Comments on: Filtering Post Content with kses http://ryan.boren.me/2005/09/20/filtering-post-content-with-kses/ Sun, 21 Mar 2010 02:07:11 +0000 http://wordpress.com/ hourly 1 By: craig http://ryan.boren.me/2005/09/20/filtering-post-content-with-kses/#comment-102 craig Thu, 29 Sep 2005 21:29:10 +0000 http://ryan.wordpress.com/2005/09/20/filtering-post-content-with-kses/#comment-102 Damn, my example got filtered even though I spaced the html tag brackets. I mean using the font tag with attribute color="red". Damn, my example got filtered even though I spaced the html tag brackets. I mean using the font tag with attribute color=”red”.

]]> By: craig http://ryan.boren.me/2005/09/20/filtering-post-content-with-kses/#comment-101 craig Thu, 29 Sep 2005 21:27:21 +0000 http://ryan.wordpress.com/2005/09/20/filtering-post-content-with-kses/#comment-101 Lorelle with inline styles you can do posistion:absolute or relative etc and overlay the wordpress admin bar with one that looks just like it but does something entirely different. (send the user to a false login page should they click it) if position: was excluded and all the other styling elements were reinstated, everyone would be happier. Floats will only float inside a container so they're not a problem since we can only create content in the template areas. Colors too. I can't think of any other style elements off the top of my head that could be abused... If you want to do colors you can do redtext I think... Lorelle with inline styles you can do posistion:absolute or relative etc and overlay the wordpress admin bar with one that looks just like it but does something entirely different. (send the user to a false login page should they click it)

if position: was excluded and all the other styling elements were reinstated, everyone would be happier. Floats will only float inside a container so they’re not a problem since we can only create content in the template areas. Colors too. I can’t think of any other style elements off the top of my head that could be abused…

If you want to do colors you can do redtext I think…

]]> By: Lorelle VanFossen http://ryan.boren.me/2005/09/20/filtering-post-content-with-kses/#comment-84 Lorelle VanFossen Mon, 26 Sep 2005 16:51:02 +0000 http://ryan.wordpress.com/2005/09/20/filtering-post-content-with-kses/#comment-84 I understand that stripping javascript functions is totally a security precaution. But stripping out <span style="color:red">text in red</span> is really dumb. Inline styles like font, color, font size, border, and such are totally lacking any security risks, so why should all style inline styles be stripped out in post content? Even tags like <small>, <large>, and <x-large> for font sizes are stripped out, even if they are used in the style sheet. Please explain the security risk involved in such CSS inline styles and common styling HTML tags. I understand that stripping javascript functions is totally a security precaution. But stripping out <span style=”color:red”>text in red</span> is really dumb. Inline styles like font, color, font size, border, and such are totally lacking any security risks, so why should all style inline styles be stripped out in post content?

Even tags like <small>, <large>, and <x-large> for font sizes are stripped out, even if they are used in the style sheet.

Please explain the security risk involved in such CSS inline styles and common styling HTML tags.

]]> By: footballtrivia http://ryan.boren.me/2005/09/20/filtering-post-content-with-kses/#comment-78 footballtrivia Sun, 25 Sep 2005 16:16:22 +0000 http://ryan.wordpress.com/2005/09/20/filtering-post-content-with-kses/#comment-78 Is it absolutely necessary to remove the script elements from the pages? I wanted to do a little toggle function so people don't see the answers to trivia questions until they click on the 'Show Answer' link. Maybe you could have a library of common javascript functions exposed to all users of wordpress.com. Peopl e can submit code they would like to be there and moderators can decide whether it is a valid entry or not? Can you explain the reason for stripping the 'style' attributes? Thanks Is it absolutely necessary to remove the script elements from the pages? I wanted to do a little toggle function so people don’t see the answers to trivia questions until they click on the ‘Show Answer’ link. Maybe you could have a library of common javascript functions exposed to all users of wordpress.com. Peopl e can submit code they would like to be there and moderators can decide whether it is a valid entry or not?

Can you explain the reason for stripping the ’style’ attributes?

