Opened 5 months ago
Last modified 6 weeks ago
#61246 new defect (bug)
wp_kses makes HTML comment HTML uncommented
Reported by: | kkmuffme | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | |
Component: | Formatting | Keywords: | has-patch has-unit-tests changes-requested |
Focuses: | Cc: |
Description
asd <!-- <a href="other-page.com" class="hello">world</a> --> asd
when calling wp_kses(_post) on it, this commented HTML gets uncommented and you get a link displayed on the page.
asd <!-- <a href="other-page.com" class="hello">world</a> --> asd
If that commented code contains some unsanitized stuff (as is often the case since people assume it's commented and thus can be ignored - including phpcs won't report errors for commented stuff afaik) this could be a security issue.
Generally though, it's just an unexpected display issue.
Change History (4)
This ticket was mentioned in PR #6577 on WordPress/wordpress-develop by @kkmuffme.
5 months ago
#1
- Keywords has-patch has-unit-tests added
#2
@
5 months ago
I have taken a look at this and can confirm that this is indeed a bug I could reproduce from the trunk. I have also tested the patch and it seems to address this issue accordingly. Good job!
#3
@
6 weeks ago
- Component changed from Security to Formatting
- Keywords changes-requested added
- Version 6.6 deleted
#4
@
6 weeks ago
Thanks @hellofromTonya - the bug is still present in trunk
<?php var_dump( wp_kses_post( 'asd <!-- <a href="other-page.com" class="hello">world</a> --> asd' ) );
string(71) "asd <!-- <a href="other-page.com" class="hello">world</a> --> asd"
It is a very complicated issue though, particularly since comment handling is recursive and a fix in one spot might cascade into others.
One big question to answer is whether fixing this in this function would expose new issues in other places that assume the content coming out of wp_kses()
is a certain way. I'd love to see this entire stack of functions be replaced with a single pass with the Tag Processor, but I don't yet have all the answers to those questions.
Trac ticket: https://core.trac.wordpress.org/ticket/61246
I also added tests for the original ticket that introduced the deprecated function https://core.trac.wordpress.org/ticket/4409, since there were none.
Additionally, the fix also improves the existing logic by combining the escaping logic for <> into a single regex (ensuring it cannot be partially broken by removing of a filter and can be relied upon in 100% of cases).
Furthermore, a side effect is that it fixes broken behavior that kses would leave the last single or double quote unescaped, while escaping everything else unnecessarily.
see xssAttacks.xml "Remote Stylesheet 3" it will unnecessarily escape the " but will leave the last " unescaped
This seems to be a general issue that the last ' or " won't be escaped, e.g. also in
jQuery('#abc').append('<iframe src="xyz.com"></iframe>');
you'll end up with
jQuery('#abc').append('');
which itself was unsafe as the '); delimits the string now and can probably somehow abused (not too familiar with that tbf, so feedback welcome)