Opened 10 months ago
Closed 3 months ago
#60243 closed defect (bug) (duplicate)
KSES: Allow encoded images
Reported by: | Chouby | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | |
Component: | Formatting | Keywords: | has-patch |
Focuses: | Cc: |
Description
According to RFC 2397, it is possible to include directly some small media instead of using an external source.
For example:
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAALCAMAAABBPP0LAAAAh1BMVEXpTFTwNj7rHiTz8/Pv7u7XAgLuKTP4o6f0l5n9/f327e36+vv39/fnaGvtbnPIAAD1jpPwgIPoe4H19fXhPUDwdXfy0NHtY2XoXmLowcLsvr/fREu+AADwiIzy8vLeLzT1mp/qWFjcJSrgUVeyAADs4+PYGx7kBgjprazr6+umAADPz8/ExMQoJmQzAAAAiElEQVR4ASWJRULDUBCGv5l4gm9wVtj9jwNt37LuEveM/Cq0K/TTs7hDMBT9u4EkqNunq2u1AZtrpJ35/Wtpq9M6jev4XGevUQqiH/uyfLDj4JjGH6UtyoyA9Wpmbp+wAf3ybZEg/v1V84WVoFyngbd7KcvWGxtXwVoBxvDPyzlFHAjfAAEqoAEThSiV/9sl/gAAAABJRU5ErkJggg==" alt="" width="16" height="11" style="width: 16px;height: 11px">
When passing this small piece of html through wp_kses_post()
, the data:
part is stripped out like this:
<img src="image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAALCAMAAABBPP0LAAAAh1BMVEXpTFTwNj7rHiTz8/Pv7u7XAgLuKTP4o6f0l5n9/f327e36+vv39/fnaGvtbnPIAAD1jpPwgIPoe4H19fXhPUDwdXfy0NHtY2XoXmLowcLsvr/fREu+AADwiIzy8vLeLzT1mp/qWFjcJSrgUVeyAADs4+PYGx7kBgjprazr6+umAADPz8/ExMQoJmQzAAAAiElEQVR4ASWJRULDUBCGv5l4gm9wVtj9jwNt37LuEveM/Cq0K/TTs7hDMBT9u4EkqNunq2u1AZtrpJ35/Wtpq9M6jev4XGevUQqiH/uyfLDj4JjGH6UtyoyA9Wpmbp+wAf3ybZEg/v1V84WVoFyngbd7KcvWGxtXwVoBxvDPyzlFHAjfAAEqoAEThSiV/9sl/gAAAABJRU5ErkJggg==" alt="" width="16" height="11" style="width: 16px;height: 11px">
This is resulting in a 404 error for the image source.
NB: #25851 also refers to encoded images but the reported issue is more about large contents and not this specific issue.
Attachments (1)
Change History (6)
This ticket was mentioned in PR #7201 on WordPress/wordpress-develop by @iflairwebtechnologies.
3 months ago
#1
- Keywords has-patch added
#3
follow-up:
↓ 5
@
3 months ago
I believe that this is a duplicate of #19354 and that was closed 10 years ago as being a security risk.
Note: See
TracTickets for help on using
tickets.
@Chouby
You can review the added 60243.patch and generated PR request