Opened 8 years ago

Closed 4 years ago

#4755 closed enhancement (wontfix)

WordPress should use code from the modified kses at Sourceforge.net

Reported by: alpha2zee
Owned by: ryan
Milestone:
Priority: low
Severity: minor
Version:
Component: Security
Keywords: close
Focuses:
Cc:

Description

A modified and better version of the kses HTML filter has been developed by Labware for their next LabWiki release. It is currently available at Sourceforge.

WordPress should think of using its code -- the kses.php it uses still has some bugs that can be thus fixed. Also, there are new features in the modified version, and its use is compatible with the current kses() calls.

Bug fixes (compared to original kses 0.2.2):

  • Lone < characters are taken care of
  • Takes care of single-tag elements like img and br that do not have a space before their closing tag (e.g., <hr/>)
  • Output is more XHTML standard-compliant. E.g., attributes are declared only once, tags and attributes are lowercased, check for named XHTML entities, etc.

Extra features:

  • Inline styling is now possible. Earlier, CSS properties like background-color: yellow were removed because of the so-called 'colon bug.'
  • Option to balance tags for well-formedness of (X)HTML
  • Option to 'entitify' unallowed tags instead of removing them. Currently, kses always strips them.
  • Option for unique ID attribute values, with option to remove or with a chosen prefix
  • Option to allow HTML comments and CDATA sections.

The download has some test-results.

(The upcoming release makes it easier to specify allowed tags (string instead of multi-dimensional array), specify element and attribute specific protocols and class properties, etc.)
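The bug-fix and feature lists above describe the behaviours an allowlist-based HTML filter of the kses family has to get right: lone `<` characters, single-tag elements written as `<hr/>`, duplicate and uppercase attributes, unknown named entities, tag balancing, and the choice between stripping and 'entitifying' disallowed tags. The following Python sketch is an added illustration of a filter of that shape built on the standard library's HTMLParser; it is not kses, htmLawed or WordPress code, and the allowlist, the void-element set, the URL attribute set and the protocol list are assumptions made for the example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist in the spirit of kses' $allowed_html: tag -> attribute names.
ALLOWED = {
    "a": {"href", "title"},
    "b": set(),
    "em": set(),
    "p": set(),
    "span": {"style"},
    "img": {"src", "alt"},
    "br": set(),
    "hr": set(),
}
VOID = {"img", "br", "hr"}           # single-tag elements that take no closing tag
URL_ATTRS = {"href", "src"}          # only these get a protocol check ...
ALLOWED_PROTOCOLS = {"http", "https", "mailto"}  # ... against this list


def url_allowed(value):
    """Accept relative URLs and absolute ones whose scheme is on the list."""
    scheme = urlsplit(value.strip()).scheme.lower()
    return scheme == "" or scheme in ALLOWED_PROTOCOLS


class AllowlistFilter(HTMLParser):
    def __init__(self, entitify=False):
        super().__init__(convert_charrefs=True)
        self.entitify = entitify     # escape disallowed tags instead of dropping them
        self.out = []
        self.stack = []              # currently open allowed tags, for balancing

    def _emit_start(self, tag, attrs, self_closing):
        seen = set()
        parts = [tag]                # HTMLParser already lowercases tag/attr names
        for name, value in attrs:
            if name in seen or name not in ALLOWED[tag]:
                continue             # duplicate, or not allowed on this tag
            if name in URL_ATTRS and not url_allowed(value or ""):
                continue             # disallowed protocol: drop attribute, keep tag
            seen.add(name)
            parts.append('%s="%s"' % (name, escape(value or "", quote=True)))
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def _disallowed(self, raw):
        if self.entitify:
            self.out.append(escape(raw))   # shown as literal text, not markup

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            self._disallowed(self.get_starttag_text())
        elif tag in VOID:
            self._emit_start(tag, attrs, True)
        else:
            self._emit_start(tag, attrs, False)
            self.stack.append(tag)

    def handle_startendtag(self, tag, attrs):
        # <hr/> and <br/> without a space before the slash arrive here
        if tag in ALLOWED:
            self._emit_start(tag, attrs, True)
        else:
            self._disallowed(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag not in ALLOWED:
            self._disallowed("</%s>" % tag)
        elif tag in self.stack:
            # close everything opened after it so nesting stays well-formed
            while self.stack:
                top = self.stack.pop()
                self.out.append("</%s>" % top)
                if top == tag:
                    break
        # a closing tag with no matching open tag (or for a void tag) is dropped

    def handle_data(self, data):
        # convert_charrefs decoded the known entities; re-escaping encodes them
        # again and turns lone '<', '>' and unknown '&bogus;' into plain text
        self.out.append(escape(data, quote=False))

    def result(self):
        self.close()
        while self.stack:            # balance: close whatever is still open
            self.out.append("</%s>" % self.stack.pop())
        return "".join(self.out)


def sanitize(html, entitify=False):
    f = AllowlistFilter(entitify=entitify)
    f.feed(html)
    return f.result()


if __name__ == "__main__":
    # constructed sample exercising the behaviours listed in the ticket
    sample = ('<P CLASS="x">1 < 2 <A HREF="/one" HREF="/two" onclick="z">link</A>'
              '<hr/>&amp; &bogus; <b>bold <script>x</script></P></b>')
    print(sanitize(sample))
    print(sanitize(sample, entitify=True))
```

Because the filter rebuilds the output from parsed tokens rather than editing the input string, the 'colon bug' does not arise: a protocol check runs only on the attributes named in URL_ATTRS, so `style="background-color: yellow"` passes through untouched when `style` is allowed on the tag, while an `href` with an unlisted scheme loses just that attribute.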

Change History (10)

comment:1 @foolswisdom, 8 years ago

alpha2zee, this looks good. Thanks for both submitting it upstream and sharing it w/ us.

comment:2 @JeremyVisser, 8 years ago

In particular, I like the sound of the "Option to balance tags for well-formedness of (X)HTML".

comment:3 @matt, 8 years ago

I'd be comfortable with this, but only if it's reviewed by someone with a lot of HTML security experience. KSES has had bugs, but never anything that caused us a security problem; I'm hesitant to rock that boat without lots of review.

comment:4 @matt, 8 years ago

It should also be compared to our existing functions like balancetags, to see if we can reduce any code.

comment:5 @alpha2zee, 7 years ago

This kses mod has evolved into htmLawed.

  • highly and easily customizable
  • ~45 kb single-file, non-OOP code with peak basal memory usage of ~0.5 MB
  • improved tag balancing, entity checks and conversions
  • remains kses-compatible
  • NEW: transformation of deprecated tags/attributes
  • NEW: anti-email/link spam measures
  • NEW: absolute/relative URL conversions
  • NEW: filtering/conversion of bad characters introduced by Microsoft Word, etc.

A testing script is in the download; htmLawed can also be tried online.

comment:6 @darkdragon, 7 years ago

  • Milestone changed from 2.5 to 2.6

No patch, sending to 2.6

comment:7 @Denis-de-Bernardy, 6 years ago

  • Component changed from Optimization to Security
  • Keywords needs-patch added
  • Owner changed from anonymous to ryan

comment:8 @Denis-de-Bernardy, 6 years ago

  • Milestone changed from 2.9 to Future Release
  • Priority changed from normal to low
  • Severity changed from normal to minor

There is a better option than kses nowadays: HTML Purifier.

comment:9 @solarissmoke, 4 years ago

  • Keywords close added; needs-patch removed

This ticket has been idle for years. Given how heavily modified wp-kses is from the original, I don't see this happening?

comment:10 @nacin, 4 years ago

  • Milestone Future Release deleted
  • Resolution set to wontfix
  • Status changed from new to closed