WordPress 3.0.4 was released on December 29, 2010, the last WordPress release of 2010. This release patches XSS vulnerabilities in the KSES library, and WordPress considers it a critical security update.
What is KSES?
KSES is an HTML/XHTML filter written in PHP. It removes all unwanted HTML elements and attributes, and it also performs several checks on attribute values. kses can be used to avoid Cross-Site Scripting (XSS). KSES is an open source project available on SourceForge, but it is a dead project and is no longer maintained by its author.
How to produce the vulnerabilities
The kses HTML filter (wp-includes/kses.php) now applies the “bad protocol” check to all attribute values. It treats any string containing a colon (:) as a URI, and if the string does not start with an allowed protocol (http, https, ftp, …), it deletes the text before the colon as a bad protocol.
<img src="something.png" alt="Something: here" />
will change to:
<img src="something.png" alt="here" />
“Something:” is deleted because it is treated as a bad protocol.
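To make the behaviour described above concrete, here is a simplified Python model of kses's bad-protocol check, added as an illustration and not WordPress's own code: any attribute value containing a colon is treated as a URI, the part before the first colon is normalised and compared against an allowed-scheme list, and if it is not allowed everything up to and including the colon is dropped, repeatedly until the value stops changing. The allowed-scheme set and the attribute regex are assumptions, and the leading space after the colon survives in this model (the page shows the result with the space trimmed).

```python
import html
import re

# Assumption: a representative allowed-scheme list, as the page names
# http, https, ftp, "..." rather than the full WordPress set.
ALLOWED_PROTOCOLS = {"http", "https", "ftp", "mailto", "news", "irc", "telnet"}


def bad_protocol_once(value: str) -> str:
    """One pass of the check: a value with a colon is treated as a URI.

    If the candidate scheme before the first colon is not allowed, return
    only the text after the colon (the scheme is "deleted").
    """
    if ":" not in value:
        return value
    scheme, rest = value.split(":", 1)
    # Normalise the scheme before comparing: decode entities, strip
    # whitespace and control characters, lower-case (simplified model).
    scheme = html.unescape(scheme)
    scheme = re.sub(r"[\s\x00-\x1f]", "", scheme).lower()
    if scheme in ALLOWED_PROTOCOLS:
        return value
    return rest


def bad_protocol(value: str, max_passes: int = 6) -> str:
    """Repeat the single pass until the value is stable, so a nested
    scheme such as "java:script:..." is stripped layer by layer."""
    for _ in range(max_passes):
        new_value = bad_protocol_once(value)
        if new_value == value:
            return new_value
        value = new_value
    return value


def filter_attribute_values(tag: str) -> str:
    """Apply the check to every double-quoted attribute value in a tag,
    mirroring 3.0.4's move from URL attributes only to all attributes."""
    return re.sub(
        r'(\w+)="([^"]*)"',
        lambda m: f'{m.group(1)}="{bad_protocol(m.group(2))}"',
        tag,
    )


if __name__ == "__main__":
    # Constructed sample: the tag from the text above.
    print(filter_attribute_values('<img src="something.png" alt="Something: here" />'))
```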
What file is patched
Only two core files needed to be patched:
And other files revised:
wp-includes/version.php
readme.html
wp-admin/includes/update-core.php
For more detail about the changes, see WordPress Trac.