WordPress.org

Ready to get started?Download WordPress

Forums

"HTML allowed" tags in 1.0? (16 posts)

  1. lars
    Member
    Posted 10 years ago #

    Is it just me, or have the "HTML allowed" tags disappeared from 1.0? This applies to both the admin interface and the comments.

  2. scooter
    Member
    Posted 10 years ago #

    I would love to know how to fix this, but this thread seems a bit screwy.

  3. Matt Mullenweg
    Troublemaker
    Posted 10 years ago #

    Okay, to clear this up once and for all. comments_allowed_tags is gone. This is deliberate. We've moved to a new HTML filtering system called KSES which is very robust and should protect use from all XSS attacks. It allows more control than a simple strip_tags, and actually lets you specify attributes you allow on different elements, et cetera. So now instead of a list of tags, we have a nested array of tags and attributes.
    Since this is a security feature, a balance needed to be drawn. Most people should not be editing the allowed tags lightly without knowing the consequences of enabling say, <img>. Changing the allowed tags (and attributes) is now done through the file wp-includes/kses.php. A known (and now fixed) bug in 1.0 is that comment_allowed_tags is still called in some places. 1.0.1 will correct this, as well as the current CVS. Adding the option back into the table is not a solution, and it'll just be removed again next time you run upgrade.php.

  4. scooter
    Member
    Posted 10 years ago #

    Thanks allusion. That clears it up with me.

  5. lars
    Member
    Posted 10 years ago #

    Thanks Matt. This raises a couple of new questions for me though.
    First, the allowed tags, whatever they are, still need to be shown to people leaving comments, yes? Since the obvious thing would be to pull then from the array, is it correct to assume 1.0.1 will fix this in wp-comments.php?
    Second, they way it's working for me right now (again on 1.0) is that all tags are stripped from my comments. I'm not sure if this is intended, but it sure isn't what I want. How do I make sure that whatever tags are posted in the comments also render? I like the idea behind filtering comment markup so that it is well-formed and checked according to allowed tags, etc., but there's no point if it's removed from the output.

  6. Nick Momrik
    Member
    Posted 10 years ago #

    Thanks for the clarification Matt!
    If it was removed from 1.0, why was the code still in the wp-comments.php? What is the proper way to add the "HTML allowed line"?

  7. Nick Momrik
    Member
    Posted 10 years ago #

    Nevermind...I found the changes in the CVS and applied them to my install. Works great!

  8. lars
    Member
    Posted 10 years ago #

    I updated what I think is all the necessary files from the CVS, and it now shows the allowed tags.
    However, the output now strips everything inside the tags, i.e. both the href in anchors and all attributes, regardless of element type.
    Help?

  9. Matt Mullenweg
    Troublemaker
    Posted 10 years ago #

    Lars, did you update wp-comment-post.php?

  10. Nick Momrik
    Member
    Posted 10 years ago #

    I guess I should have tested to make sure it was working....
    Mine is also stripping the attributes.
    I've updated wp-comments-post.php with the CVS version I had earlier. I've updated kses.php. Still no luck.

  11. Nick Momrik
    Member
    Posted 10 years ago #

    The comments are being stored in the database with the attributes, but being stripped off when displaying the page.
    I can' t find anywhere in the CVS where function wp_kses is being called.

  12. lars
    Member
    Posted 10 years ago #

    Matt, yes I updated wp-comments.php with rev 1.2, as well as a bunch of other files that were updated within the last two days.

  13. gary
    Member
    Posted 10 years ago #

    This thread is totaly confusing. I need the ability to turn off the automatic tags in the editor so I can replace them with my own. I would be wasting my time designing a new template with xhtml strict unless this was possible.
    since the post from MtDewVirus has the sql [edit snip] I can't fix the problem.
    Is there a way of turning off the auto tags so I can use my own tags in admin interface?

  14. Matt Mullenweg
    Troublemaker
    Posted 10 years ago #

    Gary, you're talking about something totally different from the rest of the thread. Perhaps you should start a new one.

  15. Nick Momrik
    Member
    Posted 10 years ago #

    I believe I've tracked down the code where the HTML allowed tags are checked (or should be).
    In function comment_text(), apply_filters is called, which I assume calls a bunch of filters.
    In kses.php (at the end), a filter (wp_filter_kses) is added, which (I assume) checks the tags.
    Does anyone know if I'm missing something or where I should look?

  16. Dextrine
    Member
    Posted 10 years ago #

    Is it possible just to add tags that are ok to use? Like I would like to add div tag. I added that to kses.php where there are the others like em, i, strong but at least from there it does not enable them.

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags

No tags yet.