Wordpress-MU stripping style tags (5 posts)

  1. baptiste
    Member
    Posted 17 years ago #

    I've noticed something with MU that doesn't seem to happen with my normal Wordpress installs. It seems that every time I save a post, the style tags get stripped off. For example, I need a roman letter style ordered list. But every time the post is saved, the style="list-style-type" attributes are all stripped out.

    I'm doing some serious digging to find out where this is happening, but so far haven't found where it might be. It may be a plugin though I don't have many installed. I've checked the database and it's definitely being saved in a stripped format (vs being stripped when the post is viewed).

  2. drmike
    Member
    Posted 17 years ago #

    Yup, they get stripped for security. We have a couple examples of style tags being used for hacking over at wp.com. Please take a look at wp-includes/kses.php for the code that you are looking for if you want to add these back in. Please note that doing so may leave you open for hackers.

  3. baptiste
    Member
    Posted 17 years ago #

    Thanks for the tip on where to look. I'm curious exactly how a hacker could gain access via style tags in a post. Is this some type of exotic cross site scripting issue? It might help decide if it's worth allowing or not. What types of style tags allowed them in?

    Our main goal here is to allow custom styles in ordered lists. How would allowing a poster to include a style attribute in an ol tag allow them to hack wordpress-mu?

  4. drmike
    Member
    Posted 17 years ago #

    Honest answer - not sure. My web security knowledge is rather limited. (I was the one to bring up what needs to be done with text widget security)

    I know the FAQ over at wp.com points to a pair of articles about a hacking example where someone was able to get javascript in there via style coding.

    I'm a bit out of my league I must admit. :(

    I grew up on Turbo Pascal. You young people today with your PXP and your MyScrewy. Back in my day, we had to walk 5 miles in teh snow and the lava simply to deliver one of your en-turn-net packets... :)

    I really need to go get my mail. Back in a bit.

  5. ladynada
    Member
    Posted 16 years ago #

About this Topic

  • Started 17 years ago by baptiste
  • Latest reply from ladynada
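
The trade-off discussed in the thread (list styles on `ol` versus arbitrary style content) can be narrowed with a strict allowlist on the style value itself. The following is an added example, not code from the thread or from WordPress; `filter_style_value()` and `ALLOWED_STYLE` are hypothetical names, and wiring it into wp-includes/kses.php is not shown.

```php
<?php
// Added example: hypothetical helper, not part of WordPress or kses.php.
// A style attribute survives only if every declaration is an allowlisted
// property with an allowlisted keyword value; otherwise it is dropped whole.

const ALLOWED_STYLE = [
    'list-style-type' => [
        'decimal', 'lower-roman', 'upper-roman', 'lower-alpha',
        'upper-alpha', 'disc', 'circle', 'square', 'none',
    ],
];

function filter_style_value(string $style): string
{
    // Only plain keyword syntax is accepted: letters, hyphen, colon,
    // semicolon, whitespace. Parentheses, quotes, backslashes, slashes
    // and comments never reach the parser below.
    if (!preg_match('/^[a-zA-Z:;\s-]*$/', $style)) {
        return '';
    }
    $kept = [];
    foreach (explode(';', $style) as $decl) {
        $decl = trim($decl);
        if ($decl === '') {
            continue; // tolerate a trailing semicolon
        }
        $parts = explode(':', $decl);
        if (count($parts) !== 2) {
            return ''; // malformed declaration: fail closed
        }
        $prop = strtolower(trim($parts[0]));
        $val  = strtolower(trim($parts[1]));
        if (!array_key_exists($prop, ALLOWED_STYLE)
            || !in_array($val, ALLOWED_STYLE[$prop], true)) {
            return ''; // unknown property or value: drop the attribute
        }
        $kept[] = "$prop: $val"; // re-emit in normalised form
    }
    return implode('; ', $kept);
}

// Constructed sample inputs (not taken from the thread).
foreach ([
    'list-style-type: upper-roman',
    'LIST-STYLE-TYPE:lower-roman;',
    'list-style-type: upper-roman; color: red',
    'list-style-type: something(else)',
] as $in) {
    $out = filter_style_value($in);
    printf("%-42s => %s\n", $in, $out === '' ? '(attribute dropped)' : "style=\"$out\"");
}
```

The filter fails closed: one unrecognised declaration removes the whole attribute rather than only the offending part, so a post never keeps a partially trusted style value.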