New Release: WordPress 5.0.1

This notice relates to the following platforms: VIP Go and WordPress.com

WordPress 5.0.1 was just released and includes several security enhancements. All VIP sites have already been patched and are protected.

For more details about the changes in this release, please see the announcement post and developer notes.

Notable change: wp_kses and form elements

A notable change in 5.0.1 is the removal of <form> as a default allowed tag in the KSES filters. In most cases this will have no impact, because <form> is automatically allowed if <input> or <select> is also allowed, but there are a few specific situations to watch out for. Before going into further detail, it is worth mentioning that we have assessed the impact of these changes to be minimal for VIP sites.

With this change, when a Contributor or Author adds the <form> tag to a post, it will now be stripped out when the post is saved. This will also happen with any other content areas that are passed through the wp_kses_post() family of functions. That means this is not just limited to the main content field on posts, but can occur on other meta boxes and plugin outputs — including shortcode outputs in some cases. As an example, this code could cause the update to be a breaking change:

// In 5.0.1 this returns an empty string: <form> is no longer in the default
// allowed list for the 'post' context, so the whole element is stripped.
wp_kses_post( '<form class="my-form" id="form-id-5"></form>' );

If you need to continue to allow <form> tags to pass KSES, the solution is to explicitly allow either the form, input, or select tags via the wp_kses_allowed_html filter. Any one of these will prevent the form tag from being stripped. Here is an example of using the filter:

// Re-add <form> to the allowed tags. Only the attributes listed here survive
// KSES; any attribute not in this array is dropped from the tag.
add_filter( 'wp_kses_allowed_html', function( $allowed_tags ) {
	$allowed_tags['form'] = array(
		'action' => true,
		'accept' => true,
		'accept-charset' => true,
		'enctype' => true,
		'method' => true,
		'name' => true,
		'target' => true,
	);

	return $allowed_tags;
} );

It is also worth noting that the input and select tags have never been allowed to pass KSES by default. As a result, you likely will not be impacted by this change if you’re already explicitly using wp_kses_allowed_html to define one of these allowed HTML elements. This is why we anticipate minimal impact here.
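The filter above applies to every KSES context. As an added example (not code from the original notice or from WordPress core), the same filter can be restricted to the 'post' context using the second argument the wp_kses_allowed_html filter passes, with a deliberately small attribute list so that nothing beyond what the feature needs (in particular no on* event-handler attributes) passes through; the $markup and $clean variables are constructed here for illustration.

```php
<?php
// Added example, not part of the original post. Assumes WordPress core is loaded
// (add_filter(), wp_kses_post()) and that 'wp_kses_allowed_html' is applied with
// ( $allowed_tags, $context ), as it is in core.
add_filter( 'wp_kses_allowed_html', function ( $allowed_tags, $context ) {
	// Leave other contexts (e.g. 'user_description', 'strip') untouched;
	// wp_kses_post() runs with the 'post' context.
	if ( 'post' !== $context ) {
		return $allowed_tags;
	}

	// Explicit whitelist. class/id must be listed here too: global attributes
	// are not added automatically to tags inserted through this filter.
	// Nothing else on the tag survives, so onsubmit/onclick style attributes
	// are dropped even if an Author pastes them in.
	$allowed_tags['form'] = array(
		'action' => true,
		'method' => true,
		'class'  => true,
		'id'     => true,
	);

	return $allowed_tags;
}, 10, 2 );

// Illustrative check (constructed markup), e.g. run from an mu-plugin or `wp eval-file`.
$markup = '<form class="my-form" id="form-id-5" method="post" action="/submit" onsubmit="return false"></form>';
$clean  = wp_kses_post( $markup );
// $clean keeps the <form> with class, id, method and action; the onsubmit
// attribute is removed because it is not in the whitelist. Without this filter
// the whole element would be stripped under 5.0.1.
```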

Have questions?

If you have any questions related to this release, please open a support ticket with details and we will be happy to assist.