[wp-trac] [WordPress Trac] #60979: safecss_filter_attr() should support query strings with "&" as used by Gutenberg
WordPress Trac
noreply at wordpress.org
Fri Oct 4 15:13:02 UTC 2024
#60979: safecss_filter_attr() should support query strings with "&" as used by Gutenberg
-------------------------------------------------+-------------------------
Reporter: philippmuenchen | Owner: hellofromTonya
Type: defect (bug) | Status: reviewing
Priority: normal | Milestone: 6.7
Component: Formatting | Version: 6.5
Severity: normal | Resolution:
Keywords: has-patch has-unit-tests changes-requested | Focuses:
-------------------------------------------------+-------------------------
Changes (by hellofromTonya):
* keywords: has-patch has-unit-tests commit changes-requested => has-patch has-unit-tests changes-requested
Comment:
Removing `commit`. Need to first explore the possibility of a
[https://github.com/WordPress/wordpress-develop/pull/6645/files#r1787861740 safety concern for decoding without re-encoding]:
What if the incoming string has encoded nefarious HTML in it? For example,
what if it's this
{{{
'background-image: url("<script>alert`1`</script>")'
}}}
Result:
{{{
background-image: url("<script>alert`1`</script>")
}}}
Seems unsafe unless it gets re-encoded before returning.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/60979#comment:25>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
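Added illustration of the concern raised in the comment above. This is not WordPress code and not the patch under review: it is a stand-alone model of a decode -> validate -> return pipeline, with hypothetical helper names (demo_decode, demo_url_scheme_allowed, demo_filter_style), an allowed-property list cut down to background-image, and the assumption that "decoding" means HTML-entity decoding (&amp; -> &). It runs the query-string case from the ticket and an encoded-markup value through the filter twice, once returning the decoded value as is and once re-encoding it, so the difference the comment points at is visible on the output.

```php
<?php
declare(strict_types=1);

// Stand-alone model of decode -> validate -> return. NOT WordPress's
// safecss_filter_attr(); names below are hypothetical and the checks are
// reduced to what the demonstration needs.

const DEMO_ALLOWED_PROPERTIES = ['background-image'];

/** Decode entities so the validator sees the URL a browser would request. */
function demo_decode(string $value): string
{
    return html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Hypothetical scheme-only check standing in for a protocol allow-list.
 * It deliberately says nothing about '<', '>' or quotes: that is the gap a
 * re-encoding step has to cover if decoded values are passed back.
 */
function demo_url_scheme_allowed(string $url): bool
{
    return (bool) preg_match('~^(?:https?://|/)~i', $url);
}

/**
 * Keep only allowed properties whose value is a single url("...") with an
 * accepted scheme. With $reencode = false the decoded value is returned as is
 * (the behaviour the comment flags); with true it is entity-encoded again.
 */
function demo_filter_style(string $css, bool $reencode): string
{
    $kept = [];
    foreach (explode(';', $css) as $declaration) {
        if (strpos($declaration, ':') === false) {
            continue;
        }
        list($property, $value) = array_map('trim', explode(':', $declaration, 2));
        if (!in_array(strtolower($property), DEMO_ALLOWED_PROPERTIES, true)) {
            continue;
        }
        $decoded = demo_decode($value);
        // Single url(...) argument, optionally quoted; $m[2] is the bare URL.
        if (!preg_match('~^url\(\s*(["\']?)(.*?)\1\s*\)$~s', $decoded, $m)) {
            continue;
        }
        if (!demo_url_scheme_allowed($m[2])) {
            continue;
        }
        $out = $reencode
            ? htmlspecialchars($decoded, ENT_QUOTES | ENT_HTML5, 'UTF-8')
            : $decoded;
        $kept[] = $property . ': ' . $out;
    }
    return implode('; ', $kept);
}

// Constructed inputs: the &amp; query-string case from the ticket, and a
// value whose encoded markup gets past a scheme-only check once decoded.
$inputs = [
    'background-image: url("https://example.com/bg.png?w=100&amp;h=50")',
    'background-image: url("https://example.com/&lt;script&gt;alert`1`&lt;/script&gt;")',
];

foreach ($inputs as $css) {
    echo "input:      $css\n";
    echo "decoded:    " . demo_filter_style($css, false) . "\n";
    echo "re-encoded: " . demo_filter_style($css, true) . "\n\n";
}
```

For the second input the decoded-only path returns a literal `<script>` in the value, which the scheme check never looked at; the re-encoded path returns `&lt;script&gt;` again while the first input's query string comes back as `&amp;`, which is the correct form inside an attribute. The demo re-encodes quotes too (ENT_QUOTES); whether a real filter should touch the quotes depends on where the value is emitted, so treat that as a choice of this model rather than a statement about the patch.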