Make WordPress Core

Opened 2 years ago

Last modified 2 years ago

#54753 new defect (bug)

Wrong post content when uploading raw post data via REST API when html data url is used

Reported by: nicohood
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 5.8.2
Component: REST API
Keywords:
Focuses: rest-api
Cc:

Description

I want to make use of data URLs in my post:
https://en.wikipedia.org/wiki/Data_URI_scheme
https://napuzba.com/data-url/

So I've added the following HTML to a post:
<a href="data:text/plain,I am text file" download="a2.txt">Download text file 2</a>

Now I want to upload this HTML via the REST API, and the REST API just filters out the "data:" part and the 'download="a2.txt"' part:
<a href="text/plain,I am text file">Download text file 2</a>

I made sure that I am also uploading the post with the edit context, but that does not help. I also tried to URL-encode all content, so my test case is also not faulty. No luck. This is my curl:

curl -X POST https://example.com/wp-json/wp/v2/posts/ -u 'user:password' -d 'title=test&status=draft&context=edit&content=<a href="data:text/plain,I am text file" download="a2.txt">Download text file 2</a>'

curl -X POST https://example.com/wp-json/wp/v2/posts/ -u 'user:password' -d 'title=test&status=draft&context=edit&content=%3Ca%20href%3D%22data%3Atext%2Fplain%2CI%20am%20text%20file%22%20download%3D%22a2.txt%22%3EDownload%20text%20file%202%3C%2Fa%3E'

Is there a way to disable this filtering of my HTML? If not, it might be a bug?

Change History (1)

#1 @nicohood
2 years ago

The reason for this issue is the privileges of the uploading user. He must be at least a "Redakteur" (the role below admin).

It would be nice to set those permissions in a more fine-grained way.
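
The behaviour reported in this ticket, as an added example that is not part of the ticket and is not WordPress's own code: a simplified Python model of allow-list HTML filtering in which a caller without the unfiltered-HTML privilege has disallowed URL schemes and attributes stripped. The allow-lists, the function names and the `unfiltered_html` flag are assumptions chosen to reproduce the output quoted in the description.

```python
import re

# Constructed allow-lists for this model (assumptions, not WordPress's real lists).
ALLOWED_PROTOCOLS = {"http", "https", "mailto"}
ALLOWED_ATTRS = {"a": {"href", "title", "rel", "target"}}

TAG_RE = re.compile(r'<(/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[a-zA-Z-]+="[^"]*")*)\s*/?>')
ATTR_RE = re.compile(r'([a-zA-Z-]+)="([^"]*)"')
SCHEME_RE = re.compile(r'^\s*([a-zA-Z][a-zA-Z0-9+.-]*):')

# The markup from the ticket description.
TICKET_HTML = ('<a href="data:text/plain,I am text file" download="a2.txt">'
               'Download text file 2</a>')


def strip_bad_protocol(value):
    """Remove leading URL schemes until an allowed one (or none) remains."""
    while True:
        m = SCHEME_RE.match(value)
        if not m or m.group(1).lower() in ALLOWED_PROTOCOLS:
            return value
        value = value[m.end():]


def _filter_tag(m):
    closing, tag, attrs = m.group(1), m.group(2).lower(), m.group(3)
    if tag not in ALLOWED_ATTRS:
        return ""                      # unknown element: drop the tag, keep its text
    if closing:
        return f"</{tag}>"
    kept = []
    for name, value in ATTR_RE.findall(attrs):
        name = name.lower()
        if name not in ALLOWED_ATTRS[tag]:
            continue                   # e.g. download="..." is not on the list
        if name == "href":
            value = strip_bad_protocol(value)
        kept.append(f'{name}="{value}"')
    return "<" + " ".join([tag] + kept) + ">"


def sanitize(html, unfiltered_html=False):
    """Trusted callers keep their markup; everyone else gets the allow-lists."""
    return html if unfiltered_html else TAG_RE.sub(_filter_tag, html)


if __name__ == "__main__":
    print(sanitize(TICKET_HTML))                        # restricted user
    print(sanitize(TICKET_HTML, unfiltered_html=True))  # privileged user
```

Removing only the scheme is what leaves `text/plain,I am text file` behind as a relative URL, which is why the stored link looks broken rather than absent.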