Thanks

]]> By: Lorelle on WordPress » Users FAQ for wordpress.com http://ryan.boren.me/2005/09/20/filtering-post-content-with-kses/#comment-71 Lorelle on WordPress » Users FAQ for wordpress.com Sat, 24 Sep 2005 03:31:18 +0000 http://ryan.wordpress.com/2005/09/20/filtering-post-content-with-kses/#comment-71 [...] I’ll talk more about this later, but remember this. WordPress is user driven. If you don’t like what is going on, complain, loudly, with specific suggestions. Squeaky wheel and all that. [...] [...] I’ll talk more about this later, but remember this. WordPress is user driven. If you don’t like what is going on, complain, loudly, with specific suggestions. Squeaky wheel and all that. [...]

]]> By: Lorelle VanFossen http://ryan.boren.me/2005/09/20/filtering-post-content-with-kses/#comment-42 Lorelle VanFossen Thu, 22 Sep 2005 21:49:02 +0000 http://ryan.wordpress.com/2005/09/20/filtering-post-content-with-kses/#comment-42 I take my thank you back. Posts saved before the change still retain the inline styles. New posts strip them. Not happy. Very much not happy. I take my thank you back. Posts saved before the change still retain the inline styles. New posts strip them. Not happy. Very much not happy.

]]> By: Lorelle VanFossen http://ryan.boren.me/2005/09/20/filtering-post-content-with-kses/#comment-41 Lorelle VanFossen Thu, 22 Sep 2005 21:45:11 +0000 http://ryan.wordpress.com/2005/09/20/filtering-post-content-with-kses/#comment-41 It looks like the inline styles have been restored. Thank you!!! THANK YOU!!!! (can I use inline styles to make this 150px high?) ;-) It looks like the inline styles have been restored. Thank you!!! THANK YOU!!!! (can I use inline styles to make this 150px high?) ;-)

]]> By: craig http://ryan.boren.me/2005/09/20/filtering-post-content-with-kses/#comment-39 craig Thu, 22 Sep 2005 09:11:03 +0000 http://ryan.wordpress.com/2005/09/20/filtering-post-content-with-kses/#comment-39 Donncha, I haven't edited them today and they are being filtered... Just like Lorelle's there. Donncha,

I haven’t edited them today and they are being filtered…
Just like Lorelle’s there.

]]> By: Lorelle VanFossen http://ryan.boren.me/2005/09/20/filtering-post-content-with-kses/#comment-38 Lorelle VanFossen Thu, 22 Sep 2005 00:50:55 +0000 http://ryan.wordpress.com/2005/09/20/filtering-post-content-with-kses/#comment-38 I just figured out what you are talking about. This means that if I have any inline styles they are totally filtered out of the posts. This sucks. I have a bunch of inline styles put in to create little sidbar boxes and stuff throughout my wordpress.com site. These are now all borked. This stripping of the content inline styles has taken away the tiny bit of creative element available in the post area. Why? Is it because of the problems with the WYSIWYG for copying and pasting from other sites? What is the purpose of this? I want control of the HTML tags when I write in the post area. Why take that away? And now, I have to go through and edit dozens of posts which are now really confusing due to the loss of the little highlighted boxes. Or is this temporary? I can see it being stripped from comments, but not from the content area. Fixing borked tags, sure, but stripping? That's a little drastic. I just figured out what you are talking about. This means that if I have any inline styles they are totally filtered out of the posts. This sucks. I have a bunch of inline styles put in to create little sidbar boxes and stuff throughout my wordpress.com site. These are now all borked. This stripping of the content inline styles has taken away the tiny bit of creative element available in the post area.

Why?

Is it because of the problems with the WYSIWYG for copying and pasting from other sites? What is the purpose of this?

I want control of the HTML tags when I write in the post area. Why take that away?

And now, I have to go through and edit dozens of posts which are now really confusing due to the loss of the little highlighted boxes. Or is this temporary?

I can see it being stripped from comments, but not from the content area. Fixing borked tags, sure, but stripping? That’s a little drastic.

]]> By: Donncha http://ryan.boren.me/2005/09/20/filtering-post-content-with-kses/#comment-29 Donncha Wed, 21 Sep 2005 09:07:58 +0000 http://ryan.wordpress.com/2005/09/20/filtering-post-content-with-kses/#comment-29 Your current post still contains the div, but from now on that code will be removed. Better not edit those posts again! :) Your current post still contains the div, but from now on that code will be removed. Better not edit those posts again! :)

]]>