Make WordPress Core

Opened 18 years ago

Closed 18 years ago

Last modified 7 months ago

#6583 closed defect (bug) (fixed)

kses Allows Invalid Unicode Numeric Entities

Reported by: schiller
Owned by:
Milestone: 2.7
Priority: normal
Severity: normal
Version:
Component: General
Keywords: has-patch 2nd-opinion
Focuses:
Cc:

Description

wp_kses_normalize_entities() allows a user to type "" in a comment. This is not properly escaped as "". For bloggers outputting true XHTML, this is disastrous. kses should be modified to escape the ampersand in any numeric entity reference that is not a valid Unicode character.

Attachments (2)

report.txt (1.2 KB) - added by schiller 18 years ago.
Unix diff patch from WP 2.5.0 kses.php
bug6583.patch (2.2 KB) - added by schiller 18 years ago.
Patch against SVN


Change History (7)

@schiller
18 years ago

Unix diff patch from WP 2.5.0 kses.php

#1 @schiller
18 years ago

  • Cc rubys@… added

@schiller
18 years ago

Patch against SVN

#2 @schiller
18 years ago

  • Keywords has-patch 2nd-opinion added
  • Milestone changed from 2.7 to 2.6

#3 @azaozz
18 years ago

  • Milestone changed from 2.9 to 2.7

#4 @azaozz
18 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [8386]) kses - properly escape non-Unicode entities. Fixes #6583. Props schiller.

#5 @jonsurrell
7 months ago

In 60405:

Docs: Expand valid_unicode function documentation.

The valid_unicode() function accepts a limited set of codepoints according to the XML specification. Document the allowed codepoints and link to relevant documentation.

Developed in https://github.com/WordPress/wordpress-develop/pull/9100.

Props jonsurrell, dmsnell.
See #6583, #63166.
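As an added illustration of the fix the ticket asks for and of the code point ranges comment #5 says valid_unicode() accepts (example code written for this page, not kses.php itself): the check below re-implements the XML 1.0 Char ranges, and the normalizer escapes the ampersand of any decimal or hexadecimal numeric reference that falls outside them. The function names and the sample input are constructed.

```php
<?php
// Added example, not WordPress code. Accepts exactly the XML 1.0 "Char"
// production: #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF].
// Everything else (NUL, other C0 controls, surrogates, > U+10FFFF) is rejected.
function example_valid_unicode( int $cp ): bool {
    return 0x9 === $cp || 0xA === $cp || 0xD === $cp
        || ( 0x20 <= $cp && $cp <= 0xD7FF )
        || ( 0xE000 <= $cp && $cp <= 0xFFFD )
        || ( 0x10000 <= $cp && $cp <= 0x10FFFF );
}

// Numeric references to invalid code points are not removed; their leading
// ampersand is escaped, so an XHTML consumer sees literal text instead of a
// character reference it must reject. Valid references pass through unchanged.
function example_normalize_numeric_entities( string $html ): string {
    // Decimal form: &#NNN; (at most 7 digits, which already covers 0x10FFFF)
    $html = preg_replace_callback(
        '/&#([0-9]{1,7});/',
        function ( array $m ): string {
            $cp = (int) $m[1];
            return example_valid_unicode( $cp ) ? "&#{$m[1]};" : "&amp;#{$m[1]};";
        },
        $html
    );
    // Hexadecimal form: &#xHHHH; (at most 6 hex digits)
    return preg_replace_callback(
        '/&#[Xx]([0-9A-Fa-f]{1,6});/',
        function ( array $m ): string {
            $cp = hexdec( $m[1] );
            return example_valid_unicode( $cp ) ? "&#x{$m[1]};" : "&amp;#x{$m[1]};";
        },
        $html
    );
}

// Constructed sample comment text: a valid reference (A), a NUL reference,
// a surrogate code point, a code point above U+10FFFF, and the last valid one.
$sample = 'ok &#65; &#0; &#xD800; &#x110000; &#x10FFFF;';
echo example_normalize_numeric_entities( $sample ), "\n";
```

Only the three out-of-range references in the sample come back with `&amp;` in front; `&#65;` and `&#x10FFFF;` are left intact.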
