Ticket #2130 (closed defect: fixed)

Opened 3 years ago

Last modified 2 years ago

wp_kses kills < !-- more --> from xmlrpc posted entries

Reported by: tsimmons
Assigned to: ryan
Priority: normal
Milestone:
Component: XML-RPC
Version: 2.0
Severity: major
Keywords: bg|has-patch bg|commit
Cc:

Description

I couldn't find the exact point where it happens, but somewhere when XMLRPC posted entries are being processed, the

<!--more-->

tags are being stripped which gets rid of the "more..." link and instead displays the entire post on the indexes. I tracked it down to somewhere in the nested functions called in kses.php, somewhere after line 55:

	return wp_kses_split($string, $allowed_html_fixed, $allowed_protocols);

Attachments

kses.php.diff (468 bytes) - added by tsimmons on 12/22/05 22:52:15.
Proposed patch
kses.php.2.diff (0.8 kB) - added by tsimmons on 12/27/05 20:07:39.
New version of suggested patch
kses-comments.diff (0.7 kB) - added by skeltoac on 01/10/06 01:23:33.
perfect-comments.diff (1.1 kB) - added by skeltoac on 01/12/06 08:50:19.

Change History

12/22/05 19:34:35 changed by tsimmons

Okay, after more digging, I found it is in wp_kses_split2() on line 101:

if (!preg_match('%^<\s*(/\s*)?([a-zA-Z0-9]+)([^>]*)>?$%', $string, $matches))

This always strips the <!--more--> tags. My regular expression skillz are way down right now (mighty tired after long night ...)

Sorry I can't offer a fix right off ...

12/22/05 22:28:48 changed by tsimmons

I can't take credit for this, but how does the fix from http://mu.wordpress.org/forums/topic/450 sound? Add three lines to the function at line 101:

	if (preg_match('%^<!--[^>-]+-->$%', $string))
		return $string;
	# Allow HTML comments

12/22/05 22:52:15 changed by tsimmons

  • attachment kses.php.diff added.

Proposed patch

12/23/05 01:31:12 changed by skeltoac

No, this expression will miss valid comments such as this: <!--my-awesome-comment-->

12/27/05 20:07:39 changed by tsimmons

  • attachment kses.php.2.diff added.

New version of suggested patch

12/27/05 20:08:53 changed by tsimmons

I have attached a new proposed fix, based on Owen's suggestion in wp-testers. It works for me!!

12/28/05 10:18:40 changed by davidhouse

  • keywords changed from kses wp_kses xmlrpc more to kses wp_kses xmlrpc more bg|has-patch.

12/29/05 21:38:46 changed by ryan

  • owner changed from anonymous to ryan.

12/29/05 23:28:19 changed by masquerade

Based on the patch above (untested), the following would pass right through.

&lt;!--something--&gt;&lt;script&gt;malicious code&lt;/script&gt;&lt;!--somethingelse--&gt;

12/29/05 23:34:33 changed by masquerade

Er, pretend that didn't get mangled

<!--something--><script>malicious code</script><!--somethingelse-->

12/30/05 15:36:32 changed by ringmaster

Can you fix this by adding a ? to the regex in the first replacement block? Like:

return preg_replace('%(<!--.*?-->)|(<'.# EITHER: <
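
An added illustration, not part of the ticket or of WordPress's kses.php, comparing the comment patterns discussed in the comments above on the inputs quoted there. `filter_with()` is a hypothetical stand-in for the kses tag filter, and the greedy `<!--.*-->` form is an assumption inferred from the suggestion to add a `?`; the attached patches are not shown on this page.

```php
<?php
// Hypothetical stand-in for the kses tag filter (not WordPress code).
// Anything matched by $comment_re passes through untouched; every other
// tag is dropped, which is stricter than kses but enough to show the effect.
function filter_with(string $comment_re, string $html): string {
    $re = '%(' . $comment_re . ')|(<[^>]*>?)%';
    return preg_replace_callback($re, function (array $m): string {
        // $m[1] is non-empty only when the comment alternative matched.
        return $m[1] !== '' ? $m[1] : '';
    }, $html);
}

// Pattern quoted in the ticket, applied to one isolated tag string.
$anchored  = '%^<!--[^>-]+-->$%';
// Assumed greedy form (inferred, see lead-in) and the non-greedy form
// from the suggested replacement line.
$greedy    = '<!--.*-->';
$nongreedy = '<!--.*?-->';

// Inputs taken from the ticket comments.
$more    = '<!--more-->';
$hyphen  = '<!--my-awesome-comment-->';
$smuggle = '<!--something--><script>malicious code</script><!--somethingelse-->';

// 1. The anchored pattern excludes "-" inside the comment body, so it
//    accepts the first input and rejects the hyphenated one.
var_dump(preg_match($anchored, $more) === 1);
var_dump(preg_match($anchored, $hyphen) === 1);

// 2. Greedy: ".*" runs to the LAST "-->", so both comments and everything
//    between them are treated as a single comment and passed through.
var_dump(filter_with($greedy, $smuggle));

// 3. Non-greedy: each comment ends at its own "-->", so the tags between
//    the two comments reach the tag branch of the filter.
var_dump(filter_with($nongreedy, $smuggle));
var_dump(filter_with($nongreedy, $hyphen));
```

Run from the PHP CLI: the greedy pattern returns the third input unchanged, script element included, while the non-greedy pattern keeps both comments and removes the tags between them.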

01/06/06 01:37:56 changed by ryan

  • milestone set to 2.0.1.

01/09/06 23:49:58 changed by ryan

  • status changed from new to closed.
  • resolution set to fixed.

(In [3417]) Pass comments through kses. Props tsimmons. fixes #2130 #2167

01/10/06 01:23:33 changed by skeltoac

  • attachment kses-comments.diff added.

01/10/06 01:28:17 changed by ryan

01/12/06 08:50:10 changed by skeltoac

  • keywords changed from kses wp_kses xmlrpc more bg|has-patch to bg|has-patch bg|commit.
  • status changed from closed to reopened.
  • resolution deleted.

That last patch is broken: the first regex is missing a () so the eval never gets the right string.

perfect-comments.diff fixes that and more carefully filters the contents of the comment. Now, if a comment is left unclosed, it will be closed at the end of the string. Also, nested comments and uneven open/close markers are fixed. Comments are rock-solid.

01/12/06 08:50:19 changed by skeltoac

  • attachment perfect-comments.diff added.

01/13/06 07:28:50 changed by ryan

  • status changed from reopened to closed.
  • resolution set to fixed.

(In [3429]) kses regex tweakage for better comment filtering. fixes #2130

11/30/06 19:41:49 changed by

  • milestone deleted.

Milestone 2.0.1 deleted