Comment tag attributes being stripped

  • Nick Momrik

    (@mtdewvirus)


    The attributes on my comment tags are being stripped. I’ve tracked it down to the wp_kses_split function, but can’t get any further. The attributes are still on the tags before the comment string goes through this function, but are removed when it comes out.
    I decided to go back and try the kses.php from WP 1.0 again and found some strange results. Some of the attribute tags are on now and some are stripped. I looked at $allowedtags, comparing WP 1.0 to the CVS and they differ.
    In WP 1.0:
    <pre>
    'a' => array('href' => array('minlen' => 6, 'maxlen' => 250),
    'title',
    'rel' => array('minlen' => 3, 'maxlen' => 250)),
    </pre>
    CVS:
    <pre>
    'a' => array('href',
    'title',
    'rel'),
    </pre>

    href is not being stripped now when I use kses.php from 1.0, but the title tag is. With 1.0, the line HTML allowed is printing with Array="" in several places (where an array is declared in $allowedtags), but with the CVS version it was printing this line correctly.
    Does anyone have a working copy of this file?
    Thanks!
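
The two `$allowedtags` shapes quoted in the post above give different results under a filter that looks attribute names up as array keys; that lookup style is an assumption here, consistent with `href` surviving while `title` is stripped. This is an added example, not part of the original post and not WordPress or kses code; `attr_allowed_by_key` and `normalize_allowed` are hypothetical names.

```php
<?php
// Added illustration; not WordPress or kses code. Function names are hypothetical.

// Mixed shape from the WP 1.0 snippet: 'href' and 'rel' are keys holding
// constraint arrays, while 'title' is a bare value stored under numeric key 0.
$mixed = array(
    'a' => array(
        'href' => array('minlen' => 6, 'maxlen' => 250),
        'title',
        'rel'  => array('minlen' => 3, 'maxlen' => 250),
    ),
);

// Flat shape from the CVS snippet: every attribute is a bare value.
$flat = array('a' => array('href', 'title', 'rel'));

// Assumed lookup style: an attribute is allowed only if its name is a KEY.
function attr_allowed_by_key(array $allowed, string $tag, string $attr): bool
{
    return isset($allowed[$tag]) && array_key_exists($attr, $allowed[$tag]);
}

// Normalise either shape to tag => (attribute => constraints).
function normalize_allowed(array $allowed): array
{
    $out = array();
    foreach ($allowed as $tag => $attrs) {
        if (is_int($tag)) {                 // bare tag name, no attributes allowed
            $out[strtolower($attrs)] = array();
            continue;
        }
        $out[strtolower($tag)] = array();
        foreach ((array) $attrs as $key => $value) {
            if (is_int($key)) {             // bare attribute name, no constraints
                $out[strtolower($tag)][strtolower($value)] = array();
            } else {                        // attribute name with constraints
                $out[strtolower($tag)][strtolower($key)] = (array) $value;
            }
        }
    }
    return $out;
}

// Compare the raw and normalised lookups; 'onclick' is never on the list.
foreach (array('mixed' => $mixed, 'flat' => $flat) as $label => $set) {
    $fixed = normalize_allowed($set);
    foreach (array('href', 'title', 'rel', 'onclick') as $attr) {
        printf("%-5s %-7s raw=%-4s normalized=%s\n", $label, $attr,
            attr_allowed_by_key($set, 'a', $attr) ? 'keep' : 'drop',
            attr_allowed_by_key($fixed, 'a', $attr) ? 'keep' : 'drop');
    }
}
```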

Viewing 7 replies - 1 through 7 (of 7 total)
  • lars

    (@lars)


    *bump*

    lars

    (@lars)


    the kses filter is applied at the very end of kses.php:
    <pre>
    add_filter('comment_text', 'wp_filter_kses');
    </pre>
    the problem here is that with this filter enabled, all element attributes are stripped out (including anchor hrefs).
    however, in the preceding line, the same filter gets applied to comment_author, and there it works.
    a temporary workaround to restore the attributes is to comment out the above line. i’m hoping for a real fix though.

    Nick Momrik

    (@mtdewvirus)


    Has anyone found a solution to this yet?

    Nick Momrik

    (@mtdewvirus)


    Lars,
    If you remove that line or comment it out, won’t that allow people to put in scripts that could crash your page? I’d rather have html tags not working in comments for now instead of having the possibility that someone puts nasty javascript into a comment.

    Moderator Matt Mullenweg

    (@matt)


    Fixed.

    Nick Momrik

    (@mtdewvirus)


    Woohooo!! You guys rock! Working great!

    lars

    (@lars)


    Great news. I’m off to the nightly builds then.
