Opened 4 years ago
#51482 new enhancement
wp_kses_post should filter javascript content as well as the <script> tags
| Reported by: | janmiddelkoop | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | minor | Version: | 5.5.1 |
| Component: | Formatting | Keywords: | |
| Focuses: | | Cc: | |
Description
Like the title says, wp_kses_post filters javascript <script> and </script> tags, but not the actual javascript itself. If you sanitize some content using wp_kses_post that contains <script> tags, the javascript becomes readable in the browser; you actually end up with very unexpected output.
A real world example where this is rather annoying is the default Storefront theme for WooCommerce, which uses wp_kses_post for sanitizing content for a sticky product header. If that content contains javascript, the sticky is filled with the script content instead of readable content.
While not required from a security standpoint, I would expect it to be more sane for these functions to actually strip the javascript rather than make it visible.
Example:

```php
// Inside a WordPress request, where wp_kses_post() is loaded.
$str = "hello <script>myvar = 'foobar';</script> world!";
echo wp_kses_post($str);
```

Outputs:

```
hello myvar = 'foobar'; world!
```

Expected output:

```
hello world!
```
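The behaviour the ticket describes is that of a tag-level sanitizer: the `<script>` and `</script>` tags are removed, but the text between them survives and is rendered as visible content. The following is an added example, not code from WordPress or from the ticket's author. It runs outside WordPress, so it uses PHP's built-in `strip_tags()` to stand in for the tag-only stripping reported above, and adds a hypothetical helper, `strip_script_elements()`, that removes whole `<script>...</script>` elements (tags and body) before the tag-level sanitizer runs.

```php
<?php
// Added example (not WordPress or Storefront code).
// Shows the difference between stripping only the <script> tags and
// removing the entire script element, body included.

/**
 * Hypothetical helper: remove complete <script>...</script> elements,
 * including everything between the tags. Meant to run before a
 * tag-level sanitizer such as wp_kses_post(), so script bodies never
 * end up as visible text.
 */
function strip_script_elements(string $html): string
{
    // i: case-insensitive (<SCRIPT> too), s: dot matches newlines,
    // non-greedy so each element is removed on its own.
    $pattern = '#<script\b[^>]*>.*?</script\s*>#is';
    $cleaned = preg_replace($pattern, '', $html);

    // preg_replace() returns null on a regex error (e.g. backtrack limit);
    // fall back to the untouched input rather than returning nothing.
    return $cleaned ?? $html;
}

/**
 * Collapse the whitespace left behind where an element was removed,
 * so "hello  world!" becomes "hello world!".
 */
function tidy_whitespace(string $text): string
{
    return trim(preg_replace('/\s{2,}/', ' ', $text) ?? $text);
}

// Constructed input, identical to the ticket's example.
$str = "hello <script>myvar = 'foobar';</script> world!";

// 1. Tag-only stripping. strip_tags() is used here purely to illustrate the
//    behaviour the ticket reports for wp_kses_post(): tags go, body stays.
echo "tag-only:        ", strip_tags($str), PHP_EOL;

// 2. Element removal first, then tag-level stripping.
echo "element removal: ", tidy_whitespace(strip_tags(strip_script_elements($str))), PHP_EOL;

// A multi-line, mixed-case script body is handled by the same pattern.
$multi = "a <SCRIPT type=\"text/javascript\">\n  var x = 1;\n</SCRIPT> b";
echo "multi-line:      ", tidy_whitespace(strip_tags(strip_script_elements($multi))), PHP_EOL;
```

The helper only matches elements that have a closing `</script>` tag; an unterminated `<script>` in a fragment is left for the tag-level sanitizer, which still removes the tag itself but, as the ticket shows, not the text after it. Running the element removal first and the tag-level sanitizer second keeps the existing allow-list behaviour of `wp_kses_post()` while fixing the display problem the ticket reports.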