david.binda
Owned by: SergeyBiryukov
Milestone: 5.3
Priority: normal
Severity: normal
Version:
Component: Pings/Trackbacks
Keywords: has-patch needs-unit-tests
Focuses:
Cc:


When testing the pingbacks on PHP 7.3, we ran into a backward compatibility issue with strip_tags ( see ) which made me look into the implementation of the context lookup for the pingback link.

When using strip_tags with a whitelisted <a> element ( see ), we are still getting a lot of inline CSS and JS in the output which needs to be checked. I believe that it would make the implementation more reliable (and it would have actually prevented the PHP bug mentioned above from breaking the stuff) if the inline CSS and JS content were removed.

Attachments (1)

47283.diff (646 bytes) - added by david.binda 5 years ago.


Change History (3)

5 years ago

#1 @SergeyBiryukov
5 years ago

  • Keywords has-patch needs-unit-tests added
  • Milestone changed from Awaiting Review to 5.3

#2 @SergeyBiryukov
5 years ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 45823:

Pings/Trackbacks: In wp_xmlrpc_server::pingback_ping(), strip inline JS and CSS while trying to figure out the pingback context.

Props david.binda.
Fixes #47283.
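
The behaviour the ticket describes, as an added example that is not part of the ticket, the attached patch or WordPress core: strip_tags() with <a> allowed removes the <script> and <style> tags but keeps their bodies, so the context lookup has to scan that text as well. The helper names, the regex-based stripping and the sample page are assumptions constructed for illustration.

```php
<?php
// Added example, not WordPress core code. Helper names and the sample page are constructed.

// Remove <script> and <style> elements together with their bodies.
function strip_inline_js_css( string $html ): string {
	$out = preg_replace( '@<(script|style)\b[^>]*>.*?</\1\s*>@is', '', $html );
	return null === $out ? $html : $out; // null means PCRE failed; keep the input.
}

// Reduce a remote page to plain text plus <a> elements, then collapse whitespace.
function text_with_links( string $html ): string {
	return trim( preg_replace( '/\s+/', ' ', strip_tags( $html, '<a>' ) ) );
}

// Return the link text with up to $width characters of plain text on either side.
function link_context( string $text, string $url, int $width = 40 ): ?string {
	$re = '@<a\b[^>]*\bhref=["\']' . preg_quote( $url, '@' ) . '["\'][^>]*>(.*?)</a>@is';
	if ( ! preg_match( $re, $text, $m, PREG_OFFSET_CAPTURE ) ) {
		return null; // No link to $url in the text.
	}
	$start  = $m[0][1];
	$end    = $start + strlen( $m[0][0] );
	$before = substr( strip_tags( substr( $text, 0, $start ) ), -$width );
	$after  = substr( strip_tags( substr( $text, $end ) ), 0, $width );
	return $before . strip_tags( $m[1][0] ) . $after;
}

// Constructed sample: inline CSS and JS that both mention the linked URL.
$page = <<<'HTML'
<html><head><style>a[href="https://example.org/post/"] { color: red; }</style>
<script>var promo = '<a href="https://example.org/post/">ad</a>';</script></head>
<body><p>I agree with <a href="https://example.org/post/">this article</a> on pingbacks.</p></body></html>
HTML;

$url = 'https://example.org/post/';

// strip_tags() alone: the CSS and JS bodies survive and the first match is inside the script.
echo 'without stripping: ', link_context( text_with_links( $page ), $url ), "\n";

// Script and style bodies removed first: only the visible sentence is left to search.
echo 'with stripping:    ', link_context( text_with_links( strip_inline_js_css( $page ) ), $url ), "\n";
```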
