WordPress 2.7, now with fewer absurd bugs
Tuesday, March 10th, 2009
I went ahead and upgraded the installation of WordPress we use for this blog from 2.6 to 2.7 – you won’t notice anything, mind you, but we get a completely different admin interface under the hood. Keeping things up to date is always a good idea from a security standpoint, but I also wanted to address an odd issue that wasn’t present in my own personal installation of 2.7.
I’d noticed a little while ago that the font-colour controls in the editor didn’t seem to work. I could select the text and apply the colour, but the change disappeared once I saved the changes. Looking at the HTML, something odd was afoot:
<span style="#990000">lorem ipsum dolor</span>
Definitely not the expected behaviour: the “color:” property name was being stripped out of the style attribute, leaving just the value behind. A little further searching revealed the treachery: wp-includes/kses.php
kses.php performs data sanitisation, mostly to do with handling dodgy/exploitable code in posts and comments (inline CSS is one of the places such code can hide, which is why the style attribute gets filtered at all). The editor implements colours in the expected manner using inline CSS, but the sanitiser strips it out! I imagined that surely this was well-tested, but trawling Google for likely problem reports was largely fruitless.
There were a couple of posts from people who’d run into this same issue, but the fix was largely unsatisfactory.
- http://mu.wordpress.org/forums/topic.php?id=5619
- http://ryan.wordpress.com/2005/09/20/filtering-post-content-with-kses/
- http://mu.wordpress.org/forums/topic.php?id=6029
Why unsatisfactory? Because you add the desired CSS attributes to an array in kses.php called “$allowed_protocols” – a rather nasty hack to my mind. In WordPress’ defence, I didn’t perform a vanilla installation and verify the issue was still there with no user modifications – it would have been substantial effort for a problem that could be fixed by keeping up to date anyway. No hard feelings, guys.
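To make the behaviour above concrete, here is an added example (my own code, not WordPress’ kses.php) of an allowlist-based filter for the style="" attribute written in the same spirit: property names not on the list are discarded, and values containing the characters old browsers treated as executable (backslash escapes, parentheses as in expression(), ampersands, CSS comments) cause the whole attribute to be refused. The function names, the sample post and the contents of the allowlist are all assumptions made for this example; they are not the list WordPress ships.

```php
<?php
// Added example, not WordPress code: a kses-style allowlist filter for
// the style="" attribute. The property names in the allowlists below are
// hypothetical stand-ins for whatever list the real sanitiser carries.

/**
 * Keep only declarations whose property name is on the allowlist. Refuse
 * the entire attribute if the value could smuggle in script or escapes
 * (backslash, "(", "&" or a CSS comment opener), since old IE evaluated
 * expression() and url(javascript:) inside inline styles.
 * Returns the filtered style string; "" means "drop the attribute".
 */
function filter_style_attr(string $css, array $allowed_props): string
{
    // Flatten whitespace tricks before looking at the content.
    $css = str_replace(["\n", "\r", "\t"], '', $css);

    // Any of  \  (  &  or  /*  is grounds to throw the whole attribute away.
    if (preg_match('%[\\\\(&]|/\*%', $css)) {
        return '';
    }

    $kept = [];
    foreach (explode(';', $css) as $decl) {
        $decl = trim($decl);
        if ($decl === '') {
            continue;
        }
        $parts = explode(':', $decl, 2);
        if (count($parts) !== 2) {
            continue; // a bare "#990000" is not a declaration at all
        }
        $prop  = strtolower(trim($parts[0]));
        $value = trim($parts[1]);

        // Unknown property: drop the whole "prop: value" pair, never just
        // the property name (that is what produces style="#990000").
        if (in_array($prop, $allowed_props, true)) {
            $kept[] = $prop . ': ' . $value;
        }
    }
    return implode('; ', $kept);
}

/** Run filter_style_attr() over every style="" attribute in an HTML fragment. */
function filter_inline_styles(string $html, array $allowed_props): string
{
    return preg_replace_callback(
        '/\sstyle="([^"]*)"/i',
        function (array $m) use ($allowed_props): string {
            $clean = filter_style_attr($m[1], $allowed_props);
            return $clean === '' ? '' : ' style="' . $clean . '"';
        },
        $html
    );
}

// Constructed sample post: one legitimate colour, one old-IE style payload.
$post = '<span style="color: #990000; font-weight: bold">lorem ipsum dolor</span>'
      . '<p style="width: expression(alert(1))">x</p>';

// Allowlist without "color": the colour silently vanishes from the saved
// post, which is the symptom described above.
$without_color = ['text-align', 'font-weight', 'margin'];
echo filter_inline_styles($post, $without_color), "\n";

// The fix is to extend the allowlist rather than disable the filter: the
// colour now survives while the expression() attribute is still refused.
$with_color = array_merge($without_color, ['color']);
echo filter_inline_styles($post, $with_color), "\n";
```

Run it with `php example.php`. The first line of output has lost the colour declaration (and the `<p>` has lost its style attribute entirely), the second keeps `color: #990000` but still strips the expression() payload. The point to take from it is that the right place to fix a stripped property is the property allowlist, and that a well-behaved sanitiser removes the whole declaration rather than leaving an invalid `style="#990000"` fragment behind.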
