WordPress.org

Make WordPress Core

#48549 closed defect (bug) (fixed)

wp_kses_attr_check: add isset before accessing array key

Reported by: tristanleboss
Owned by: SergeyBiryukov
Milestone: 5.4
Priority: normal
Severity: normal
Version: 5.2.4
Component: Formatting
Keywords: has-patch
Focuses:
Cc:

Description

In file wp-includes/kses.php, the first line of the function wp_kses_attr_check tries to use a function argument directly as an array key without any check if it exists. This throws a notice in PHP if the key doesn't exist.

As this function is publicly available, I think it would be a cool idea to do some check before using the variable as an array key.

<?php
function wp_kses_attr_check( &$name, &$value, &$whole, $vless, $element, $allowed_html ) {
        $allowed_attr = $allowed_html[ strtolower( $element ) ];

Attachments (1)

48549.diff (648 bytes) - added by krynes 13 months ago.


Change History (4)

@krynes
13 months ago

#1 @krynes
13 months ago

  • Keywords has-patch added; needs-patch removed

#2 @SergeyBiryukov
13 months ago

  • Component changed from General to Formatting
  • Milestone changed from Awaiting Review to 5.4
  • Owner set to SergeyBiryukov
  • Status changed from new to reviewing

#3 @SergeyBiryukov
12 months ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 46959:

Formatting: Return early from wp_kses_attr_check() if the element is not in the list of allowed elements and attributes.

Props krynes, tristanleboss.
Fixes #48549.
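
The failure mode from the description and the early return named in the commit message, as an added example that is not WordPress core code: the function names, the simplified signatures and the allow-list are hypothetical, and blanking the by-reference arguments on rejection is an assumption of this example.

```php
<?php
// Added example; function names and the allow-list are hypothetical, not WordPress code.
$allowed_html = [ // constructed allow-list: element => allowed attributes
    'a'   => ['href' => true, 'title' => true],
    'img' => ['src' => true, 'alt' => true],
];

// "Before": indexes the allow-list with the caller-supplied element name directly.
function demo_attr_check_unguarded($name, $element, array $allowed_html) {
    $allowed_attr = $allowed_html[strtolower($element)]; // PHP diagnostic if the key is missing
    return isset($allowed_attr[strtolower($name)]);
}

// "After": unknown elements are rejected before the lookup happens.
function demo_attr_check_guarded(&$name, &$value, &$whole, $element, array $allowed_html) {
    $element_low = strtolower($element);
    if (!isset($allowed_html[$element_low])
        || !isset($allowed_html[$element_low][strtolower($name)])) {
        // Assumption of this example: fail closed by blanking the by-reference arguments.
        $name = $value = $whole = '';
        return false;
    }
    return true;
}

// Collect PHP diagnostics (E_NOTICE on PHP 7, E_WARNING on PHP 8) instead of printing them.
$diagnostics = [];
set_error_handler(function ($errno, $errstr) use (&$diagnostics) {
    $diagnostics[] = $errstr;
    return true;
});

// 'blink' is not a key in the constructed allow-list.
var_dump(demo_attr_check_unguarded('href', 'blink', $allowed_html));
echo count($diagnostics), " diagnostic(s) from the unguarded check\n";

$diagnostics = [];
$name  = 'href';
$value = 'https://example.test/';
$whole = 'href="https://example.test/"';
$ok = demo_attr_check_guarded($name, $value, $whole, 'blink', $allowed_html);
var_dump($ok, $whole);
echo count($diagnostics), " diagnostic(s) from the guarded check\n";

restore_error_handler();
```

Both variants reject the attribute, but only the guarded one does so without emitting a diagnostic that can fill logs or leak into output on sites that display errors.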
