Opened 4 years ago
#52333 new defect (bug)
Lack of the : entity on the list of allowed entity names in kses.php
Reported by: | dziudek | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | minor | Version: | 5.6 |
Component: | Security | Keywords: | has-patch |
Focuses: | | Cc: | |
Description
Hi,
Today I have discovered that the `&colon;` entity is escaped by the wp_kses_post function.
After analysis I have discovered that this entity is missing from the $allowedentitynames list in the wp-includes/kses.php file.
The only thing to consider is the fact that the named colon entity caused some security issues in WP 5.3: https://wpscan.com/vulnerability/8fac612b-95d2-477a-a7d6-e5ec0bb9ca52
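To illustrate the behaviour described in this ticket, here is an added Python model (not WordPress code, and not the attached patch) of how a kses-style entity allowlist turns a named entity that is not on the list into `&amp;name;`, and of the check a reviewer would want alongside any widening of that list: URL schemes must be validated on the decoded value, since an allowed `&colon;` decodes to `:`. The allowlist, the entity table and the safe-scheme list are constructed stand-ins, much shorter than the real ones in kses.php.

```python
import re

# Constructed, abbreviated stand-in for WordPress's $allowedentitynames;
# the real list in wp-includes/kses.php is far longer and lacks "colon".
ALLOWED_ENTITY_NAMES = {"amp", "lt", "gt", "quot", "nbsp", "copy"}

# Matches a named entity such as &colon; (numeric entities are out of scope here).
NAMED_ENTITY = re.compile(r"&([A-Za-z][A-Za-z0-9]*);")


def normalize_entities(text, allowed=ALLOWED_ENTITY_NAMES):
    """Model of kses entity normalisation: a named entity whose name is not
    on the allowlist has its ampersand escaped, so &colon; becomes &amp;colon;."""
    def repl(match):
        name = match.group(1)
        return match.group(0) if name in allowed else "&amp;" + name + ";"
    return NAMED_ENTITY.sub(repl, text)


# Constructed decode table: what a browser resolves these entities to.
ENTITY_VALUES = {"colon": ":", "amp": "&", "lt": "<", "gt": ">",
                 "quot": '"', "nbsp": "\xa0", "copy": "\u00a9"}


def decode_entities(text):
    """Decode the named entities in the table above; unknown names are kept as-is."""
    return NAMED_ENTITY.sub(lambda m: ENTITY_VALUES.get(m.group(1), m.group(0)), text)


# Hypothetical safe-scheme list (WordPress keeps its own, longer list).
SAFE_SCHEMES = ("http", "https", "mailto")


def href_is_safe(href):
    """Scheme check that decodes entities first: once colon is an allowed
    entity, "http&colon;//..." must be judged as "http://...", not as a
    scheme-less relative URL."""
    decoded = decode_entities(href).strip().lower()
    if ":" not in decoded:
        return True  # relative URL, no scheme to validate
    scheme = decoded.split(":", 1)[0]
    return scheme in SAFE_SCHEMES
```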
Attachments (1)
Patch which adds the colon entity to the allowed entities list