Opened 18 years ago
Closed 17 years ago
#3592 closed defect (bug) (fixed)
Links added in RTE with double-quotes fail to validate
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | 2.5 | Priority: | low |
| Severity: | minor | Version: | 2.0.7 |
| Component: | TinyMCE | Keywords: | |
| Focuses: | | Cc: | |
Description
If I add a hyperlink that has a link description that contains quotes, then the following invalid HTML is generated:
<a title=" a "quote" in the description " href...>
This fails to validate, and furthermore could theoretically (I haven't tried) be used as a security exploit to gain access to other HTML elements:
<a title=" "><othertag><a title=" " href...>
This has been tested in WordPress 2.0.7.
Change History (10)
#2
@
18 years ago
- Keywords reporter-feedback added
- Milestone 2.0.7 deleted
ENV: WP 2.0.7
I could not reproduce either with RTE enabled or not
Entering {{{ <a title=" a "quote" in the description " href="http://example.com"> }}}
When published, resulted in:
RTE image adding box:
<a title=" a "quote" in the description " href="http://example.com">
Pasted with RTE disabled:
<a title=" a "quote" in the description " xhref="http://example.com">
#3
@
18 years ago
I have managed to duplicate this bug (Env 2.1-beta4)
Steps to duplicate
1) Go to write post (wp-admin/post-new.php)
2) Enter some text using the RTE
3) Highlight the text and click hyperlink
4) Enter a description with quotes in it, i.e.: Who's your "daddy?"
Alternatively:
1) Go to write post (wp-admin/post-new.php)
2) In the RTE, click "code"
3) Add the link as described at the top of this page, i.e.: <a href="http://google.com/" title="Who's your "daddy?"">Google!</a>
Quotes should be escaped to &quot;. strip_tags() still works; /however/ there still exists an XSS vulnerability due to an "author" being able to add JavaScript to the links via events (such as onClick, onMouseOver, etc.)
#4
@
18 years ago
- Milestone set to 2.2
charleshooper, great work!
I wrote that I failed to reproduce because I got distracted and focused on the claim of a vulnerability. Although I was able to reproduce invalid HTML, I could not find an exploit.
MarkJaquith emailed wp-hackers: "Authors without the unfiltered_html capability have their posts filtered by KSES, eliminating the XSS risk. This is just an issue of XHTML validation."
#5
@ Lead Developer
18 years ago
- Owner changed from anonymous to markjaquith
- Status changed from new to assigned
- Summary changed from Links with double-quotes fail to validate to Links added in RTE with double-quotes fail to validate
Note that XSS exploits that require access to an account with unfiltered_html capabilities are not considered valid exploits. That's just an abuse of trust by a privileged user. In order to properly test for a vulnerability, use an "Author" account to attempt the exploit.
The fix needed here is to entity-encode the href and title fields when inserted via the RTE, to prevent unfiltered_html-capable RTE users from generating invalid HTML.
This is also valid for trunk. Possible candidate for 2.1 inclusion, but let's see the patch first (I'll take a stab now).
Where are you adding this hyperlink? In the Write Post screen? Or in comments? or what?
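The entity-encoding fix proposed in comment #5 (and the `&quot;` escaping noted in comment #3), as an added example that is not WordPress or TinyMCE code. `escapeAttr`, `buildLinkUnsafe`, `buildLinkSafe` and the `attributeNames` checker are constructed here; the checker lists which attribute names a tokenizer sees, so the breakout that the ticket describes is visible in the naive output and absent in the encoded one.

```javascript
// Added example (not WordPress/TinyMCE code): entity-encode attribute values
// before the RTE inserts <a title="..." href="...">, as comment #5 proposes.
// attributeNames() is a constructed checker that lists the attribute names a
// parser would see, so the two builders can be compared on the same input.

// Escape the characters that can terminate or alter an HTML attribute value.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Naive builder: reproduces the invalid markup the ticket describes.
function buildLinkUnsafe(href, title, text) {
  return '<a title="' + title + '" href="' + href + '">' + text + '</a>';
}

// Hardened builder: every untrusted value is encoded before it is placed
// inside a double-quoted attribute, so it cannot end that attribute early.
function buildLinkSafe(href, title, text) {
  return '<a title="' + escapeAttr(title) + '" href="' + escapeAttr(href) + '">' +
    escapeAttr(text) + '</a>';
}

// List the attribute names of the first tag in `html`: a name, optionally
// followed by =value where the value is double-quoted, single-quoted or bare.
function attributeNames(html) {
  const tag = /^<[a-zA-Z][\w-]*([^>]*)>/.exec(html);
  if (!tag) return [];
  const names = [];
  const attr = /([a-zA-Z][\w-]*)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let m;
  while ((m = attr.exec(tag[1])) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Sample input constructed from the ticket: a description containing quotes.
const TITLE = 'Who\'s your "daddy?"';
console.log(attributeNames(buildLinkUnsafe('http://example.com/', TITLE, 'Google!')));
// → [ 'title', 'daddy', 'href' ]
console.log(attributeNames(buildLinkSafe('http://example.com/', TITLE, 'Google!')));
// → [ 'title', 'href' ]
```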