Make WordPress Core

Opened 8 years ago

Closed 7 years ago

#6583 closed defect (bug) (fixed)

kses Allows Invalid Unicode Numeric Entities

Reported by: schiller
Owned by:
Milestone: 2.7
Priority: normal
Severity: normal
Version:
Component: General
Keywords: has-patch 2nd-opinion
Focuses:
Cc:


wp_kses_normalize_entities() allows a user to type "" in a comment. This is not properly escaped as "". For bloggers outputting true XHTML, this is disastrous. kses should be modified to escape the ampersand in any numeric entity reference that is not a valid Unicode character.
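The check the report asks for, as an added PHP example (it is not the kses code shipped in WordPress and not the patch attached to this ticket): every numeric character reference is decoded and tested against the XML 1.0 "Char" production, which is assumed here to be what "valid Unicode character" means for an XHTML consumer; a reference that fails the test keeps its ampersand escaped as `&amp;`, so the output never carries an ill-formed entity. The function names, the short named-entity allow-list and the sample strings are constructed for this example.

```php
<?php
// Added example, not WordPress's own kses code. Every '&' in untrusted text is
// escaped first; only numeric references that decode to a valid character
// (XML 1.0 "Char" production, an assumption of this example) are restored.

/** True when $cp is a character an XML/XHTML document may contain. */
function example_valid_unicode(int $cp): bool
{
    return $cp === 0x9 || $cp === 0xA || $cp === 0xD
        || ($cp >= 0x20 && $cp <= 0xD7FF)       // excludes C0 controls and surrogates
        || ($cp >= 0xE000 && $cp <= 0xFFFD)     // excludes U+FFFE and U+FFFF
        || ($cp >= 0x10000 && $cp <= 0x10FFFF); // supplementary planes
}

/**
 * Normalize ampersands and character references in untrusted text.
 * Step 1 turns every '&' into '&amp;'. Steps 2 and 3 restore decimal and
 * hexadecimal references whose code point passes example_valid_unicode().
 * Step 4 restores named entities from a deliberately short allow-list
 * (an assumption of this example; kses keeps a much longer list).
 */
function example_normalize_numeric_entities(string $text): string
{
    $text = str_replace('&', '&amp;', $text);

    // Decimal references such as &#65; (leading zeros are dropped on output).
    $text = preg_replace_callback('/&amp;#0*([0-9]{1,7});/', function (array $m): string {
        $cp = (int) $m[1];
        return example_valid_unicode($cp) ? "&#{$cp};" : $m[0];
    }, $text);

    // Hexadecimal references such as &#x41; or &#X41;.
    $text = preg_replace_callback('/&amp;#[Xx]0*([0-9A-Fa-f]{1,6});/', function (array $m): string {
        $cp = (int) hexdec($m[1]);
        return example_valid_unicode($cp) ? sprintf('&#x%X;', $cp) : $m[0];
    }, $text);

    // Named references: restore only the well-known, safe ones.
    $allowed = ['amp', 'lt', 'gt', 'quot', 'apos'];
    $text = preg_replace_callback('/&amp;([A-Za-z][A-Za-z0-9]{0,15});/', function (array $m) use ($allowed): string {
        return in_array($m[1], $allowed, true) ? "&{$m[1]};" : $m[0];
    }, $text);

    return $text;
}

// Constructed sample inputs: a C0 control character, a surrogate, a code point
// above U+10FFFF, ordinary valid references, and a bare ampersand.
$samples = [
    'control:   &#2; and &#x0;',
    'surrogate: &#55296; and &#xD800;',
    'too big:   &#1114112;',
    'valid:     &#65; &#x41; &amp; &lt;b&gt; &#x1F600;',
    'bare:      fish & chips',
];
foreach ($samples as $sample) {
    echo example_normalize_numeric_entities($sample), PHP_EOL;
}
```

Escaping every ampersand first and then selectively restoring references is the safer order: anything the restore passes do not recognise (a reference with too many digits, an unknown named entity, a stray `&`) is already literal text, so no check has to enumerate every malformed shape. A reference the user typed already escaped, such as `&amp;#65;`, round-trips unchanged because only the `&amp;` named entity is restored.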

Attachments (2)

report.txt (1.2 KB) - added by schiller 8 years ago.
Unix diff patch from WP 2.5.0 kses.php
bug6583.patch (2.2 KB) - added by schiller 8 years ago.
Patch against SVN


Change History (6)

8 years ago

Unix diff patch from WP 2.5.0 kses.php

#1 @schiller
8 years ago

  • Cc rubys@… added

8 years ago

Patch against SVN

#2 @schiller
8 years ago

  • Keywords has-patch 2nd-opinion added
  • Milestone changed from 2.7 to 2.6

#3 @azaozz
7 years ago

  • Milestone changed from 2.9 to 2.7

#4 @azaozz
7 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [8386]) kses - properly escape non-Unicode entities. Fixes #6583. Props schiller.
