[wp-trac] [WordPress Trac] #48955: WP 5.3.1 changes cause potential backwards compatibility breakage with kses
WordPress Trac
noreply at wordpress.org
Fri Dec 13 14:45:42 UTC 2019
#48955: WP 5.3.1 changes cause potential backwards compatibility breakage with kses
--------------------------+---------------------
Reporter: iCaleb | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: 5.3.2
Component: Security | Version: 5.3.1
Severity: normal | Resolution:
Keywords: | Focuses:
--------------------------+---------------------
Comment (by aduth):
On some initial investigation, the reason these functions would have
appeared to work previously is due to the fact that the functions used by
KSES to transform a string tend to support an overloaded form accepting an
array.
See `$subject` argument:
- https://www.php.net/manual/en/function.preg-replace.php
- https://www.php.net/manual/en/function.preg-replace-callback.php
- https://www.php.net/manual/en/function.str-replace.php
Again, since the KSES functions are documented to accept a string, and the
names and types of the arguments are designated accordingly (`{string}`
and `$string` in the singular forms), that this happened to work is
coincidental. It's also unclear whether there are other references in code
to the string which would not work if the argument is provided as a
non-string.
Some possible action items:
- Close this as "working as intended", in that the functions are
documented to accept a string, and should be passed a string.
- Consider this as an enhancement request to allow an array of strings to
be passed to KSES functions.
- Make a one-off exception in `wp_pre_kses_block_attributes` to handle
`$string` passed as an array of strings.
The last of these would be non-ideal from the perspective of a contributor
or third-party developer in leaving ambiguity surrounding whether KSES is
expected to support non-string values. As a solution, it would be for the
sole purpose of maintaining support for an existing, undocumented
behavior.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/48955#comment:8>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
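The mechanism the comment describes, as an added illustration that is not code from WordPress core: the three `example_filter_*` functions below are hypothetical stand-ins for a KSES-style filter and do not reproduce `wp_kses()` or `wp_pre_kses_block_attributes()`. The first one only calls PHP functions whose `$subject` is overloaded to accept an array, so an array "works" by coincidence; the second adds one string-only call (`strpos()`) and the array path breaks (PHP 7 emits a warning and `strpos()` returns `null`, PHP 8 throws a `TypeError`); the last two show the two deliberate alternatives from the comment, an explicit string-only contract and an explicit array map. The sample `$attrs` array is constructed for the demonstration.

```php
<?php
// Added example for ticket #48955, not code from WordPress core. The
// example_filter_* functions are hypothetical stand-ins for a KSES-style
// filter; they do not reproduce wp_kses() or wp_pre_kses_block_attributes().

/**
 * Shape of a filter that "accidentally" accepts arrays: every call on
 * $string is a PHP function whose $subject parameter is overloaded to take
 * an array and return an array (preg_replace, str_replace, ...).
 */
function example_filter_overloaded( $string ) {
    $string = preg_replace( '/<\s*script\b[^>]*>.*?<\s*\/\s*script\s*>/is', '', $string );
    $string = str_replace( 'javascript:', '', $string );
    return $string; // string in -> string out, array in -> array out
}

/**
 * The same filter after one innocuous-looking change: a string-only call
 * (strpos) is added. With an array argument PHP 7 emits a warning and
 * strpos() returns null; PHP 8 throws a TypeError. Either way the array
 * path that used to "work" stops working, which is the breakage class the
 * ticket describes.
 */
function example_filter_after_change( $string ) {
    if ( false !== strpos( $string, '<!--' ) ) {
        $string = str_replace( '<!--', '', $string );
    }
    return example_filter_overloaded( $string );
}

/**
 * Explicit contract instead of a coincidence ("working as intended" option).
 * Non-string input is rejected up front, so a caller passing an array fails
 * loudly at the sanitizer rather than receiving null, or an unfiltered
 * value, further downstream.
 */
function example_filter_strict( $string ) {
    if ( ! is_string( $string ) ) {
        throw new InvalidArgumentException( 'example_filter_strict() expects a string' );
    }
    return example_filter_after_change( $string );
}

/**
 * If array input is to be supported deliberately (the enhancement option in
 * the comment), map over it explicitly so that every element passes through
 * the full filter, string-only steps included.
 */
function example_filter_array_aware( $string ) {
    if ( is_array( $string ) ) {
        return array_map( 'example_filter_array_aware', $string );
    }
    return example_filter_strict( $string );
}

// Constructed sample input: an array where a string is documented.
$attrs = array(
    'href'  => 'javascript:alert(1)',
    'title' => '<!--x--><script>y</script>',
);

var_dump( example_filter_overloaded( $attrs ) );  // works by coincidence: array of filtered strings
var_dump( example_filter_array_aware( $attrs ) ); // works by design: strpos() step applied to each element

try {
    example_filter_strict( $attrs );
} catch ( InvalidArgumentException $e ) {
    echo $e->getMessage(), "\n";                  // rejected: not a string
}
```

Run with `php example.php` on PHP 7 or 8. The point for a maintainer is that `example_filter_after_change()` is the kind of edit that looks type-neutral in review but silently changes what callers passing arrays get back; a guard such as the one in `example_filter_strict()` turns that into a visible failure at the sanitizer boundary instead of a sanitizer that returns `null` for unexpected input.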