Make WordPress Core

Context Navigation

← Previous Ticket
Next Ticket →

Opened 6 years ago

Closed 6 years ago

#6583 closed defect (bug) (fixed)

kses Allows Invalid Unicode Numeric Entities

Reported by:	schiller	Owned by:
Milestone:	2.7	Priority:	normal
Severity:	normal	Version:
Component:	General	Keywords:	has-patch 2nd-opinion
Focuses:		Cc:

Description

wp_kses_normalize_entities() allows a user to type "" in a comment. This is not properly escaped as "&#xfffe;". For bloggers outputting true XHTML, this is disastrous. kses should be modified to escape the ampersand in any numeric entity reference that is not a valid Unicode character.

Attachments (2)

report.txt (1.2 KB) - added by schiller 6 years ago.: Unix diff patch from WP 2.5.0 kses.php
bug6583.patch (2.2 KB) - added by schiller 6 years ago.: Patch against SVN

Download all attachments as: .zip

Change History (6)

schiller — 6 years ago

Attachment report.txt added

Unix diff patch from WP 2.5.0 kses.php

comment:1 schiller — 6 years ago

Cc rubys@… added

schiller — 6 years ago

Attachment bug6583.patch added

Patch against SVN

comment:2 schiller — 6 years ago

Keywords has-patch 2nd-opinion added
Milestone changed from 2.7 to 2.6

comment:3 azaozz — 6 years ago

Milestone changed from 2.9 to 2.7

comment:4 azaozz — 6 years ago

Resolution set to fixed
Status changed from new to closed

(In [8386]) kses - properly escape non-Unicode entities. Fixes #6583. Props schiller.

Note: See TracTickets for help on using tickets.

Trac UI Preferences

Download in other formats: