Opened 5 years ago

Closed 4 years ago

#9823 closed defect (bug) (fixed)

Allow 0xAD in URI attributes

Reported by: nbachiyski
Owned by:
Milestone: 2.9
Priority: low
Severity: normal
Version: 2.8
Component: Validation
Keywords: kses
Focuses:
Cc:

Description

kses strips 0xAD from URI attributes (see #4379 and #5917).

Given the more frequent use of Unicode in addresses and the fact that this byte appears in a lot of the UTF-8 representations, stripping it causes many broken URLs.

I researched the issue and found only one security problem caused by this byte: Mozilla <= 1.7.11/Firefox <= 1.5 Beta 1 didn't escape this byte properly in Internationalized Domain Names.

The bug was fixed almost 4 years ago and everybody now is using newer versions of Firefox, so I think we can safely remove the check.
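The breakage described in this ticket, as an added example that is not part of the ticket and not WordPress code: it models the stripping as deleting every 0xAD byte from a UTF-8 URL, and contrasts it with a code-point-aware removal of U+00AD, which goes beyond what the ticket proposes. The function names and sample URLs are constructed for illustration.

```python
SOFT_HYPHEN = "\u00ad"  # U+00AD; the single byte 0xAD in ISO-8859-1, C2 AD in UTF-8


def strip_byte_0xad(value):
    """Model of a byte-level filter: delete every 0xAD byte (assumed behaviour)."""
    return value.encode("utf-8").replace(b"\xad", b"")


def strip_soft_hyphen(value):
    """Code-point-aware alternative: delete only the U+00AD character itself."""
    return value.replace(SOFT_HYPHEN, "")


def chars_containing_0xad(value):
    """Characters whose UTF-8 encoding includes a 0xAD byte."""
    return [ch for ch in value if 0xAD in ch.encode("utf-8")]


def is_valid_utf8(raw):
    try:
        raw.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def audit(url):
    """Report what the byte-level strip does to one URL."""
    stripped = strip_byte_0xad(url)
    return {
        "affected": chars_containing_0xad(url),
        "changed": stripped != url.encode("utf-8"),
        "valid_utf8": is_valid_utf8(stripped),
    }


# Constructed sample URLs (not taken from the ticket).
SAMPLES = [
    "http://example.com/\u042d\u0442\u043e",  # Cyrillic E (U+042D) is D0 AD
    "http://example.com/aqu\u00ed",           # i-acute (U+00ED) is C3 AD
    "http://example.com/soft\u00adhyphen",    # soft hyphen is C2 AD
    "http://example.com/plain",               # ASCII only, untouched
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(ascii(url), audit(url), ascii(strip_soft_hyphen(url)))
```

In the first three samples the byte-level strip leaves a lead byte without its continuation byte, so the result is no longer valid UTF-8; even the soft hyphen itself is only half removed.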

Attachments (1)

no-0xad-strip.diff (738 bytes) - added by nbachiyski 5 years ago.

Change History (2)

nbachiyski 5 years ago

comment:1 ryan 4 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [12199]) Allow 0xAD in URI attributes. Props nbachiyski. fixes #9823 #10859
