WordPress should use code from the modified kses at Sourceforge.net
Reported by: alpha2zee
Owned by: ryan
WordPress should think of using its code -- the kses.php it uses still has some bugs that can thus be fixed. Also, there are new features in the modified version, and its use is compatible with the current kses() calls.
Bug-fixes (compared to original kses 0.2.2):
- Lone < characters are taken care of
- Takes care of single-tag elements like img and br that do not have a space before their closing tag (e.g., <hr/>)
- Output is more XHTML standard-compliant. E.g., attributes are declared only once, tags and attributes are lowercased, check for named XHTML entities, etc.
- Inline styling is now possible. Earlier, CSS properties like background-color: yellow were removed because of the so-called 'colon bug.'
- Option to balance tags for well-formedness of (X)HTML
- Option to 'entitify' unallowed tags instead of removing them. Currently, kses always strips them.
- Option for unique ID attribute values, with option to remove or with a chosen prefix
- Option to allow HTML comments and CDATA sections.
The download has some test-results.
(The upcoming release makes it easier to specify allowed tags (string instead of multi-dimensional array), specify element and attribute specific protocols and class properties, etc.)
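As an added illustration (not kses code, not part of this ticket and not written by its reporter), the following Python script sketches the behaviours the bug-fix list above describes: a lone < escaped, <hr/> accepted and re-emitted as <hr />, tag and attribute names lowercased, a duplicated attribute collapsed to its first declaration, "background-color: yellow" surviving inside a style attribute instead of being lost to the colon bug, unallowed tags either stripped or entitified, and open tags balanced at the end. It is written in Python rather than PHP so it runs stand-alone; the whitelist, the protocol list, the CSS rule and the inputs in the usage lines are assumptions made for the demonstration, not kses defaults.

```python
"""Added illustration of the kses fixes listed in the ticket: a small whitelist
sanitizer.  This is NOT kses and not WordPress code; the whitelist, protocol
list and CSS rule below are assumptions chosen for the demonstration."""
import html
import re

# Constructed whitelist: element -> attributes it may carry (assumption, not kses's defaults).
ALLOWED = {
    "a": {"href", "title"},
    "b": set(),
    "p": set(),
    "span": {"style"},
    "img": {"src", "alt"},
    "br": set(),
    "hr": set(),
}
VOID_ELEMENTS = {"br", "hr", "img"}          # emitted as <br />, never pushed on the stack
SAFE_PROTOCOLS = ("http:", "https:", "mailto:")

# A tag: optional '/', name, attribute blob, optional '/' directly before '>' (so <hr/> parses).
TAG_RE = re.compile(r'<(/?)([A-Za-z][A-Za-z0-9]*)([^<>]*?)\s*(/?)>')
ATTR_RE = re.compile(r'([^\s=/"\'>]+)(?:\s*=\s*("[^"]*"|\'[^\']*\'|[^\s"\'>]+))?')
# One CSS declaration, e.g. "background-color: yellow".  The colon is expected rather than
# rejected; parentheses are refused so url() and expression() can never get through.
CSS_DECL_RE = re.compile(r'^([a-z-]+)\s*:\s*([a-z0-9 #%.,-]+)$', re.I)
# An '&' that does not already start a named entity or character reference.
BARE_AMP_RE = re.compile(r'&(?!(?:[a-zA-Z][a-zA-Z0-9]*|#[0-9]+|#x[0-9a-fA-F]+);)')


def escape_text(text):
    """Text between tags: lone '<' and '>' become entities, a bare '&' becomes &amp;."""
    return BARE_AMP_RE.sub("&amp;", text).replace("<", "&lt;").replace(">", "&gt;")


def clean_style(css):
    """Keep only 'property: simple-value' declarations, normalised to one form."""
    kept = []
    for decl in css.split(";"):
        m = CSS_DECL_RE.match(decl.strip())
        if m:
            kept.append(f"{m.group(1).lower()}: {m.group(2).strip()}")
    return "; ".join(kept)


def clean_attributes(tag, blob):
    """Return [(name, value)] with each whitelisted attribute declared at most once."""
    seen, kept = set(), []
    for raw_name, raw_value in ATTR_RE.findall(blob):
        name = raw_name.lower()                         # attribute names lowercased
        if name in seen or name not in ALLOWED[tag]:    # first declaration wins; unknown dropped
            continue
        seen.add(name)
        value = raw_value[1:-1] if raw_value[:1] in ('"', "'") else raw_value
        if (name in ("href", "src") and ":" in value
                and not value.lower().lstrip().startswith(SAFE_PROTOCOLS)):
            continue                                    # javascript:, data:, vbscript: ...
        if name == "style":
            value = clean_style(value)
            if not value:
                continue
        kept.append((name, value))
    return kept


def kses_like(text, entitify=False):
    """Whitelist-filter `text`; unknown tags are stripped, or entitified when entitify=True."""
    out, open_tags, pos = [], [], 0
    for m in TAG_RE.finditer(text):
        out.append(escape_text(text[pos:m.start()]))
        pos = m.end()
        closing, name, blob, _self_closing = m.groups()
        name = name.lower()                             # tag names lowercased
        if name not in ALLOWED:
            if entitify:
                out.append(html.escape(m.group(0)))     # keep the source text, but inert
            continue
        if closing:
            if name in open_tags:                       # close everything opened after it
                while open_tags:
                    tag = open_tags.pop()
                    out.append(f"</{tag}>")
                    if tag == name:
                        break
            continue                                    # stray or void closing tag: drop
        attr_text = "".join(f' {k}="{html.escape(v, quote=True)}"'
                            for k, v in clean_attributes(name, blob))
        if name in VOID_ELEMENTS:
            out.append(f"<{name}{attr_text} />")
        else:
            out.append(f"<{name}{attr_text}>")
            open_tags.append(name)
    out.append(escape_text(text[pos:]))
    while open_tags:                                    # balance whatever is still open
        out.append(f"</{open_tags.pop()}>")
    return "".join(out)


if __name__ == "__main__":
    # Constructed inputs for the demonstration.
    print(kses_like('1 < 2 and <IMG SRC="http://example.com/a.png" onerror=x/>'))
    print(kses_like('<p>x<script>alert(1)</script><b>y', entitify=True))
```

Note that, like kses, the sketch removes or entitifies only the tags; the text between a stripped <script> and </script> is left in place as ordinary text, which is harmless once the tags are gone but worth knowing when comparing output against input.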
Change History (10)
- Component changed from Optimization to Security
- Keywords needs-patch added
- Owner changed from anonymous to ryan
- Milestone changed from 2.9 to Future Release
- Priority changed from normal to low
- Severity changed from normal to minor