The MU forums have moved to WordPress.org

Allowing Images in Comments - Sanitizing (8 posts)

  1. honewatson
    Member
    Posted 16 years ago #

    If you want to allow images and additional HTML tags in comments, check the following link:

    http://orangescale.net/blognotes/wordpress/sanitizing-html-tags-in-wordpress-mu/index.php

    Add appropriate tag hacks to your /wp-includes/kses.php file in the below array:

    $allowedtags = array (

    You could basically just copy what's in your $allowedposttags = array:


    'img' => array (
    'alt' => array (),
    'border' => array (),
    'class' => array (),
    'height' => array (),
    'hspace' => array (),
    'longdesc' => array (),
    'vspace' => array (),
    'src' => array (),
    'width' => array ()),

  2. drmike
    Member
    Posted 16 years ago #

    OK, I'm an idiot. How does this "Sanitize" the images?

  3. lunabyte
    Member
    Posted 16 years ago #

    It doesn't.

    According to Donncha's reference the other day, this would open a hole bigger than Texas.

    Not to mention, spammers would end up bypassing all the spam plugins out there and insert their crap in an image.

    Ouch. This idea isn't good at all.

  4. thomasarie
    Member
    Posted 16 years ago #

    Hello,

    I am the author of that entry. I use that method for our WordPress MU at http://asiablogging.com

    Well, not the asiablogging.com itself, but for blogs in that network. We want our contributors to be able to add style="" inside <img src="" />. We will use our class="" to format the images in entries. But as a quick and dirty solution, just in case our bloggers want to do their own formatting, they can.

    If you have a better solution, I really appreciate it. Thank you.

  5. lunabyte
    Member
    Posted 16 years ago #

    Wow, talk about a walking security risk.

  6. drmike
    Member
    Posted 16 years ago #

    Style tags are a security risk. That's how the MySpace worm worked. And the kses file can't work with them, so they're stripped. (We had this discussion on the wp-hackers list about a month ago. Someone care to grab a link? Locked down, crashing terminal tonight. We discussed it when comparing the different security filter scripts out there.)
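    The allowlist idea from post 1 and the point in post 6 that style="" is simply not on the list, shown as an added example. This is not WordPress's kses code: it is a small stand-alone filter in the same spirit, with a constructed $allowedtags array and a constructed input fragment, and it checks only the URL scheme of src/href (real kses normalizes the URL far more before that check).

```php
<?php
// Constructed allowlist in the shape of $allowedtags: tag => attribute list.
// style="" is absent on purpose; class="" (the thread's alternative) is present.
$allowedtags = array(
    'img' => array('alt' => array(), 'class' => array(), 'src' => array(),
                   'width' => array(), 'height' => array()),
    'a'   => array('href' => array(), 'title' => array()),
    'b'   => array(),
);
$allowed_protocols = array('http', 'https');

// A URL passes if it is relative or its scheme is in the allowed list.
function url_is_allowed($url, $allowed_protocols) {
    $url = trim($url);
    if (!preg_match('/^([a-z][a-z0-9+.-]*):/i', $url, $m)) {
        return true;
    }
    return in_array(strtolower($m[1]), $allowed_protocols, true);
}

// Walk the tree: unlisted attributes are removed, unlisted elements are
// unwrapped (their already-filtered children are kept, the tag is not),
// and anything that is not an element or text (comments, PIs) is dropped.
function filter_node(DOMNode $node, $allowedtags, $allowed_protocols) {
    $children = iterator_to_array($node->childNodes);  // copy: we mutate below
    foreach ($children as $child) {
        if ($child->nodeType === XML_TEXT_NODE) {
            continue;
        }
        if ($child->nodeType !== XML_ELEMENT_NODE) {
            $node->removeChild($child);
            continue;
        }
        filter_node($child, $allowedtags, $allowed_protocols);
        $tag = strtolower($child->nodeName);
        if (!isset($allowedtags[$tag])) {
            while ($child->firstChild) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->nodeName);
            $ok = isset($allowedtags[$tag][$name]);
            if ($ok && ($name === 'src' || $name === 'href')) {
                $ok = url_is_allowed($attr->nodeValue, $allowed_protocols);
            }
            if (!$ok) {
                $child->removeAttribute($attr->nodeName);
            }
        }
    }
}

function sanitize_fragment($html, $allowedtags, $allowed_protocols) {
    $doc = new DOMDocument();
    // Wrap the fragment so the root is predictable; NOIMPLIED keeps libxml
    // from adding <html><body> around it.
    $doc->loadHTML('<div>' . $html . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    $root = $doc->documentElement;
    filter_node($root, $allowedtags, $allowed_protocols);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed input: style="" and the <span> are not listed, so they go.
$input = '<img src="http://example.com/a.png" class="photo" style="position:absolute" width="100"><span>caption</span>';
echo sanitize_fragment($input, $allowedtags, $allowed_protocols), "\n";
// Prints: <img src="http://example.com/a.png" class="photo" width="100">caption
```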

  7. thomasarie
    Member
    Posted 16 years ago #

    This experiment (I mean enabling style="") was not applied globally. Thank you for your feedback!

    We will use class="" instead. Once again, thank you!

  8. honewatson
    Member
    Posted 16 years ago #

    Hey, I'm certainly not recommending it.

    For my purposes I needed to have images in comments on a private multi-user blog which uses Angsuman's Authenticated WordPress Plugin, so maybe these security risks are not relevant in my situation, since you cannot access the blog unless you are registered, and you cannot register unless you are invited.

About this Topic

  • Started 16 years ago by honewatson
  • Latest reply from honewatson