Make WordPress Core

Opened 6 months ago

Closed 3 months ago

#47283 closed enhancement (fixed)

Strip inline JS and CSS while trying to figure out the pingback context

Reported by: david.binda
Owned by: SergeyBiryukov
Milestone: 5.3
Priority: normal
Severity: normal
Version:
Component: Pings/Trackbacks
Keywords: has-patch needs-unit-tests
Focuses:
Cc:
PR Number:


While testing pingbacks on PHP 7.3, we ran into a backward compatibility issue with strip_tags (see https://bugs.php.net/bug.php?id=78003 ), which made me look into the implementation of the context lookup for the pingback link.

When using strip_tags with the whitelisted <a> element (see https://core.trac.wordpress.org/browser/trunk/src/wp-includes/class-wp-xmlrpc-server.php?rev=45310#L6805 ), we still get a lot of inline CSS and JS in the output, which then has to be checked. I believe it would make the implementation more reliable (and it would actually have prevented the PHP bug mentioned above from breaking things) if the inline CSS and JS content were removed.
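The following is an added example, not WordPress code and not the reporter's patch. It mirrors the shape of the context lookup in a simplified form (block-level tags become paragraph breaks, strip_tags() keeps only <a>, then the paragraph linking to our URL is searched for) and adds the step the ticket proposes: removing <script> and <style> elements, contents included, before strip_tags() runs. The sample remote page, the URL and the helper names (normalize_source, strip_inline_js_css, strip_naive, strip_hardened, find_context) are constructed for the illustration.

```php
<?php
// Added example, not WordPress code. Simplified model of the pingback
// context lookup, with an extra step that removes inline JS and CSS.

// Constructed sample of a remote page that links back to us.
$pagelinkedto  = 'https://example.com/2019/05/my-post/';
$remote_source = <<<HTML
<html><head><title>Example post</title>
<style>.note { color: red; } a:hover > span { display: none; }</style>
</head><body>
<script>if (a < b && b > c) { document.write('<a href="x">x</a>'); }</script>
<p>Nice write-up, see <a href="https://example.com/2019/05/my-post/">this post</a> for details.</p>
</body></html>
HTML;

// Collapse whitespace and turn block-level tags into paragraph breaks,
// so the text can be split on "\n\n" later.
function normalize_source( $html ) {
    $html = preg_replace( '/[\r\n\t ]+/', ' ', $html );
    return preg_replace( '/<\/?(h[1-6]|p|div|li|body)\b[^>]*>/i', "\n\n", $html );
}

// Remove <script> and <style> elements together with their contents.
// The back-reference \1 makes the closing tag match the opening one;
// the 's' flag lets '.' span line breaks, 'i' ignores case.
function strip_inline_js_css( $html ) {
    return preg_replace( '@<(script|style)[^>]*?>.*?</\1>@si', '', $html );
}

// Pre-fix behaviour: only de-tag, keeping <a>. The text of <script> and
// <style> elements (and any '<a ...>' a script writes) stays in the result.
function strip_naive( $html ) {
    return strip_tags( normalize_source( $html ), '<a>' );
}

// Proposed behaviour: drop inline JS and CSS first, then keep <a>.
function strip_hardened( $html ) {
    return strip_tags( normalize_source( strip_inline_js_css( $html ) ), '<a>' );
}

// Return the paragraph in which $pagelinkedto occurs inside an <a> tag,
// or null if the URL is never used as a link.
function find_context( $text, $pagelinkedto ) {
    $preg_target = preg_quote( $pagelinkedto, '|' );
    foreach ( explode( "\n\n", $text ) as $para ) {
        if ( strpos( $para, $pagelinkedto ) === false ) {
            continue;
        }
        if ( preg_match( '|<a[^>]+?' . $preg_target . '[^>]*>([^>]+?)</a>|', $para, $m ) ) {
            return trim( $para );
        }
    }
    return null;
}

echo "naive:\n", strip_naive( $remote_source ), "\n\n";
echo "hardened:\n", strip_hardened( $remote_source ), "\n\n";
echo "context: ", find_context( strip_hardened( $remote_source ), $pagelinkedto ), "\n";
```

Running this with `php` shows the difference: the naive output still carries the stylesheet rules and parts of the script body, and the `<a href="x">x</a>` written by the script survives as a real tag because `<a>` is whitelisted, while the hardened output is reduced to the paragraph text and its genuine link. In this constructed case find_context() locates the right paragraph either way; the gain is that the text handed to strip_tags() and to the link search no longer contains JS and CSS whose stray `<`, `>` and quotes the tag stripper has to interpret.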

Attachments (1)

47283.diff (646 bytes) - added by david.binda 6 months ago.


Change History (3)

#1 @SergeyBiryukov
6 months ago

  • Keywords has-patch needs-unit-tests added
  • Milestone changed from Awaiting Review to 5.3

#2 @SergeyBiryukov
3 months ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 45823:

Pings/Trackbacks: In wp_xmlrpc_server::pingback_ping(), strip inline JS and CSS while trying to figure out the pingback context.

Props david.binda.
Fixes #47283.
