Make WordPress Core

Opened 10 months ago

Closed 3 months ago

#60243 closed defect (bug) (duplicate)

KSES: Allow encoded images

Reported by: chouby's profile Chouby Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Formatting Keywords: has-patch
Focuses: Cc:

Description

According to RFC 2397, it is possible to include directly some small media instead of using an external source.
For example:

<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAALCAMAAABBPP0LAAAAh1BMVEXpTFTwNj7rHiTz8/Pv7u7XAgLuKTP4o6f0l5n9/f327e36+vv39/fnaGvtbnPIAAD1jpPwgIPoe4H19fXhPUDwdXfy0NHtY2XoXmLowcLsvr/fREu+AADwiIzy8vLeLzT1mp/qWFjcJSrgUVeyAADs4+PYGx7kBgjprazr6+umAADPz8/ExMQoJmQzAAAAiElEQVR4ASWJRULDUBCGv5l4gm9wVtj9jwNt37LuEveM/Cq0K/TTs7hDMBT9u4EkqNunq2u1AZtrpJ35/Wtpq9M6jev4XGevUQqiH/uyfLDj4JjGH6UtyoyA9Wpmbp+wAf3ybZEg/v1V84WVoFyngbd7KcvWGxtXwVoBxvDPyzlFHAjfAAEqoAEThSiV/9sl/gAAAABJRU5ErkJggg==" alt="" width="16" height="11" style="width: 16px;height: 11px">

When passing this small piece of html through wp_kses_post(), the data: part is stripped out like this:

<img src="image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAALCAMAAABBPP0LAAAAh1BMVEXpTFTwNj7rHiTz8/Pv7u7XAgLuKTP4o6f0l5n9/f327e36+vv39/fnaGvtbnPIAAD1jpPwgIPoe4H19fXhPUDwdXfy0NHtY2XoXmLowcLsvr/fREu+AADwiIzy8vLeLzT1mp/qWFjcJSrgUVeyAADs4+PYGx7kBgjprazr6+umAADPz8/ExMQoJmQzAAAAiElEQVR4ASWJRULDUBCGv5l4gm9wVtj9jwNt37LuEveM/Cq0K/TTs7hDMBT9u4EkqNunq2u1AZtrpJ35/Wtpq9M6jev4XGevUQqiH/uyfLDj4JjGH6UtyoyA9Wpmbp+wAf3ybZEg/v1V84WVoFyngbd7KcvWGxtXwVoBxvDPyzlFHAjfAAEqoAEThSiV/9sl/gAAAABJRU5ErkJggg==" alt="" width="16" height="11" style="width: 16px;height: 11px">

This is resulting in a 404 error for the image source.

NB: #25851 also refers to encoded images but the reported issue is more about large contents and not this specific issue.

Attachments (1)

60243.patch (1.7 KB) - added by iflairwebtechnologies 3 months ago.

Download all attachments as: .zip

Change History (6)

This ticket was mentioned in PR #7201 on WordPress/wordpress-develop by @iflairwebtechnologies.


3 months ago
#1

  • Keywords has-patch added

#2 @iflairwebtechnologies
3 months ago

@Chouby
You can review the added 60243.patch and generated PR request

#3 follow-up: @samiamnot
3 months ago

I believe that this is a duplicate of #19354 and that was closed 10 years ago as being a security risk.

#4 @iflairwebtechnologies
3 months ago

@samiamnot
Sorry but here, a ticket was generated, not any mention of closing

#5 in reply to: ↑ 3 @SergeyBiryukov
3 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Replying to samiamnot:

I believe that this is a duplicate of #19354 and that was closed 10 years ago as being a security risk.

Indeed, let's continue the discussion there.

Note: See TracTickets for help on using tickets.