Make WordPress Core

Opened 5 weeks ago

Last modified 5 weeks ago

#60347 new defect (bug)

wp_kses breaking text fragments links

Reported by: asafm7
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Security
Keywords:
Focuses:
Cc:

Description

Hello.

It seems that wp_kses() (probably wp_kses_bad_protocol()) is breaking text fragments links (https://developer.mozilla.org/en-US/docs/Web/Text_fragments).

For example:
<a href="#:~:text=highlight">Link</a>

This issue became more prominent as ACF recently started escaping HTML using the wp_kses() function (https://www.advancedcustomfields.com/blog/acf-6-2-5-security-release/).

I confirmed the issue with ACF's support.

Change History (1)

#1 @asafm7
5 weeks ago

I forgot to mention that it only happens to relative links, without a protocol.

Like in the example I provided:

<a href="#:~:text=highlight">Link</a>
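
A reproduction check for the behaviour reported in this ticket, added here as an example; it is not part of the ticket or of WordPress core. It assumes a loaded WordPress (for instance run with WP-CLI's `wp eval-file`), and the helper names, file name and sample URLs are hypothetical.

```php
<?php
// Added reproduction sketch, e.g. `wp eval-file kses-fragment.php` (file name is hypothetical).
// Sample hrefs are constructed for this check; example.com is a placeholder host.
$samples = array(
	'text directive, fragment only' => '#:~:text=highlight',
	'plain fragment'                => '#section',
	'text directive, absolute URL'  => 'https://example.com/page#:~:text=highlight',
);

// Pull the href value back out of sanitized markup; null if the attribute is gone.
function kses_fragment_href( $html ) {
	return preg_match( '/href="([^"]*)"/', $html, $m ) ? $m[1] : null;
}

// Run each sample through the full kses pass and through the protocol filter alone,
// so the output shows whether the protocol filter is the step that alters the value.
function kses_fragment_check( array $samples ) {
	$rows = array();
	foreach ( $samples as $label => $href ) {
		$link           = '<a href="' . $href . '">Link</a>';
		$rows[ $label ] = array(
			'input'              => $href,
			'after_kses_post'    => kses_fragment_href( wp_kses_post( $link ) ),
			'after_bad_protocol' => wp_kses_bad_protocol( $href, wp_allowed_protocols() ),
		);
	}
	return $rows;
}

foreach ( kses_fragment_check( $samples ) as $label => $row ) {
	$status = ( $row['input'] === $row['after_kses_post'] ) ? 'unchanged' : 'CHANGED';
	printf(
		"%-32s %-9s in=%s kses_post=%s bad_protocol=%s\n",
		$label,
		$status,
		var_export( $row['input'], true ),
		var_export( $row['after_kses_post'], true ),
		var_export( $row['after_bad_protocol'], true )
	);
}
```

Comparing the fragment-only row against the absolute-URL row checks the observation in comment #1 that only links without a protocol are affected.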
