I would love to know how to fix this, but this thread seems a bit screwy.
Okay, to clear this up once and for all. comments_allowed_tags is gone. This is deliberate. We’ve moved to a new HTML filtering system called KSES which is very robust and should protect use from all XSS attacks. It allows more control than a simple
strip_tags, and actually lets you specify attributes you allow on different elements, et cetera. So now instead of a list of tags, we have a nested array of tags and attributes.
Since this is a security feature, a balance needed to be drawn. Most people should not be editing the allowed tags lightly without knowing the consequences of enabling say,
<img>. Changing the allowed tags (and attributes) is now done through the file
wp-includes/kses.php. A known (and now fixed) bug in 1.0 is that comment_allowed_tags is still called in some places. 1.0.1 will correct this, as well as the current CVS. Adding the option back into the table is not a solution, and it’ll just be removed again next time you run
Thanks Matt. This raises a couple of new questions for me though.
First, the allowed tags, whatever they are, still need to be shown to people leaving comments, yes? Since the obvious thing would be to pull then from the array, is it correct to assume 1.0.1 will fix this in
Second, they way it’s working for me right now (again on 1.0) is that all tags are stripped from my comments. I’m not sure if this is intended, but it sure isn’t what I want. How do I make sure that whatever tags are posted in the comments also render? I like the idea behind filtering comment markup so that it is well-formed and checked according to allowed tags, etc., but there’s no point if it’s removed from the output.
Thanks for the clarification Matt!
If it was removed from 1.0, why was the code still in the wp-comments.php? What is the proper way to add the “HTML allowed line”?
Nevermind…I found the changes in the CVS and applied them to my install. Works great!
I updated what I think is all the necessary files from the CVS, and it now shows the allowed tags.
However, the output now strips everything inside the tags, i.e. both the href in anchors and all attributes, regardless of element type.
I guess I should have tested to make sure it was working….
Mine is also stripping the attributes.
I’ve updated wp-comments-post.php with the CVS version I had earlier. I’ve updated kses.php. Still no luck.
The comments are being stored in the database with the attributes, but being stripped off when displaying the page.
I can’ t find anywhere in the CVS where function wp_kses is being called.
Matt, yes I updated wp-comments.php with rev 1.2, as well as a bunch of other files that were updated within the last two days.
This thread is totaly confusing. I need the ability to turn off the automatic tags in the editor so I can replace them with my own. I would be wasting my time designing a new template with xhtml strict unless this was possible.
since the post from MtDewVirus has the sql [edit snip] I can’t fix the problem.
Is there a way of turning off the auto tags so I can use my own tags in admin interface?
Gary, you’re talking about something totally different from the rest of the thread. Perhaps you should start a new one.
I believe I’ve tracked down the code where the HTML allowed tags are checked (or should be).
In function comment_text(), apply_filters is called, which I assume calls a bunch of filters.
In kses.php (at the end), a filter (wp_filter_kses) is added, which (I assume) checks the tags.
Does anyone know if I’m missing something or where I should look?
- The topic ‘“HTML allowed” tags in 1.0?’ is closed to new replies.