Hi there,
I'd like to align my images to right or left and would like to use class='right' inside the img tag for example.
However, WordPress MU is removing the class definition. Any way to prevent WP MU from removing it?
Thanks!
You'll have to modify your wp-includes/kses.php but it's removed for security reasons.
Thanks for your reply, just curious, what could happen if I remove this security feature?
Donncha, could you elaborate a little? I'm not sure I "grasp" how a "class" can be an injection point.
Majestix, nothing. You'll be able to use class again.
http://ha.ckers.org/blog/20060817/variable-width-encoding/ seems like a good reason not to allow them, via http://mu.wordpress.org/forums/topic.php?id=4611&replies=4
I'll be the first to say I don't know all the implications of allowing bits of code to get to the browser but as the post above shows, something that could be considered safe can be exploited.
I was just wondering if there were a way to create "allowed attribute values", as I understand this is just a security risk if someone enters things that really aren't allowed as values if you want valid HTML.
So if you allow the class attribute in the img tag the only allowed values would be 'right','left' and 'center'. If someone enters something else the tag will be stripped out.
Is it possible to code something like that?
Because it would be nice if people could use class for aligning images or create a sidequote using the class attribute.
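The "allowed attribute values" idea from the post above, as an added example that is not part of the thread and is not WordPress or kses.php code: a stand-alone Python filter that keeps `class` on `img` only when its value is exactly `left`, `right` or `center`, and drops the tag otherwise. The policy table, the names `POLICY`, `is_web_url` and `sanitize`, and the http/https-only rule for `src` are assumptions made for the illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALIGN_CLASSES = {"left", "right", "center"}  # the three values named in the post

def is_web_url(value):
    try:
        return urlsplit(value).scheme in ("http", "https")
    except ValueError:  # malformed URL
        return False

# Constructed policy (an assumption): tag -> {attribute: check on its value}.
POLICY = {
    "img": {"src": is_web_url,
            "alt": lambda v: True,  # free text, escaped on output
            "class": lambda v: v in ALIGN_CLASSES},
    "p": {}, "em": {}, "strong": {},
}

class AllowlistFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        rules = POLICY.get(tag)
        if rules is None:
            return  # tag not listed: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            check = rules.get(name)
            if check is None:
                continue  # attribute not listed: drop the attribute
            if value is None or not check(value):
                return  # listed attribute, value not allowed: drop the tag
            # Re-serialize with escaping so a value cannot close its own quotes.
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in POLICY and tag != "img":  # img is a void element
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def sanitize(fragment):
    parser = AllowlistFilter()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

The output is rebuilt from parsed tokens rather than edited in place, so only markup the policy produced reaches the page.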
I think there would be a few ways around it, so that you get the best of both worlds.
For the main blog, just use a plugin that allows that tag, or any other tag you want for your personal use.
Then, for other plugins a different image inserter bar could be made as a plugin.
One where it inserts the image as something like the old coppermine plugin did, then parses it when the post is pulled.
[image:id:l:s] would turn into an image tag, using the image id to pull the right image (or it could just be the path to the image to speed it up), the "l" would be "left" (as in float), and then an optional border to create a shadow type look (the "s").
Not perfect, but it could be done to produce the same functionality.
Actually, it sounds like a good idea.
But I have to ask about this: aren't all HTML attributes a security risk in this case?
In the article linked to from this thread the author uses the alt attribute as an example, so I'm not sure why class or id is especially harmful.
KKWangen - that's correct, all attributes are at risk not just ALT. I presume he used ALT as an example to show how it's done.
Hi folks,
As far as I can tell, the interpretation of the variable width encoding exploit and its relevance to WPMU that's been offered isn't quite right. See the other thread on this topic here:
http://mu.wordpress.org/forums/topic.php?id=5258&page&replies=29#post-34263
Or for my own ramblings on the issue, see:
http://whereelsetoputit.com/blog/restoring-lost-wordpress-functionality/
All the best,
Greg