The MU forums have moved to WordPress.org

Use class in Image Tag? (11 posts)

  1. Majestix
    Member
    Posted 16 years ago #

    Hi there,

    I'd like to align my images to right or left and would like to use class='right' inside the img tag for example.

    However, WordPress MU is removing the class definition. Any way to prevent WP MU from removing it?

    Thanks!

  2. donncha
    Key Master
    Posted 16 years ago #

    You'll have to modify your wp-includes/kses.php but it's removed for security reasons.

  3. Majestix
    Member
    Posted 16 years ago #

    Thanks for your reply, just curious, what could happen if I remove this security feature?

  4. lunabyte
    Member
    Posted 16 years ago #

    Donncha, could you elaborate a little? I'm not sure I "grasp" how a "class" can be an injection point.

  5. peiqinglong
    Member
    Posted 16 years ago #

    Majestix, nothing. You'll be able to use class again.

  6. donncha
    Key Master
    Posted 16 years ago #

    http://ha.ckers.org/blog/20060817/variable-width-encoding/ seems like a good reason not to allow them, via http://mu.wordpress.org/forums/topic.php?id=4611&replies=4

    I'll be the first to say I don't know all the implications of allowing bits of code to get to the browser but as the post above shows, something that could be considered safe can be exploited.

  7. KKWangen
    Member
    Posted 16 years ago #

    I was just wondering if there were a way to create "allowed attribute values", as I understand this is just a security risk if someone enters things that really aren't allowed as values if you want valid HTML.

    So if you allow the class attribute in the img tag the only allowed values would be 'right', 'left' and 'center'. If someone enters something else the tag will be stripped out.

    Is it possible to code something like that?

    Because it would be nice if people could use class for aligning images or create a sidequote using the class attribute.

  8. lunabyte
    Member
    Posted 16 years ago #

    I think there would be a few ways around it, so that you get the best of both worlds.

    For the main blog, just use a plugin that allows that tag, or any other tag you want for your personal use.

    Then, for other plugins a different image inserter bar could be made as a plugin.

    One where it inserts the image as something like the old coppermine plugin did, then parses it when the post is pulled.

    [image:id:l:s] would turn into an image tag, using the image id to pull the right image (or it could just be the path to the image to speed it up), the "l" would be "left" (as in float), and then an optional border to create a shadow type look (the "s").

    Not perfect, but it could be done to produce the same functionality.
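
The token approach from post 8, combined with the fixed set of allowed values asked about in post 7, as an added example that is not part of the thread and is not WordPress MU code. It is plain PHP; the function name, the `$images` lookup, the `r` and `c` codes and the `shadow` class are assumptions made for illustration.

```php
<?php
// Added example, not WordPress MU code. All names here are hypothetical.

// Fixed mapping from one-letter token codes to CSS classes. "l" is the code
// used in the post; "r" and "c" are assumed by analogy.
const ALIGN_CLASSES = ['l' => 'left', 'r' => 'right', 'c' => 'center'];

/**
 * Replace [image:ID:ALIGN] or [image:ID:ALIGN:s] tokens with <img> tags.
 * $images maps image id => ['src' => ..., 'alt' => ...]; it is a constructed
 * stand-in for a lookup in the blog's own image store.
 */
function render_image_tokens(string $content, array $images): string
{
    // The pattern is the allowlist: digits for the id, exactly one of l/r/c
    // for alignment, an optional literal "s". Anything else never matches
    // and stays in the post as inert text.
    $pattern = '/\[image:(\d{1,9}):([lrc])(:s)?\]/';

    return preg_replace_callback($pattern, function (array $m) use ($images): string {
        $id = (int) $m[1];
        if (!isset($images[$id])) {
            return ''; // unknown image id: emit nothing
        }
        $classes = [ALIGN_CLASSES[$m[2]]];
        if (!empty($m[3])) {
            $classes[] = 'shadow';
        }
        // Class names come only from constants, never from the author's
        // input; src and alt are escaped for use inside quoted attributes.
        return sprintf(
            '<img src="%s" alt="%s" class="%s" />',
            htmlspecialchars($images[$id]['src'], ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($images[$id]['alt'], ENT_QUOTES, 'UTF-8'),
            implode(' ', $classes)
        );
    }, $content);
}

// Constructed sample data: one known image, one bad alignment code,
// one unknown image id.
$images = [42 => ['src' => '/files/2008/05/cat.jpg', 'alt' => 'A "quoted" cat']];
$post = 'Intro [image:42:l:s] text [image:42:x] and [image:7:r].';
echo render_image_tokens($post, $images), "\n";
```

Because the author only ever types the token, the `class` attribute can stay blocked in kses for user-supplied HTML while the alignment classes are still available.
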

  9. KKWangen
    Member
    Posted 16 years ago #

    Actually, it sounds like a good idea.

    But I have to ask about this: aren't all HTML attributes a security risk in this case?

    In the article linked to from this thread the author uses the alt attribute as an example, so I'm not sure why class or id is especially harmful.

  10. donncha
    Key Master
    Posted 16 years ago #

    KKWangen - that's correct, all attributes are at risk not just ALT. I presume he used ALT as an example to show how it's done.

  11. GregM
    Member
    Posted 16 years ago #

    Hi folks,

    As far as I can tell, the interpretation of the variable width encoding exploit and its relevance to WPMU that's been offered isn't quite right. See the other thread on this topic here:

    http://mu.wordpress.org/forums/topic.php?id=5258&page&replies=29#post-34263

    Or for my own ramblings on the issue, see:

    http://whereelsetoputit.com/blog/restoring-lost-wordpress-functionality/

    All the best,
    Greg
