Ticket #3290 (closed defect: fixed)

Opened 2 years ago

Last modified 2 years ago

Importer strips img class and style

Reported by: foolswisdom Assigned to: foolswisdom
Priority: highest omg bbq Milestone: 2.1
Component: Administration Version: 2.1
Severity: major Keywords: import has-patch commit
Cc:

Description

Importer strips img class and style

ENV: WP trunk r4428

REPRO: always

STEPS

1. Created a single blog post of <img class="bordered" style="float: none; margin-left: 0;" src="image.png" />

2. Used the Exporter, confirmed that the post was as entered in the produced xml file

3. Used the Importer selecting WordPress and mapping to the existing 'admin' user

ACTUAL RESULT

Blog post has become <img src="image.png" />

ADDITIONAL DETAILS

Problem described at http://nslog.com/2006/10/25/wordpress_204_import_removes_img_tag_formatting/

Attachments

unfiltered-imports.diff (9.1 kB) - added by andy on 12/06/06 23:51:40.

Change History

11/25/06 02:01:15 changed by foolswisdom

Slowly learning. The class and style are being removed during $post_content = apply_filters('content_save_pre', $post_content); in wp_insert_post

11/25/06 12:56:17 changed by filosofo

I think the real problem is that wp-admin/admin.php calls kses_init_filters() for *every* import, even for those with admin permissions, and there's no easy way--that I've yet found--for a plugin to disable it.

11/28/06 01:08:36 changed by foolswisdom

filosofo, my generous teacher!

All imports are done with "author" privileges. Thank you for describing the design limitation.

ENV: WP trunk r6949

I duplicated that: posting as an "author", those img tags are stripped.

I now see that those tags for img are not allowed because they are not included in $allowedposttags . I found an old wp-testers thread that says this is for security reasons: http://comox.textdrive.com/pipermail/wp-testers/2005-September/000461.html

I found at least one popular theme is very heavy on its use of img class tags, http://cutline.tubetorial.com/image-handling-with-cutline/#comment-481

PREVIOUS WORKAROUND

my-hacks.php file, CUSTOM_TAGS
[resolved] Can Wordpress Support Pictures Inside Comments?
http://wordpress.org/support/topic/43139?replies=17

QUESTIONS

I am left with the following questions:

1. I would like to better understand the security issues with the class tag, and so far have not found anything on the web?

2. How about style, is it safe? Can it be added to $allowedposttags?

POSSIBLE SOLUTIONS

It seems this bug has exposed two independent issues:

* Possibly additional $allowedposttags values

* Import with filtering appropriate to the user (if exists) or establish if new
Code changes for r3430 (Make the xmlrpc user the current user) seem possibly useful

11/28/06 23:55:06 changed by foolswisdom

1. 2. Yeah neither class nor style are safe. A friend 'anotherjesse' explained to me how class could be used to make ~ login prompt, and style can have javascript within it.

It seems that the possible solution is limited to allowing importing as filtering appropriate to the user.

11/29/06 23:54:07 changed by matt

  • priority changed from high to highest.

We shouldn't be doing any stripping for admins.

12/03/06 22:04:13 changed by matt

  • owner changed from anonymous to andy.

12/06/06 03:35:38 changed by andy

  • status changed from new to assigned.

12/06/06 23:51:40 changed by andy

  • attachment unfiltered-imports.diff added.

12/06/06 23:53:50 changed by andy

attachment unfiltered-imports.diff checks the unfiltered_html capability of the post_author and sets up kses filtering appropriately for that user.
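
The stripping reported in the ticket (every import passing through kses, so an admin's img class and style are lost) and the per-author fix andy describes, modelled as an added Python example. This is not WordPress's kses code or the attached patch: the reduced allowlist (img permits src/alt/width/height but not class or style, as with $allowedposttags at the time), the two user accounts and their capabilities, and the function names are all constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed allowlist in the spirit of WordPress's $allowedposttags:
# tag -> attributes that survive filtering. 'img' deliberately lacks
# class and style, which is why the ticket's post comes back stripped.
AUTHOR_ALLOWED = {
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
    "p": set(),
    "strong": set(),
    "em": set(),
}

# Constructed users: only the admin holds the unfiltered_html capability.
USERS = {
    "admin": {"unfiltered_html"},
    "writer": set(),
}


class AllowlistFilter(HTMLParser):
    """Rebuild markup keeping only allowed tags and attributes (kses-style).

    Disallowed tags are dropped but their text content is kept; disallowed
    attributes are silently removed from allowed tags.
    """

    def __init__(self, allowed):
        super().__init__(convert_charrefs=False)
        self.allowed = allowed
        self.out = []

    def _emit_tag(self, tag, attrs, selfclosing):
        if tag not in self.allowed:
            return
        parts = [tag]
        for name, value in attrs:
            if name in self.allowed[tag]:
                parts.append(f'{name}="{html.escape(value or "", quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" />" if selfclosing else ">"))

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, True)

    def handle_endtag(self, tag):
        if tag in self.allowed:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def kses_filter(content, allowed=AUTHOR_ALLOWED):
    """Filter post content against the allowlist, as kses does for authors."""
    parser = AllowlistFilter(allowed)
    parser.feed(content)
    parser.close()
    return "".join(parser.out)


def content_save_pre_always_filtered(content, post_author):
    """Behaviour the ticket reports: the importer installs the kses filters
    for every import, so even an admin's content is stripped."""
    return kses_filter(content)


def content_save_pre_by_author(content, post_author):
    """Behaviour after the fix: filter only when the post's author lacks
    the unfiltered_html capability; admins keep their markup verbatim."""
    if "unfiltered_html" in USERS.get(post_author, set()):
        return content
    return kses_filter(content)


# Constructed sample input: the exact post from the ticket's repro steps,
# plus a style attribute carrying a javascript: URL of the kind that old
# IE versions would execute from CSS (why style is not on the author list).
TICKET_POST = '<img class="bordered" style="float: none; margin-left: 0;" src="image.png" />'
HOSTILE_POST = '<p style="background:url(javascript:alert(1))">hi</p>'

if __name__ == "__main__":
    print(content_save_pre_always_filtered(TICKET_POST, "admin"))
    print(content_save_pre_by_author(TICKET_POST, "admin"))
    print(content_save_pre_by_author(TICKET_POST, "writer"))
    print(kses_filter(HOSTILE_POST))
```

Run stand-alone, the first line prints the stripped `<img src="image.png" />` from the ticket's ACTUAL RESULT, the second returns the admin's post untouched, the third strips it again for the author-level account, and the last shows the hostile style attribute dropped. The decision is made on the post's author rather than the user running the importer, which is what lets an admin import a multi-author export without either stripping their own posts or granting raw HTML to every mapped author.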

12/06/06 23:54:23 changed by andy

  • keywords changed from import importer to import has-patch needs-testing.
  • owner changed from andy to foolswisdom.
  • status changed from assigned to new.

12/13/06 19:16:05 changed by foolswisdom

Verified fixed
Over the last two days I have done ad hoc testing across:

  • single vs multiple authors
  • explicit vs implicit mapping
  • default admin, other user with admin role
  • user with author role, created by import user (with author)

12/13/06 19:16:28 changed by foolswisdom

  • keywords changed from import has-patch needs-testing to import has-patch commit.

12/13/06 19:21:16 changed by ryan

  • status changed from new to closed.
  • resolution set to fixed.

(In [4645]) Don't force kses filtering of imports. fixes #3290