[wp-testers] My Patches Need Testing (fix invalid xhtml)

Jeff Schiller codedread at gmail.com
Mon Apr 14 03:16:24 GMT 2008


Hello,

This is my first time writing to this list.  I have found and tried to fix
4 bugs that deal with WordPress producing invalid XHTML (and yellow screens
of death in Firefox) upon certain things happening with comments.

I would really appreciate any more focus these bugs can get, as I would like
to see these types of things fixed sooner rather than later in WordPress.
Ideally 2.5.1 (but I have no idea of the triage criteria).

The bugs are:

1) http://trac.wordpress.org/ticket/5998 - Invalid Unicode characters

Someone injecting invalid Unicode characters like U+FFFE, U+FFFF can break
XHTML pages.  This patch only assumes UTF-8 in WordPress comments (not
trackbacks, pingbacks), so of the four patches, it's the one that still
needs the most work.  I'd like to work with someone on what they feel might
be a more general solution.

2) http://trac.wordpress.org/ticket/6583 - kses Allows Invalid Unicode
Numeric Entities

Someone typing "&xfffe;" into a WordPress comment can break XHTML pages.
This patch escapes any invalid numeric entities.  I believe the patch is
pretty straightforward, though it may need some style tweaks (function
rename?).

3) http://trac.wordpress.org/ticket/6602 - kses Should Prevent Duplicate
Attributes

Someone typing "<a href='foo' href='foo2'>test</a>" into a WordPress comment
can break XHTML pages.  This patch rejects all duplicate attributes but the
first.  In my opinion, the patch is pretty straightforward.

4) http://trac.wordpress.org/ticket/6642 - Commenters can break page
validation via HTML comments

Someone typing "<!-- foo -- bar -->" into a WordPress comment can break
XHTML pages.  This patch replaces all "--" in HTML comments with "-".  I
believe the patch is pretty straightforward.

Please bear in mind that anyone trying to serve a WordPress blog using true
XHTML (application/xhtml+xml) will be susceptible to these vulnerabilities -
anybody could come along and break the blogs using any of the above 4
techniques.  This includes my own blog (blog.codedread.com), which I've of
course patched for now.

Thanks for your help,
Jeff Schiller
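
The four comment inputs listed above, and the checks a sanitizer needs to reject them, as an added worked example. This is illustrative code written for this page, not the patches attached to the tickets and not WordPress's own kses code; it assumes the XML 1.0 "Char" production as the definition of a valid code point, generalises ticket 6642's "--" replacement to collapsing any run of hyphens (and padding a trailing "-", which XML also forbids), and uses Python's expat-backed xml.etree as a stand-in for an application/xhtml+xml browser parser. The sample comments are constructed.

```python
import re
import xml.etree.ElementTree as ET

# XML 1.0 "Char" production: the only code points allowed anywhere in a document.
# U+FFFE/U+FFFF, surrogates and C0 controls other than TAB/LF/CR are excluded, so a
# page served as application/xhtml+xml fails to parse if one reaches the output.
def is_xml_char(cp: int) -> bool:
    return (cp in (0x9, 0xA, 0xD)
            or 0x20 <= cp <= 0xD7FF
            or 0xE000 <= cp <= 0xFFFD
            or 0x10000 <= cp <= 0x10FFFF)

def strip_invalid_chars(text: str) -> str:
    """Ticket 5998: drop literal code points that the XML Char production forbids."""
    return "".join(ch for ch in text if is_xml_char(ord(ch)))

_NUMERIC_REF = re.compile(r"&#(?:[xX]([0-9A-Fa-f]+)|([0-9]+));")

def escape_invalid_numeric_refs(text: str) -> str:
    """Ticket 6583: a numeric character reference to a forbidden code point is
    neutralised by escaping its ampersand, so it is displayed literally, not parsed."""
    def fix(m):
        hexpart, decpart = m.groups()
        cp = int(hexpart, 16) if hexpart is not None else int(decpart)
        return m.group(0) if is_xml_char(cp) else "&amp;" + m.group(0)[1:]
    return _NUMERIC_REF.sub(fix, text)

# Simplified start-tag and attribute grammar (assumption: enough for the examples here).
_TAG = re.compile(
    r"<([A-Za-z][A-Za-z0-9]*)"
    r"((?:\s+[^\s=/>]+(?:\s*=\s*(?:\"[^\"]*\"|'[^']*'|[^\s>]+))?)*)\s*(/?)>")
_ATTR = re.compile(r"([^\s=/>]+)(\s*=\s*(?:\"[^\"]*\"|'[^']*'|[^\s>]+))?")

def drop_duplicate_attributes(html: str) -> str:
    """Ticket 6602: keep only the first occurrence of each attribute name in a start tag."""
    def fix(m):
        name, attrs, selfclose = m.groups()
        seen, kept = set(), []
        for a in _ATTR.finditer(attrs):
            key = a.group(1).lower()
            if key in seen:
                continue          # later duplicates are dropped, the first one wins
            seen.add(key)
            kept.append(a.group(0))
        return "<%s%s%s>" % (name, "".join(" " + k for k in kept), selfclose)
    return _TAG.sub(fix, html)

_COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)

def fix_html_comments(html: str) -> str:
    """Ticket 6642: '--' may not appear inside an XML comment, and the comment body
    may not end in '-' (that would produce '--->')."""
    def fix(m):
        body = re.sub(r"-{2,}", "-", m.group(1))
        if body.endswith("-"):
            body += " "
        return "<!--%s-->" % body
    return _COMMENT.sub(fix, html)

def sanitize_comment(text: str) -> str:
    """Apply all four fixes in order; characters first, then references, then markup."""
    text = strip_invalid_chars(text)
    text = escape_invalid_numeric_refs(text)
    text = drop_duplicate_attributes(text)
    return fix_html_comments(text)

def is_well_formed_fragment(fragment: str) -> bool:
    """Parse the fragment as an XML browser would; True only if the parser accepts it."""
    try:
        ET.fromstring("<div>%s</div>" % fragment)
        return True
    except ET.ParseError:
        return False

# Constructed sample comments, one per ticket.
SAMPLES = [
    "bad char: \ufffe here",
    "bad refs: &#xfffe; and &#0; here",
    "<a href='foo' href='foo2'>test</a>",
    "<!-- foo -- bar -->",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        clean = sanitize_comment(raw)
        print("raw:   %r  well-formed=%s" % (raw, is_well_formed_fragment(raw)))
        print("clean: %r  well-formed=%s" % (clean, is_well_formed_fragment(clean)))
```

The order matters: stripping raw code points before touching references keeps a non-character from being hidden behind a partially escaped reference, and the duplicate-attribute pass runs before the comment pass so a start tag inside a comment is never rewritten. Escaping the ampersand rather than deleting an invalid reference preserves what the commenter typed while making it harmless to the parser.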

