[wp-trac] [WordPress Trac] #57979: Can't upload images to WordPress Comments
WordPress Trac
noreply at wordpress.org
Mon Oct 16 01:48:06 UTC 2023
#57979: Can't upload images to WordPress Comments
-------------------------------------------------+-------------------------
Reporter: sbb | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Future Release
Component: Comments | Version: 6.0.3
Severity: normal | Resolution:
Keywords: has-patch 2nd-opinion dev-feedback needs-testing changes-requested early | Focuses: administration
-------------------------------------------------+-------------------------
Changes (by peterwilsoncc):
* keywords: has-patch 2nd-opinion dev-feedback needs-testing => has-patch 2nd-opinion dev-feedback needs-testing changes-requested early
* milestone: 6.4 => Future Release
Comment:
I'm very, very reluctant to make this change.
Without going into too many details, each of the PRs linked to the ticket
will reintroduce the issue [54527] resolved. As it's been 10 months since
the security issue was resolved, it's probably fine to introduce some
obvious tests illustrating the problem, but I'll need to find them.
As this issue relates to a prior security flaw, I'm going to move this off
the current milestone as there's no suitable patch at this stage. I've
added the `early` label so the security team can monitor and test any
changes.
----
To allow images in comments, I suggest the tag be added via a filter:
{{{#!php
<?php
add_filter(
	'wp_kses_allowed_html',
	function( $allowed_html ) {
		if ( isset( $allowed_html['img'] ) ) {
			// Nothing to do.
			return $allowed_html;
		}

		/* START: Only allow in admin */
		if ( ! function_exists( 'get_current_screen' ) ) {
			// Front-end request: admin screen API is not loaded.
			return $allowed_html;
		}

		$current_screen = get_current_screen();
		if ( ! $current_screen || 'edit-comments' !== $current_screen->parent_base ) {
			return $allowed_html;
		}
		/* END: Only allow in admin */

		// Attributes not listed here are dropped by kses.
		$allowed_html['img'] = array(
			'alt'      => true,
			'align'    => true,
			'border'   => true,
			'height'   => true,
			'hspace'   => true,
			'loading'  => true,
			'longdesc' => true,
			'vspace'   => true,
			'src'      => true,
			'usemap'   => true,
			'width'    => true,
		);

		return $allowed_html;
	}
);
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/57979#comment:25>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
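A test of the kind the comment says is still needed, added here as an illustration and not part of the ticket or of WordPress core: it hooks a condensed copy of the filter from the comment under the hypothetical name `ticket57979_allow_img_in_admin()` and uses the core `WP_UnitTestCase` framework to check that `<img>` is stripped from front-end comment content and is kept only on the edit-comments screen, with unlisted attributes still dropped.

```php
<?php
// Added illustrative test, not from the ticket. Condensed copy of the
// comment's filter under a hypothetical name so it can be hooked/unhooked.
function ticket57979_allow_img_in_admin( $allowed_html ) {
	$screen = function_exists( 'get_current_screen' ) ? get_current_screen() : null;
	if ( isset( $allowed_html['img'] ) || ! $screen || 'edit-comments' !== $screen->parent_base ) {
		return $allowed_html;
	}
	// Same allowlist idea as the comment; 'class' is deliberately absent.
	$allowed_html['img'] = array( 'alt' => true, 'src' => true, 'width' => true, 'height' => true, 'loading' => true );
	return $allowed_html;
}

class Tests_Ticket57979_Comment_Img extends WP_UnitTestCase {

	// Constructed sample comment body; 'class' is not in the img allowlist.
	const SAMPLE = '<p>Hi</p><img src="https://example.com/a.png" alt="a" class="x">';

	public function set_up() {
		parent::set_up();
		add_filter( 'wp_kses_allowed_html', 'ticket57979_allow_img_in_admin' );
	}

	public function tear_down() {
		remove_filter( 'wp_kses_allowed_html', 'ticket57979_allow_img_in_admin' );
		unset( $GLOBALS['current_screen'] );
		parent::tear_down();
	}

	public function test_front_end_comment_content_strips_img() {
		// No admin screen: wp_kses() uses the default comment allowlist
		// ($allowedtags), which has no img entry, so the tag is removed.
		$out = wp_kses( self::SAMPLE, 'pre_comment_content' );
		$this->assertStringNotContainsString( '<img', $out );
		$this->assertStringContainsString( '<p>Hi</p>', $out );
	}

	public function test_edit_comments_screen_keeps_img_but_drops_unlisted_attributes() {
		set_current_screen( 'edit-comments' );
		// admin-header.php normally calls set_parentage(); it fills parent_base.
		get_current_screen()->set_parentage( 'edit-comments.php' );
		$out = wp_kses( self::SAMPLE, 'pre_comment_content' );
		$this->assertStringContainsString( '<img', $out );
		$this->assertStringContainsString( 'src="https://example.com/a.png"', $out );
		$this->assertStringNotContainsString( 'class=', $out );
	}
}
```

Run it with the core PHPUnit test suite; the second test exercises the admin-only branch, the first is the regression check that front-end comment content stays unchanged.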