Ticket #6583 (closed defect: fixed)

Opened 8 months ago

Last modified 4 months ago

kses Allows Invalid Unicode Numeric Entities

Reported by: schiller Assigned to: anonymous
Priority: normal Milestone: 2.7
Component: General Version:
Severity: normal Keywords: has-patch 2nd-opinion
Cc: rubys@intertwingly.net

Description

wp_kses_normalize_entities() allows a user to type "" in a comment. This is not properly escaped as "". For bloggers outputting true XHTML, this is disastrous. kses should be modified to escape the ampersand in any numeric entity reference that is not a valid Unicode character.
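As an added illustration of the check the report asks for (example code, not the ticket's patch and not kses itself, which is PHP): a numeric entity is kept only when its code point is a legal XML 1.0 character; otherwise its ampersand is escaped so the reference becomes literal text. The function names and the constructed comment bodies are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Numeric character references: decimal (&#65;) or hexadecimal (&#x41;).
_NUMERIC_ENTITY = re.compile(r"&#(?:(\d+)|[xX]([0-9a-fA-F]+));")


def valid_unicode(codepoint: int) -> bool:
    """True if codepoint is a legal XML 1.0 character (the Char production).

    XML allows tab, LF and CR, then U+0020..U+D7FF, U+E000..U+FFFD and
    U+10000..U+10FFFF. Anything else (NUL and other C0 controls, surrogates,
    U+FFFE/U+FFFF, values past the Unicode range) makes the document ill-formed.
    """
    return (
        codepoint in (0x9, 0xA, 0xD)
        or 0x20 <= codepoint <= 0xD7FF
        or 0xE000 <= codepoint <= 0xFFFD
        or 0x10000 <= codepoint <= 0x10FFFF
    )


def normalize_numeric_entities(text: str) -> str:
    """Escape the ampersand of every numeric entity that names no legal XML char.

    A valid reference passes through unchanged; an invalid one is turned into
    literal text ("&amp;#0;"), so a strict XHTML parser sees text, not a
    reference to a forbidden character.
    """
    def fix(match):
        dec, hexa = match.groups()
        digits = dec if dec is not None else hexa
        # Absurdly long digit runs can never be valid; skip converting them.
        if len(digits) > 8:
            return "&amp;" + match.group(0)[1:]
        codepoint = int(dec) if dec is not None else int(hexa, 16)
        if valid_unicode(codepoint):
            return match.group(0)
        return "&amp;" + match.group(0)[1:]

    return _NUMERIC_ENTITY.sub(fix, text)


def is_well_formed_fragment(fragment: str) -> bool:
    """Check whether a comment body survives a strict XML parser (constructed check)."""
    try:
        ET.fromstring("<p>" + fragment + "</p>")
        return True
    except ET.ParseError:
        return False
```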

Attachments

report.txt (1.2 kB) - added by schiller on 04/04/08 06:47:49.
Unix diff patch from WP 2.5.0 kses.php
bug6583.patch (2.2 kB) - added by schiller on 04/05/08 13:30:05.
Patch against SVN

Change History

04/04/08 06:47:49 changed by schiller

  • attachment report.txt added.

Unix diff patch from WP 2.5.0 kses.php

04/04/08 06:51:09 changed by schiller

  • cc set to rubys@intertwingly.net.

04/05/08 13:30:05 changed by schiller

  • attachment bug6583.patch added.

Patch against SVN

04/10/08 01:30:56 changed by schiller

  • keywords set to has-patch 2nd-opinion.
  • milestone changed from 2.7 to 2.6.

07/21/08 03:18:30 changed by azaozz

  • milestone changed from 2.9 to 2.7.

07/21/08 03:21:09 changed by azaozz

  • status changed from new to closed.
  • resolution set to fixed.

(In [8386]) kses - properly escape non-Unicode entities. Fixes #6583. Props schiller.