Opened 6 years ago

Closed 5 years ago

#6910 closed feature request (wontfix)

kses should be applied to some kind of diff so as to not filter out post content that previously existed

Reported by: niedzielski
Owned by:
Milestone:
Priority: low
Severity: normal
Version: 2.7.1
Component: Template
Keywords: needs-patch
Focuses:
Cc:

Description

As an administrator user, I have no difficulties using HTML in my entries. However, an author user on my blog recently reported a problem. He attempted to center text using the alignment button in the visual editor, or even typing in the code manually. This produced code like this:
<p style="text-align: center;">foo</p>

Unfortunately, any time he saves, the system reduces the code to this:
<p style="center;">foo</p>

Which doesn't work. When I try it as an administrator user, it works fine. When I log in under his username, I have the same problem.

I am using WordPress version 2.5.1.

Change History (11)

comment:1 mrmist 6 years ago

Just confirming this is in 2.6.

Also affects "contributor" level.

comment:2 ryan 6 years ago

Probably the same problem as in #6888 and #5917

comment:3 ryan 6 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [8671]) Apply kses bad-protocol checks only to URI typed attributes. Props takayukister. fixes #5917 #6888 #6910 #7512
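
The behaviour this changeset message describes, as an added example that is not WordPress code and not part of the ticket: a simplified protocol filter applied to every attribute turns `text-align: center;` into `center;`, while restricting it to URI-typed attributes leaves `style` intact and still strips `javascript:` from `href`. The function names, the protocol allowlist and the URI attribute list are assumptions.

```php
<?php
// Simplified stand-in for a kses-style protocol filter (hypothetical, not WordPress code):
// drop a leading "scheme:" unless the scheme is on the allowlist.
function strip_bad_protocol(string $value, array $allowed): string {
    // Repeat so that a nested "javascript:javascript:" cannot survive a single pass.
    while (preg_match('/^\s*([a-z][a-z0-9+.\-]*)\s*:/i', $value, $m)
           && !in_array(strtolower($m[1]), $allowed, true)) {
        $value = ltrim(substr($value, strlen($m[0])));
    }
    return $value;
}

// Filter an attribute map. $uri_attrs === null reproduces the reported behaviour
// (every attribute is checked); a list restricts the check to URI-typed attributes.
function filter_attributes(array $attrs, array $allowed, ?array $uri_attrs): array {
    $out = [];
    foreach ($attrs as $name => $value) {
        $is_uri = $uri_attrs === null || in_array(strtolower($name), $uri_attrs, true);
        $out[$name] = $is_uri ? strip_bad_protocol($value, $allowed) : $value;
    }
    return $out;
}

$allowed   = ['http', 'https', 'mailto'];        // assumed protocol allowlist
$uri_attrs = ['href', 'src', 'cite', 'action'];  // assumed URI-typed attributes

// Constructed sample attributes: the style from the report plus two links.
$samples = [
    ['style' => 'text-align: center;'],
    ['href'  => 'javascript:alert(1)'],
    ['href'  => 'http://example.com/'],
];

foreach ($samples as $attrs) {
    $every_attr = filter_attributes($attrs, $allowed, null);
    $uri_only   = filter_attributes($attrs, $allowed, $uri_attrs);
    foreach ($attrs as $name => $value) {
        printf("%-6s %-22s all attributes: %-22s URI only: %s\n",
            $name, $value, $every_attr[$name], $uri_only[$name]);
    }
}
```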

comment:4 niedzielski 5 years ago

  • Cc niedzielski added
  • Resolution fixed deleted
  • Status changed from closed to reopened
  • Version set to 2.7.1

I am having this same issue with embedded flash.

Reproduction:
1: Set a user to author level.
2: Log in as this user.
3: Make a new post.
4: Click insert / edit embedded media.
5: Enter http://www.youtube.com/watch?v=vda2RAEuW_g in the file / URL field.
6: Click ok.
7: A yellow box for the video appears in the post, but doesn't show on preview or update. If you leave and then edit the post, the yellow box will be stripped.

Note: The above procedure works fine when the user is raised from author to editor status.

comment:5 Denis-de-Bernardy 5 years ago

Switching from kses to HTML Purifier (http://htmlpurifier.org/) would almost certainly fix this.

comment:6 Denis-de-Bernardy 5 years ago

  • Milestone changed from 2.7 to 2.8

comment:8 Denis-de-Bernardy 5 years ago

  • Keywords needs-patch added
  • Milestone changed from 2.8 to Future Release
  • Summary changed from "Users with author role privileges have some HTML stripped from posts." to "kses should be applied to a diff so as to not filter out post content that previously existed"
  • Type changed from defect (bug) to feature request

Itching to close this one as invalid. The real issue is that kses should filter only newly inserted content. But that might be opening Pandora's box.

comment:9 Denis-de-Bernardy 5 years ago

  • Summary changed from "kses should be applied to a diff so as to not filter out post content that previously existed" to "kses should be applied to some kind of diff so as to not filter out post content that previously existed"

comment:10 Denis-de-Bernardy 5 years ago

  • Component changed from General to Template

comment:11 Denis-de-Bernardy 5 years ago

  • Milestone Future Release deleted
  • Resolution set to wontfix
  • Status changed from reopened to closed