Make WordPress Core

Opened 4 years ago

#51482 new enhancement

wp_kses_post should filter javascript content as well as the <script> tags

Reported by: janmiddelkoop Owned by:
Milestone: Awaiting Review Priority: normal
Severity: minor Version: 5.5.1
Component: Formatting Keywords:
Focuses: Cc:

Description

Like the title says, wp_kses_post filters the JavaScript <script> and </script> tags, but not the actual JavaScript itself. If you sanitize some content using wp_kses_post that contains <script> tags, the JavaScript becomes readable in the browser; you actually end up with very unexpected output.

A real-world example where this is rather annoying is the default Storefront theme for WooCommerce, which uses wp_kses_post for sanitizing content for a sticky product header. If that content contains JavaScript, the sticky header is filled with the script content instead of readable content.

While not required from a security standpoint, I would expect it to be more sane for these functions to actually strip the javascript rather than make it visible.

Example:
$str = "hello <script>myvar = 'foobar';</script> world!";
wp_kses_post($str);

Outputs:
hello myvar = 'foobar'; world!

Expected output:
hello world!
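One way a theme or plugin can get the expected output today is to remove whole <script> elements, body included, before handing the markup to wp_kses_post. The following is an added example, not code from this ticket or from WordPress core; the helper names are hypothetical, and outside WordPress it stands in for wp_kses_post with strip_tags, which like kses drops the tags but keeps the text between them.

```php
<?php
// Added example (not WordPress core code): drop <script> elements together with
// their contents so the script body never survives as visible text, which is
// the behaviour this ticket describes for wp_kses_post on its own.
// Assumptions: strip_script_elements() and kses_post_without_script_bodies()
// are hypothetical helper names; outside WordPress, strip_tags() is used as a
// stand-in for wp_kses_post() because both keep the text inside removed tags.

function strip_script_elements(string $html): string {
    // Remove complete <script ...>...</script> elements, case-insensitively,
    // including any newlines inside the script body.
    $html = preg_replace('#<script\b[^>]*>.*?</script\s*>#is', '', $html);
    // An unclosed <script ...> makes the rest of the document script content
    // in an HTML parser, so drop everything after it as well.
    $html = preg_replace('#<script\b[^>]*>.*$#is', '', $html);
    return $html;
}

function kses_post_without_script_bodies(string $html): string {
    $clean = strip_script_elements($html);
    if (function_exists('wp_kses_post')) {
        return wp_kses_post($clean);   // inside WordPress: the real kses filter
    }
    return strip_tags($clean);          // outside WordPress: stand-in (assumption)
}

// Constructed sample input, taken from the ticket's own example.
$str = "hello <script>myvar = 'foobar';</script> world!";
echo kses_post_without_script_bodies($str), "\n";
```

The script element is removed with its body, so only the surrounding text remains (with the two spaces that surrounded the element).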

Change History (0)
