Users Can Post Bad HTML Content


  • samtime
    Participant

    @samtime

    Hi, One of my users discovered that they can post potentially malicious HTML into the bbPress reply box.

    I once added the code below to my functions.php file, because users were not able to use Left-align, Centre, and Right-align for text, but I fear maybe it’s now given too many HTML permissions.

    Could anyone please look at this code and let me know if something needs to be changed (maybe some trues switched to falses)?

    Thank you so much, Sam

    add_filter( 'bbp_kses_allowed_tags', 'ntwb_bbpress_custom_kses_allowed_tags' );
    function ntwb_bbpress_custom_kses_allowed_tags() {
        // Replaces (rather than extends) the bbPress default allowlist:
        // tag => array of permitted attributes.
        return array(
            // Links
            'a'          => array(
                'class'    => true,
                'href'     => true,
                'title'    => true,
                'rel'      => true,
                'target'   => true,
            ),
            // Quotes
            'blockquote' => array(
                'cite'     => true,
            ),
            // Div
            'div'        => array(
                'class'    => true,
            ),
            // Span
            'span'       => array(
                'class'    => true,
                'style'    => true,
            ),
            // Paragraph
            'p'          => array(
                'class'    => true,
                'style'    => true,
            ),
            // Code
            'code'       => array(),
            'pre'        => array(
                'class'    => true,
            ),
            // Formatting
            'em'         => array(),
            'strong'     => array(),
            'del'        => array(
                'datetime' => true,
            ),
            // Lists
            'ul'         => array(),
            'ol'         => array(
                'start'    => true,
            ),
            'li'         => array(),
            // Images
            'img'        => array(
                'class'    => true,
                'src'      => true,
                'border'   => true,
                'alt'      => true,
                'height'   => true,
                'width'    => true,
            ),
            // Tables
            'table'      => array(
                'align'    => true,
                'bgcolor'  => true,
                'border'   => true,
            ),
            'tbody'      => array(
                'align'    => true,
                'valign'   => true,
            ),
            'td'         => array(
                'align'    => true,
                'valign'   => true,
            ),
            'tfoot'      => array(
                'align'    => true,
                'valign'   => true,
            ),
            'th'         => array(
                'align'    => true,
                'valign'   => true,
            ),
            'thead'      => array(
                'align'    => true,
                'valign'   => true,
            ),
            'tr'         => array(
                'align'    => true,
                'valign'   => true,
            ),
        );
    }
Viewing 3 replies - 1 through 3 (of 3 total)

  • Robin W
    Moderator

    @robin-w

    ‘One of my users discovered that they can post potentially malicious HTML into the bbPress reply box.’

    could your user state what ‘potentially malicious HTML’ they were able to post – that would help


  • John James Jacoby
    Keymaster

    @johnjamesjacoby

    Basically all of the extra attributes you are allowing can be used to disrupt your design in some fashion.

    style, class, align, height, width, etc…
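    To make the point concrete for the allowlist in the opening post, here is an added example (not bbPress or WordPress code, and not written by anyone in this thread): a small Python model of a kses-style allowlist filter. The ALLOWED table is transcribed from the functions.php snippet above; SAFE_SCHEMES, URL_ATTRS, the helper names and the sample post are assumptions of the example, and the real wp_kses() additionally runs style values through safecss_filter_attr(), which this model does not do. Feeding it a constructed post shows what the allowlist actually stops (unknown tags, event-handler attributes, javascript: URLs) and what it lets through (inline style, target, oversized width), which is exactly the "disrupt your design" class of problem rather than script execution.

```python
"""Model of an allowlist (kses-style) HTML filter, run over a constructed post.

Added example: this is NOT WordPress' wp_kses() code. It mirrors only the
allowlist semantics discussed in the thread: unknown tags and attributes are
stripped, text content is kept, URL attributes must use a safe scheme.
"""
from html import escape
from html.parser import HTMLParser

# Allowlist transcribed from the functions.php snippet in the opening post.
ALLOWED = {
    "a": {"class", "href", "title", "rel", "target"},
    "blockquote": {"cite"},
    "div": {"class"},
    "span": {"class", "style"},
    "p": {"class", "style"},
    "code": set(),
    "pre": {"class"},
    "em": set(),
    "strong": set(),
    "del": {"datetime"},
    "ul": set(),
    "ol": {"start"},
    "li": set(),
    "img": {"class", "src", "border", "alt", "height", "width"},
    "table": {"align", "bgcolor", "border"},
    "tbody": {"align", "valign"},
    "td": {"align", "valign"},
    "tfoot": {"align", "valign"},
    "th": {"align", "valign"},
    "thead": {"align", "valign"},
    "tr": {"align", "valign"},
}

# Assumption: a short stand-in for WordPress' allowed-protocol list.
SAFE_SCHEMES = {"http", "https", "mailto"}
URL_ATTRS = {"href", "src", "cite"}


def url_is_safe(value):
    """Reject URL values whose scheme is not allowlisted (e.g. javascript:)."""
    v = "".join(ch for ch in (value or "") if ch.isprintable() and not ch.isspace()).lower()
    head = v.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    if ":" not in head:
        return True  # relative URL, no scheme at all
    return head.split(":", 1)[0] in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    def __init__(self, allowed):
        super().__init__(convert_charrefs=False)
        self.allowed = allowed
        self.out = []
        self.dropped = []  # (tag, attr) removed; attr is None when the whole tag went

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed:
            self.dropped.append((tag, None))  # tag stripped, its text is kept
            return
        kept = []
        for name, value in attrs:
            if name not in self.allowed[tag] or (name in URL_ATTRS and not url_is_safe(value)):
                self.dropped.append((tag, name))
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in self.allowed:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def sanitize(html, allowed=ALLOWED):
    """Return (filtered_html, dropped) for one post body."""
    p = AllowlistSanitizer(allowed)
    p.feed(html)
    p.close()
    return "".join(p.out), p.dropped


def without(allowed, attrs):
    """Copy of an allowlist with the named attributes removed from every tag."""
    return {tag: set(a) - set(attrs) for tag, a in allowed.items()}


# Constructed sample post: a layout-breaking style plus script-bearing attributes.
SAMPLE_POST = (
    '<p style="position:fixed;top:0;left:0;width:100%;height:100%">Hello</p>'
    '<a href="javascript:alert(1)" onclick="alert(1)" target="_blank">link</a>'
    "<script>alert(1)</script>"
    '<img src="https://example.com/a.png" onerror="alert(1)" width="9999">'
)

if __name__ == "__main__":
    clean, dropped = sanitize(SAMPLE_POST)
    print(clean)
    print("dropped:", dropped)
    # Same post through a tighter list: keep class (theme-defined alignment
    # classes) but drop the two attributes that carry free-form presentation.
    print(sanitize(SAMPLE_POST, without(ALLOWED, {"style", "target"}))[0])
```

    With the original list the script tag, onclick, onerror and javascript: href are all dropped, but the fixed-position style and the 9999px width survive. The without() run shows the cheaper alternative to switching trues to falses one at a time: keep class so a theme-provided alignleft/aligncenter/alignright class still works, and drop style and target, which are the attributes that carry arbitrary presentation into the post.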


  • samtime
    Participant

    @samtime

    Okay, thanks. I think I might have thought it was a bit more scary than it really is, as long as those attributes listed above only affect the design of the post and don’t allow any sort of strange code to run.

    Here’s one of the posts from the user, looks like it’s just some funky formatting. Not too bad.

    [screenshot: html post]

    Oh, and the skills tab he’s talking about in the post is to do with the Youzer plugin for BuddyPress. I think it just allows him to put more text there than necessary, but not weird code.

    [screenshot: Skills bug]
