Filtering Post Content with kses

With the commit for bug 1674, we now run kses against post content for users that do not have the 'unfiltered_html' capability. By default, only the Administrator and Editor roles have the unfiltered_html capability. Users without that capability will have their posts filtered by kses for some added security.
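The following is an added illustration, not WordPress's own kses code: a small Python filter that models the allowlist behaviour the change relies on (permitted tags and attributes survive, everything else including script elements and style attributes is dropped), with a constructed allowlist and the unfiltered_html check modelled as a set of capability names.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist in the kses style (tag -> attributes permitted on it);
# illustrative only, not WordPress's real $allowedposttags table.
ALLOWED_TAGS = {"a": {"href", "title"}, "b": set(), "strong": set(), "em": set(),
                "i": set(), "p": set(), "br": set(), "span": set()}  # span keeps no style=
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:")
DROP_WITH_CONTENT = {"script", "style"}  # the tag and everything inside it is discarded

class KsesLikeFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a <script>/<style> element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text content is kept
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_TAGS[tag]:
                continue  # style=, onclick=, etc. are silently removed
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                continue  # javascript: and data: URLs never survive
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(escape(data, quote=False))  # text is re-escaped, never trusted

def filter_post_content(html, capabilities):
    """Only users holding unfiltered_html bypass the filter, as the post describes."""
    if "unfiltered_html" in capabilities:
        return html
    f = KsesLikeFilter()
    f.feed(html)
    f.close()
    return "".join(f.out)
```

Run against the `<span style="color:red">` case from the comments, a non-Administrator's content comes back as `<span>text in red</span>`, which is exactly the behaviour the commenters are asking about.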

12 thoughts on "Filtering Post Content with kses"

  1. Alan says:

    I read that as 'filtering post content with kisses' and no amount of rational thought could stop me giggling.

  2. craig says:

    lol@Alan!

    Ryan, will this be applied to WordPress.com and I can say bye-bye to my little yellow sticky Post-It? Or because I’m an Admin of my own blog here, as all users are, it’ll still be cool? ;)

  3. I just figured out what you are talking about. This means that if I have any inline styles they are totally filtered out of the posts. This sucks. I have a bunch of inline styles put in to create little sidebar boxes and stuff throughout my wordpress.com site. These are now all borked. This stripping of the content inline styles has taken away the tiny bit of creative element available in the post area.

    Why?

    Is it because of the problems with the WYSIWYG for copying and pasting from other sites? What is the purpose of this?

    I want control of the HTML tags when I write in the post area. Why take that away?

    And now, I have to go through and edit dozens of posts which are now really confusing due to the loss of the little highlighted boxes. Or is this temporary?

    I can see it being stripped from comments, but not from the content area. Fixing borked tags, sure, but stripping? That’s a little drastic.

  4. Is it absolutely necessary to remove the script elements from the pages? I wanted to do a little toggle function so people don't see the answers to trivia questions until they click on the 'Show Answer' link. Maybe you could have a library of common javascript functions exposed to all users of wordpress.com. People can submit code they would like to be there and moderators can decide whether it is a valid entry or not?

    Can you explain the reason for stripping the ‘style’ attributes?

    Thanks

  5. I understand that stripping javascript functions is totally a security precaution. But stripping out <span style="color:red">text in red</span> is really dumb. Inline styles like font, color, font size, border, and such are totally lacking any security risks, so why should all style inline styles be stripped out in post content?

    Even tags like <small>, <large>, and <x-large> for font sizes are stripped out, even if they are used in the style sheet.

    Please explain the security risk involved in such CSS inline styles and common styling HTML tags.

  6. craig says:

    Lorelle with inline styles you can do position:absolute or relative etc and overlay the wordpress admin bar with one that looks just like it but does something entirely different. (send the user to a false login page should they click it)

    if position: was excluded and all the other styling elements were reinstated, everyone would be happier. Floats will only float inside a container so they’re not a problem since we can only create content in the template areas. Colors too. I can’t think of any other style elements off the top of my head that could be abused…

    If you want to do colors you can do redtext I think…

  7. craig says:

    Damn, my example got filtered even though I spaced the html tag brackets. I mean using the font tag with attribute color="red".