Make WordPress Core

Opened 3 years ago

Last modified 3 years ago

#54138 new defect (bug)

wp_strip_all_tags should remove scripts/styles content recursively

Reported by: wppunk
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Formatting
Keywords: has-patch
Focuses:
Cc:

Description

If we try to run the following code `<scri<script></script>pt>alert("krya");</script>` via the `wp_strip_all_tags` function, it removes the script content only once. So, the following hack allows passing the script content through the function.

## In detail.

First iteration:

  • input: `<scri<script></script>pt>alert("krya");</script>`
  • output: `<script>alert("krya");</script>`

Thankfully, `strip_tags` removes the script tags later, but the content is still present.
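
The behaviour described in this ticket, next to removal repeated until the string stops changing, as an added example (not WordPress core code and not the patch from the linked PR). The function names `strip_once` and `strip_until_stable` are hypothetical, and the regular expression is an assumed stand-in for the script/style removal step the ticket refers to.

```php
<?php
// Added illustration. Function names are hypothetical; the pattern is an
// assumed stand-in for the script/style removal step discussed in the ticket.
const ELEMENT_PATTERN = '@<(script|style)[^>]*?>.*?</\1>@si';

// Single pass: remove <script>/<style> elements with their content once,
// then strip whatever tags remain.
function strip_once(string $text): string {
    $text = preg_replace(ELEMENT_PATTERN, '', $text);
    return trim(strip_tags((string) $text));
}

// Fixed point: repeat the removal until a pass changes nothing. Every pass
// that changes the string makes it shorter, so the loop always terminates.
function strip_until_stable(string $text): string {
    do {
        $before = $text;
        $text   = preg_replace(ELEMENT_PATTERN, '', $before);
        if ($text === null) {
            // PCRE error (for example, backtrack limit): fail closed.
            return '';
        }
    } while ($text !== $before);
    return trim(strip_tags($text));
}

// Constructed sample inputs. The first is the string from the ticket.
$samples = [
    '<scri<script></script>pt>alert("krya");</script>',
    '<sty<style></style>le>body{display:none}</style>',
    // Two levels of splitting: needs three removal passes, so running
    // the removal exactly twice would still leave the content behind.
    '<scr<scri<script></script>pt></script>ipt>x</script>',
    'Hello <b>world</b>',
];

foreach ($samples as $input) {
    printf(
        "input:  %s\n  once:   %s\n  stable: %s\n",
        $input,
        var_export(strip_once($input), true),
        var_export(strip_until_stable($input), true)
    );
}
```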

Change History (2)

This ticket was mentioned in PR #1681 on WordPress/wordpress-develop by wppunk.


3 years ago
#1

  • Keywords has-patch added

Remove scripts and styles tags recursively.

Trac ticket: https://core.trac.wordpress.org/ticket/54138#ticket

#2 @sabernhardt
3 years ago

  • Component changed from General to Formatting