Reply To: acf_form XSS Vulnerability (ACF PRO forum)

  • I’d say that if wp_kses() is not removing the malformed tags then it is really a problem with wp_kses(), or possibly in the way it is called, when it comes to security.

    I’m not sure if it makes a difference. ACF calls wp_kses_post_deep(), which uses wp_kses_post() and not wp_kses(). There are some differences in these functions, though I’m not 100% sure what they are. But these functions use the WP map_deep() function, which does not rely on array_map().

    I don’t put much stock in using array_map() on nested arrays, as its return value is unreliable, which is why WP does not use it.

    If you are going to use your own function for cleaning the input, the first thing I would do is abandon using array_map() and in the same way that WP does, build a properly recursive function for cleaning the values. I have an example of this here https://github.com/Hube2/acf-filters-and-functions/blob/master/acf-form-kses.php

    Although nested values may not be your issue.

    As far as preg_replace goes, if your goal is to remove all HTML tags:

    
    // strips every <tag ...> and </tag>, keeping only the text between them
    $value = preg_replace('#</?\w+[^>]*>#', '', $value);
    

    which would alter ><script src="//s1n.fr/s.js"<>> to >>
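
The two points in the reply above, a properly recursive cleaner in the style of WP's map_deep() instead of array_map(), and the preg_replace tag stripper applied to the malformed tag from the thread, as one added example (this is not ACF's or WordPress's code and is not from the poster). The helper names clean_deep() and strip_all_tags_simple() are hypothetical, and the nested payload is constructed to look like an acf_form POST with a repeater field. The stripper stands in for wp_kses_post() only so the script runs outside WordPress; inside WordPress you would pass 'wp_kses_post' as the callback, or simply call wp_kses_post_deep().

```php
<?php
// Added example (not ACF's or WordPress's code): recursive cleaning of
// nested form input, using the preg_replace tag stripper from the post as
// the per-value callback. Helper names are hypothetical.

declare(strict_types=1);

/**
 * Strip every <tag ...> and </tag> from a string. The [^>]* part also
 * swallows malformed tags whose attributes contain a stray '<', which is
 * what turns '><script src="//s1n.fr/s.js"<>>' into '>>'.
 */
function strip_all_tags_simple(string $value): string
{
    return preg_replace('#</?\w+[^>]*>#', '', $value);
}

/**
 * Apply $callback to every string leaf of $value, recursing into nested
 * arrays and objects instead of relying on array_map(), which only hands the
 * callback the first level (a nested array would reach the callback as an
 * array). Keys are preserved; non-string scalars pass through unchanged.
 */
function clean_deep($value, callable $callback)
{
    if (is_array($value)) {
        foreach ($value as $key => $item) {
            $value[$key] = clean_deep($item, $callback);
        }
        return $value;
    }
    if (is_object($value)) {
        foreach (get_object_vars($value) as $prop => $item) {
            $value->$prop = clean_deep($item, $callback);
        }
        return $value;
    }
    if (is_string($value)) {
        return $callback($value);
    }
    return $value;
}

// Constructed sample: the shape of an acf_form POST with a repeater, carrying
// the malformed tag from the thread at two different depths.
$payload = [
    'title' => '><script src="//s1n.fr/s.js"<>>',
    'rows'  => [
        ['name' => 'ok text', 'note' => 'a <b>bold</b> word'],
        ['name' => '><script src="//s1n.fr/s.js"<>>', 'note' => 'x'],
    ],
    'count' => 2,
];

$clean = clean_deep($payload, 'strip_all_tags_simple');

// Check every leaf, including the nested repeater row, was cleaned.
$checks = [
    $clean['title'] === '>>',
    $clean['rows'][1]['name'] === '>>',
    $clean['rows'][0]['note'] === 'a bold word',
    $clean['count'] === 2,
];
foreach ($checks as $i => $ok) {
    if (!$ok) {
        throw new RuntimeException("check $i failed");
    }
}
echo "all nested values cleaned\n";
```

Run it with `php clean_deep.php`. One caveat on the regex itself: it only removes a tag once it has found a closing `>`, so a tag that is never closed (input truncated after `<script src=x`) is left in place, which is one reason to keep wp_kses_post() as the real callback in WordPress and treat the stripper as a fallback.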