Ticket #2241 (closed defect: duplicate)

Opened 3 years ago

Last modified 2 years ago

<a>, <ul>, <div> items are stripped when posting via XML-RPC

Reported by: bytescout Assigned to: anonymous
Priority: highest omg bbq Milestone:
Component: XML-RPC Version: 2.0
Severity: blocker Keywords: bg|reporter-feedback
Cc:

Description

If you post link via XML-RPC interface with target attribute then this attribute is removed by WP in the posted content. But if you edit post via web editor then attribute is not removed.

For example we post via XML-RPC: <a href="http://cnn.com" target="_blank"/>

Final post content if you edit added post via web editor: <a href="http://cnn.com"/>

Change History

01/08/06 07:55:43 changed by WCityMike

  • priority changed from normal to highest.
  • component changed from Administration to XML-RPC.
  • severity changed from normal to critical.
  • summary changed from <a> link attributes are changed when posting via XML-RPC to <a>, <ul>, <div> items are stripped when posting via XML-RPC.

This does not just apply to <a>. If you post anything that involves additional tags through XML-RPC, it strips the tags, i.e., [ul class="class"] becomes [ul], [div class="fake"] becomes [div], and so on.

01/08/06 07:59:11 changed by WCityMike

A quick clarification: this is definitely a problem with the code. I have reproduced this after disabling all my plugins, and it is not related to theme -- this shows up in the actual entry brought up through the admin interface, not via a 'view source' on the page.

01/08/06 14:55:52 changed by davidhouse

  • severity changed from critical to blocker.

This should be a blocker, we shouldn't release 2.0.1 until major problems with XMLRPC are fixed.

01/09/06 07:05:49 changed by fncll

It looks to me like the fix for this is in kses.php, which defines what attribute are legal. When posting <a href="http://www.google.com/" title="google" target="blank"> using XML-RPC, it becomes <a href="http://www.google.com/" title="google">. This is because in kses.php, line 21 $allowedposttags is set to:

'a' => array ('href' => array (), 'title' => array (), 'rel' => array (), 'rev' => array (), 'name' => array ())

This is the same issue as Ticket 2130. I'm not sure where else this is used (I'm new to the WP code) so don't know what effects just adding 'target' => array () to the definition would have or if it needs further refinement.

01/10/06 21:49:42 changed by davidhouse

  • keywords set to bg|reporter-feedback.

Which XMLRPC tool are you using?

01/10/06 21:54:51 changed by davidhouse

Which XMLRPC tool are you using?

01/12/06 22:56:44 changed by skeltoac

  • status changed from new to closed.
  • resolution set to duplicate.

This is caused by a bug in xmlrpc.php, which doesn't authenticate the user until after the init hook calls kses_init. This causes KSES filters to be added regardless of the author's unfiltered_html cap. I'm working on the patch now on #2273, same issue.

The fix is NOT to modify the allowedposttags array in kses.php. You may do this using the plugin API.

If you want authors and contributors to be able to post with those attributes, use a plugin or submit a ticket.

11/30/06 19:41:49 changed by

  • milestone deleted.

Milestone 2.0.1 deleted