Make WordPress Core

Opened 14 months ago

Last modified 4 weeks ago

#60347 new defect (bug)

wp_kses breaking text fragment links

Reported by: asafm7
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Formatting
Keywords: good-first-bug has-patch has-unit-tests needs-testing
Focuses:
Cc:

Description

Hello.

It seems that wp_kses() (probably wp_kses_bad_protocol()) is breaking text fragment links (https://developer.mozilla.org/en-US/docs/Web/Text_fragments).

For example:
<a href="#:~:text=highlight">Link</a>

This issue became more prominent as recently ACF started escaping HTML using the wp_kses() function (https://www.advancedcustomfields.com/blog/acf-6-2-5-security-release/).

I confirmed the issue with ACF's support.

Attachments (1)

60347-kses-text-fragments.patch (1.9 KB) - added by shanemuir 4 months ago.
This patch fixes the issue where kses removes text fragment links (e.g., #:~:text) as invalid protocols. The fix adds a check in wp_kses_bad_protocol to allow such fragments. The patch also includes unit tests to verify the behavior.


Change History (9)

#1 @asafm7
14 months ago

I forgot to mention that it only happens to relative links, without a protocol.

Like in the example I provided:

<a href="#:~:text=highlight">Link</a>

#2 @asafm7
9 months ago

Hi, is there any way to promote a fix for this issue?

#3 @johnbillion
4 months ago

  • Component changed from Security to Formatting
  • Keywords needs-patch needs-unit-tests good-first-bug added

@shanemuir
4 months ago

This patch fixes the issue where kses removes text fragment links (e.g., #:~:text) as invalid protocols. The fix adds a check in wp_kses_bad_protocol to allow such fragments. The patch also includes unit tests to verify the behavior.

#4 follow-up: @asafm7
4 months ago

That's great. Thanks, @shanemuir.

Will this be a part of the next release?

#5 in reply to: ↑ 4 @shanemuir
4 months ago

Replying to asafm7:

That's great. Thanks, @shanemuir.

Will this be a part of the next release?

The patch will first need to undergo a review. If no issues are identified, it will then be assigned to a milestone, which will determine the future release in which this patch will be included.

#6 @shanemuir
4 months ago

  • Keywords has-patch has-unit-tests added; needs-patch needs-unit-tests removed

#7
4 months ago

This ticket was mentioned in PR #7890 on WordPress/wordpress-develop by @shanemuir.

This PR addresses the issue in Trac ticket #60347, where wp_kses() removes valid text fragment links (e.g., #:~:text=highlight) by treating them as invalid protocols.

Changes:

  • Updated wp_kses_bad_protocol() in kses.php to explicitly allow text fragments (#:~:text).
  • Added a unit test to verify that text fragments are preserved in the href attribute.

Testing:

  1. Run npm run test:php to confirm all tests pass.
  2. Apply the patch and manually test with an anchor tag containing #:~:text in the href attribute.
  • Example: <a href="#:~:text=highlight">Link</a> should pass validation.

Impact:

This change ensures that text fragment links are correctly preserved by wp_kses(), aligning with modern URL standards and avoiding unnecessary sanitization.

Trac ticket: https://core.trac.wordpress.org/ticket/60347
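To make the failure mode from the ticket description (and comment #1, which narrows it to relative links without a protocol) and the kind of fix described in the PR concrete, here is an added illustration in PHP. It is not WordPress core code and not the attached patch: it is a reduced model of the kses rule that treats everything before the first colon as a scheme and drops it when it is not allow-listed, beside a guarded version that skips that check for a URL whose first character is `#`. The function names, the allow-list and the sample URLs are constructed for this example; the page does not show how the real patch implements its check, so the guard here is an assumption about one reasonable approach.

```php
<?php
// Added illustration (not WordPress core code): a reduced model of the
// "first colon marks the scheme" logic that kses applies to URI attributes,
// and a guard that lets pure fragment URLs such as #:~:text=... through.

// Constructed allow-list for the demo; kses uses wp_allowed_protocols().
const DEMO_ALLOWED_PROTOCOLS = array( 'http', 'https', 'mailto', 'tel' );

/**
 * Reduced model of the scheme check: everything before the first ':' is
 * treated as a scheme and dropped when it is not in the allow-list.
 * Repeats until the string stops changing, like the real loop does.
 */
function demo_bad_protocol( string $url, array $allowed ): string {
    $iterations = 0;
    do {
        $original = $url;
        $parts    = explode( ':', $url, 2 );
        if ( isset( $parts[1] ) ) {
            $scheme = strtolower( trim( $parts[0] ) );
            // Non-allowed scheme: drop it, keep the remainder. This is what
            // turns "#:~:text=highlight" into "text=highlight" in two rounds.
            $url = in_array( $scheme, $allowed, true ) ? $url : trim( $parts[1] );
        }
    } while ( $original !== $url && ++$iterations < 6 );
    return $url;
}

/**
 * Same check with a fragment guard: a URL whose very first character is '#'
 * cannot carry a scheme (the whole string is the fragment), so the protocol
 * test is skipped. Anchoring on position 0 matters: "javascript:#x" still
 * goes through the scheme check and is stripped.
 */
function demo_bad_protocol_fixed( string $url, array $allowed ): string {
    if ( '' !== $url && '#' === $url[0] ) {
        return $url;
    }
    return demo_bad_protocol( $url, $allowed );
}

// Constructed sample hrefs.
$cases = array(
    '#:~:text=highlight',              // text fragment link from the ticket
    '#section',                        // plain anchor, no colon involved
    'https://example.com/#:~:text=x',  // absolute URL with a text fragment
    'javascript:alert(1)',             // non-allowed scheme, must still be stripped
    'javascript:#:~:text=x',           // '#' not at position 0: still checked
);

foreach ( $cases as $url ) {
    printf(
        "%-32s before: %-24s after: %s\n",
        $url,
        var_export( demo_bad_protocol( $url, DEMO_ALLOWED_PROTOCOLS ), true ),
        var_export( demo_bad_protocol_fixed( $url, DEMO_ALLOWED_PROTOCOLS ), true )
    );
}
```

Running it shows the first case collapsing to `'text=highlight'` under the unguarded check and surviving intact under the guarded one, while the two `javascript:` cases are stripped either way. The point of the last case is the check a reviewer would want on any such fix: the exemption must apply only when `#` is the first character, otherwise a scheme placed in front of a fragment would slip past the protocol filter.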

#8 @shanemuir
4 weeks ago

  • Keywords needs-testing added