
Opened 9 months ago

#52333 new defect (bug)

Lack of the &colon; entity on the list of allowed entity names in kses.php

Reported by: dziudek
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: minor
Version: 5.6
Component: Security
Keywords: has-patch
Focuses:
Cc:

Description

Hi,

Today I discovered that the &colon; entity is escaped by the wp_kses_post() function.

After analysis I discovered that this entity is missing from the $allowedentitynames array in the wp-includes/kses.php file.

The only thing to consider is the fact that the named colon entity caused some security issues in WP 5.3: https://wpscan.com/vulnerability/8fac612b-95d2-477a-a7d6-e5ec0bb9ca52
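As an added illustration (not part of this ticket and not WordPress's own code): a constructed, simplified Python model of the kses named-entity pass. It shows why &colon; comes back as &amp;colon; while "colon" is absent from the allow-list and passes through once it is added, and it shows the check that the 5.3 history makes worth verifying alongside the patch: a protocol check on an href value has to run on the entity-decoded value, because javascript&colon;alert(1) contains no literal colon at all. The allow-list subset, the ALLOWED_PROTOCOLS set and the helper names are assumptions made for the demo.

```python
import html
import re

# Constructed subset of the $allowedentitynames list (the real list is far longer);
# "colon" is deliberately absent, matching the state this ticket reports.
ALLOWED_ENTITY_NAMES = frozenset({
    "amp", "lt", "gt", "quot", "apos", "nbsp", "copy", "reg",
    "hellip", "mdash", "ndash",
})

# Assumed protocol allow-list for the href check below.
ALLOWED_PROTOCOLS = frozenset({"http", "https", "mailto", "ftp"})

# A named entity: ampersand, 2-8 letters, up to two digits, semicolon.
_NAMED_ENTITY = re.compile(r"&([A-Za-z]{2,8}[0-9]{0,2});")


def normalize_named_entities(content: str, allowed=ALLOWED_ENTITY_NAMES) -> str:
    """Keep allow-listed named entities; escape every other one to &amp;name;.

    This mirrors the behaviour the ticket describes: an entity whose name is
    not in the allow-list is not removed, it is neutralised by escaping its
    leading ampersand, so &colon; becomes &amp;colon; in the output.
    """
    def repl(match: re.Match) -> str:
        name = match.group(1)
        return f"&{name};" if name in allowed else f"&amp;{name};"
    return _NAMED_ENTITY.sub(repl, content)


def href_scheme_allowed(href: str, decode_entities: bool) -> bool:
    """Return True if the URL's scheme is allowed (or the URL is relative).

    With decode_entities=False the check looks at the raw attribute value,
    so "javascript&colon;alert(1)" has no ':' and is wrongly treated as a
    relative URL. With decode_entities=True the entities are decoded first,
    which is the only order in which the scheme check is meaningful.
    """
    value = html.unescape(href) if decode_entities else href
    value = value.strip()
    if ":" not in value:
        return True  # no scheme present, relative URL
    scheme = value.split(":", 1)[0].lower()
    return scheme in ALLOWED_PROTOCOLS


if __name__ == "__main__":
    # Constructed sample content mixing benign and hostile use of &colon;.
    sample = 'Time &colon; 10&colon;30 &amp; <a href="javascript&colon;alert(1)">x</a>'
    print("before patch:", normalize_named_entities(sample))
    print("after patch: ", normalize_named_entities(sample, ALLOWED_ENTITY_NAMES | {"colon"}))
    for decode in (False, True):
        print(f"decode_entities={decode}:",
              href_scheme_allowed("javascript&colon;alert(1)", decode))
```

The first function is the ticket's observation in runnable form; the second is the caveat a reviewer would raise against the patch: once &colon; survives kses, the href sanitisation downstream must decode entities before it looks for the scheme, otherwise the allow-list change reopens the class of issue the 5.3 advisory describes.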

Attachments (1)

patch.diff (530 bytes) - added by dziudek 9 months ago.
Patch which adds the colon entity to the allowed entities list


Change History (1)

@dziudek
9 months ago

Patch which adds the colon entity to the allowed entities list
