Make WordPress Core

Opened 4 weeks ago

Last modified 4 weeks ago

#61246 new defect (bug)

wp_kses makes HTML comment HTML uncommented

Reported by: kkmuffme's profile kkmuffme Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: trunk
Component: Security Keywords: has-patch has-unit-tests
Focuses: Cc:

Description

asd <!-- <a href="other-page.com" class="hello">world</a> --> asd

when calling wp_kses(_post) on it, this commented HTML gets uncommented and you get a link displayed on the page.

asd &lt;!-- <a href="other-page.com" class="hello">world</a> --&gt; asd

If that commented code contains some unsanitized stuff (as is often the case since people assume it's commented and thus can be ignored - including phpcs won't report errors for commented stuff afaik) this could be a security issue.

Generally though, it's just an unexpected display issue.

Change History (2)

This ticket was mentioned in PR #6577 on WordPress/wordpress-develop by @kkmuffme.


4 weeks ago
#1

  • Keywords has-patch has-unit-tests added

Trac ticket: https://core.trac.wordpress.org/ticket/61246

I also added tests for the original ticket that introduced the deprecated function https://core.trac.wordpress.org/ticket/4409, since there were none.

Additionally, the fix also improves the existing logic by combining the escaping logic for <> into a single regex (ensuring it cannot be partially broken by removing of a filter and can be relied upon in 100% of cases).

Furthermore, a side effect is that it fixes broken behavior that kses would leave the last single or double quote unescaped, while escaping everything else unnecessarily.
see xssAttacks.xml "Remote Stylesheet 3" it will unnecessarily escape the " but will leave the last " unescaped
This seems to be a general issue that the last ' or " won't be escaped, e.g. also in
jQuery('#abc').append('<iframe src="xyz.com"></iframe>');
you'll end up with
jQuery(&#039;#abc&#039;).append(&#039;');

which itself was unsafe as the '); delimits the string now and can probably somehow abused (not too familiar with that tbf, so feedback welcome)

#2 @jamieblomerus
4 weeks ago

I have taken a look at this and can confirm that this is indeed a bug I could reproduce from the trunk. I have also tested the patch and it seems to address this issue accordingly. Good job!

Note: See TracTickets for help on using tickets.