Skip to:
Content
Pages
Categories
Search
Top
Bottom

Users Can Post Bad HTML Content

  • @samtime

    Participant

    Hi, One of my users discovered that they can post potentially malicious HTML into the bbPress reply box.

    I once added the code below to my functions.php file, because users were not able to use Left-align, Centre, and Right-align for text, but I fear maybe it’s now given too many HTML permissions.

    Could anyone please look at this code and let me know if something needs to be changed (maybe some trues switched to falses)?

    Thank you so much, Sam

    add_filter( 'bbp_kses_allowed_tags', 'ntwb_bbpress_custom_kses_allowed_tags' );
    function ntwb_bbpress_custom_kses_allowed_tags() {
    	return array(
    		// Links
    		'a'          => array(
    			'class'    => true,
    			'href'     => true,
    			'title'    => true,
    			'rel'      => true,
    			'class'    => true,
    			'target'    => true,
    		),
    		// Quotes
    		'blockquote' => array(
    			'cite'     => true,
    		),
    		
    		// Div
    		'div' => array(
    			'class'     => true,
    		),
    		
    		// Span
    		'span'             => array(
    			'class'     => true,
                            'style'     => true,
    		),
    		
                    // Paragraph
    		'p'             => array(
    			'class'     => true,
                            'style'     => true,
    		),
    
    		// Code
    		'code'       => array(),
    		'pre'        => array(
    			'class'  => true,
    		),
    		// Formatting
    		'em'         => array(),
    		'strong'     => array(),
    		'del'        => array(
    			'datetime' => true,
    		),
    		// Lists
    		'ul'         => array(),
    		'ol'         => array(
    			'start'    => true,
    		),
    		'li'         => array(),
    		// Images
    		'img'        => array(
    			'class'    => true,
    			'src'      => true,
    			'border'   => true,
    			'alt'      => true,
    			'height'   => true,
    			'width'    => true,
    		),
    		// Tables
    		'table'      => array(
    			'align'    => true,
    			'bgcolor'  => true,
    			'border'   => true,
    		),
    		'tbody'      => array(
    			'align'    => true,
    			'valign'   => true,
    		),
    		'td'         => array(
    			'align'    => true,
    			'valign'   => true,
    		),
    		'tfoot'      => array(
    			'align'    => true,
    			'valign'   => true,
    		),
    		'th'         => array(
    			'align'    => true,
    			'valign'   => true,
    		),
    		'thead'      => array(
    			'align'    => true,
    			'valign'   => true,
    		),
    		'tr'         => array(
    			'align'    => true,
    			'valign'   => true,
    		)
    	);
    }
Viewing 3 replies - 1 through 3 (of 3 total)
  • @robin-w

    Moderator

    ‘One of my users discovered that they can post potentially malicious HTML into the bbPress reply box.’

    could you user state what ‘potentially malicious HTML’ they were able to post – that would help

    @johnjamesjacoby

    Keymaster

    Basically all of the extra attributes you are allowing can be used to disrupt your design in some fashion.

    style, class, align, height, width, etc…

    @samtime

    Participant

    Okay, thanks. I think I might have thought it was a bit more scary than it really is.
    As long as those attributes listed above only affect the design of the post, and not allow any sort of strange code to run.

    Here’s one of the posts from the user, looks like it’s just some funky formatting. Not too bad.

    html post

    Oh, and the skills tab he’s talking about in the post is to do with the Youzer plugin for BuddyPress. I think it just allows him to put more text there than neccessary, but not weird code.

    Skills bug

Viewing 3 replies - 1 through 3 (of 3 total)
  • You must be logged in to reply to this topic.
Skip to toolbar