Opened 3 months ago
Last modified 3 months ago
#61246 new defect (bug)
wp_kses makes HTML comment HTML uncommented
Reported by: |
|
Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | 6.6 |
Component: | Security | Keywords: | has-patch has-unit-tests |
Focuses: | Cc: |
Description
asd <!-- <a href="other-page.com" class="hello">world</a> --> asd
when calling wp_kses(_post) on it, this commented HTML gets uncommented and you get a link displayed on the page.
asd <!-- <a href="other-page.com" class="hello">world</a> --> asd
If that commented code contains some unsanitized stuff (as is often the case since people assume it's commented and thus can be ignored - including phpcs won't report errors for commented stuff afaik) this could be a security issue.
Generally though, it's just an unexpected display issue.
Change History (2)
This ticket was mentioned in PR #6577 on WordPress/wordpress-develop by @kkmuffme.
3 months ago
#1
- Keywords has-patch has-unit-tests added
Note: See
TracTickets for help on using
tickets.
Trac ticket: https://core.trac.wordpress.org/ticket/61246
I also added tests for the original ticket that introduced the deprecated function https://core.trac.wordpress.org/ticket/4409, since there were none.
Additionally, the fix also improves the existing logic by combining the escaping logic for <> into a single regex (ensuring it cannot be partially broken by removing of a filter and can be relied upon in 100% of cases).
Furthermore, a side effect is that it fixes broken behavior that kses would leave the last single or double quote unescaped, while escaping everything else unnecessarily.
see xssAttacks.xml "Remote Stylesheet 3" it will unnecessarily escape the " but will leave the last " unescaped
This seems to be a general issue that the last ' or " won't be escaped, e.g. also in
jQuery('#abc').append('<iframe src="xyz.com"></iframe>');
you'll end up with
jQuery('#abc').append('');
which itself was unsafe as the '); delimits the string now and can probably somehow abused (not too familiar with that tbf, so feedback welcome)