WordPress 2.7, now with fewer absurd bugs

March 10, 2009 · Technical

I went ahead and upgraded the installation of WordPress we use for this blog from 2.6 to 2.7 – you won’t notice anything, mind you, but we get a completely different admin interface under the hood. Keeping things up to date is always a good idea from a security standpoint, but I also wanted to address an odd issue that wasn’t present in my own personal installation of 2.7.

I’d noticed a little while ago that the font-colour controls in the editor didn’t seem to work. I could select the text and apply the colour, but the change disappeared once I saved the changes. Looking at the HTML, something odd was afoot:

<span style="#990000">lorem ipsum dolor</span>

Definitely not the expected behaviour: the “color:” was being stripped out of the style attribute. A little further searching revealed the treachery: wp-includes/kses.php

kses.php performs data sanitisation, mostly to do with handling dodgy/exploitable code in posts and comments. The editor implements colours in the expected manner using inline CSS, but the sanitiser strips it out! I imagined that surely this was well-tested, but trawling Google for likely problem reports was largely fruitless.
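As an added illustration (this is not the WordPress code), here is a small allow-list filter in Python modelled on what a style-attribute sanitiser like kses does: each "property: value" declaration is either kept whole or dropped whole, so a mangled result like the style="#990000" seen above cannot come out of it. The property list and the value checks are constructed assumptions, not the lists in kses.php.

```python
import re

# Constructed allow-list of CSS properties the filter keeps (an assumption,
# not the list used by WordPress' kses.php).
ALLOWED_CSS_PROPERTIES = {"color", "background-color", "text-align", "font-weight"}

# Value constructs refused even for allowed properties: anything that can pull
# in an external resource or evaluate script-like expressions.
_DANGEROUS_VALUE = re.compile(r"(url\s*\(|expression\s*\(|javascript:|@import|\\)", re.I)


def filter_style(style: str) -> str:
    """Return only the allow-listed declarations of an inline style string.

    A declaration is kept intact or removed entirely; the filter never emits a
    bare value (e.g. '#990000') with its property name stripped off.
    """
    kept = []
    for decl in style.split(";"):
        if ":" not in decl:
            continue  # not a property/value pair, e.g. a stray '#990000'
        prop, value = decl.split(":", 1)
        prop, value = prop.strip().lower(), value.strip()
        if not value or prop not in ALLOWED_CSS_PROPERTIES:
            continue  # unknown or empty property: drop the whole declaration
        if _DANGEROUS_VALUE.search(value):
            continue  # allowed property, but a value we will not pass through
        kept.append(f"{prop}: {value}")
    return "; ".join(kept)


def filter_inline_styles(html: str) -> str:
    """Run every style="..." attribute in a fragment through filter_style.

    An attribute that ends up empty is removed rather than left dangling.
    """
    def repl(m: re.Match) -> str:
        cleaned = filter_style(m.group(2))
        return f'{m.group(1)} style="{cleaned}"' if cleaned else m.group(1)

    return re.sub(r'(<\w+[^>]*?)\s+style="([^"]*)"', repl, html)


if __name__ == "__main__":
    # Constructed sample: the markup the editor produces for a coloured span.
    print(filter_inline_styles('<span style="color:#990000">lorem ipsum dolor</span>'))
```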

There were a couple of posts from people who’d run into this same issue, but the fix was largely unsatisfactory.

Why unsatisfactory? Because you add the desired CSS attributes to an array in kses.php called “$allowed_protocols” – a rather nasty hack to my mind. In WordPress’ defence, I didn’t perform a vanilla installation and verify the issue was still there with no user modifications – it would have been substantial effort for a problem that could be fixed by keeping up to date anyway. No hard feelings, guys.