I want the right to post cat macros in my own damn comments. You pop an ‘img’ quicktag above the comment editor and then continue to strip my images? One, this alone is moronic. Two, I am the admin, and I can post as many images as I like, yet you don’t trust me enough to let post them in my own comments? This is lame and makes no sense.
(I still sort of think it would be the funniest thing ever if even a tiny portion of the livejournal fandom refugees wound up here, posting porn and bitching about the ToS. Though of course we only get one icon, so this will never happen.)
wordpress™ wank 
sunburntkamel said
ew. please no.
bad usability, yes. the img button shouldn’t appear on the edit comment page. mildly frustrating as admin i suppose. but random users posting pictures in comments? myspace indeed.
Alan said
sbk: How very elitists of you. aha At least on WP you can edit pictures out.
sunburntkamel said
fair enough, i am.
i believe you mean _in_ wp. as in, the hosted version. _on_ wp.com, posting images would be an XSS attack vector, and security would require filtering the file extension off the end of the link and making sure it’s .jpg, .gif, or .png. (which is not foolproof).
for hosted wp, i’d venture it should only be enabled for users with
unfiltered_htmlcapabilities. moreover, this is probably the sort of thing that a plugin should handle (like threaded comments, openID, and other livejournal features).Andrea said
But what they’ve done with the .com and MU code is strip out the img tag altogether (among a whole pile of other things).
Check it out:
http://trac.mu.wordpress.org/browser/trunk/wp-includes/kses.php
line 21 declares tags allowed in posts, while line 186 declares tags allowed elsewhere (such as comments). No checking or filtering of file extensions to see is scripts are attached, just a blanket. Or a sledgehammer, depending on your viewpoint.
Uzume said
Updated link: https://core.trac.wordpress.org/browser/trunk/src/wp-includes/kses.php (0.2.2; currently @39638).
The key tags are
$allowedposttags(line 61) and$allowedtags(line 424).Note: character entity references are also stripped. Allowed list is in
$allowedentitynames(line 454).that girl again said
So basically, they’re too lazy to check whether I’m logged in or not. And too lazy to get the comment editor to reflect the reality of what I’m actually allowed to post.
If images are that much of a security risk, then why are bloggers allowed to post them? I mean, anyone can sign up for a blog here; couple of minutes, disposable email, done. There’s no reason why users should be considered more deserving of privileges than any other random passerby.
options said
>So basically, they’re too lazy to check whether I’m logged in or not.
that’s it.
heck, even a `pre` element got striped, that almost drove me demented when I was trying to post some code snippets in the comment of mine. same for ID and NAME attributes — simply a huge vuln vector!
as for XSS, why do you think an ancient (as compared with a state-of-the-art semantic platform) Blogger publishes on the blogspot.com?
Andrea said
A couple days after you wrote this, Donncha added hooks to that file so WPMU admins could choose what to allow.
tester said
link test
i hope this works.