To clarify -- these files in the error were NOT edited at the time of the error, I checked twice. And I checked again by doing a diff with a fresh WordPress install. I had to remove the broken line -- shown below -- because it crashes WordPress. This line does not crash all WordPress blogs, obviously, and I have another blog on the same LEMP stack without the fatal error. How is "kses" activated in this case? Is it the content of the blog? I don't know, but I don't see any plugin or theme in the stack trace.

Here's the error:

[error] FastCGI sent in stderr: "PHP message: PHP Fatal error: Uncaught TypeError: in_array(): Argument #2 ($haystack) must be of type array, null given in /home/www-data/example/wp-includes/kses.php:1871
#0 /home/www-data/example/wp-includes/kses.php(1871): in_array()
#1 [internal function]: wp_kses_named_entities()
#2 /home/www-data/example/wp-includes/kses.php(1842): preg_replace_callback()
#3 /home/www-data/example/wp-includes/formatting.php(981): wp_kses_normalize_entities()

This line does not work in PHP8:

return ( ! in_array( $i, $allowedentitynames, true ) ) ? "&amp;$i;" : "&$i;";

There's no plugin or theme referring to "allowedentitynames" as per grep.

Asked Jul 29, 2022 at 9:10 by Jay Brunet; edited Jul 30, 2022 at 23:34
  • This make post claims there are only deprecation notices left. Which WP version are you on? Could also be that a plugin/theme is using a WP function wrong, try to deactivate them one by one and check if the error disappears. – kero Commented Jul 29, 2022 at 9:27
  • @kero Latest WP version as of this morning. – Jay Brunet Commented Jul 29, 2022 at 18:51
  • @kero Removed PHP8 from the question, keeping an open mind as to what the problem is. – Jay Brunet Commented Jul 29, 2022 at 20:51
  • Does your installation configuration or one of your extensions define the CUSTOM_TAGS constant? – bosco Commented Jul 30, 2022 at 22:37
  • Is this a full stack trace? That variable is passed through filters that can be misused, e.g. it's passed through an array_map with _wp_add_global_attributes, and if you define CUSTOM_TAGS it prevents WordPress from defining that variable. – Tom J Nowell Commented Jul 30, 2022 at 23:23

2 Answers

When you use the deprecated CUSTOM_TAGS constant, you have to define the variables WordPress would normally create in kses.php at the top. If you do not then you will encounter this issue.

/**
 * Specifies the default allowable HTML tags.
 *
 * Using `CUSTOM_TAGS` is not recommended and should be considered deprecated. The
 * {@see 'wp_kses_allowed_html'} filter is more powerful and supplies context.
 *
 * @see wp_kses_allowed_html()
 * @since 1.2.0
 *
 * @var array[]|false Array of default allowable HTML tags, or false to use the defaults.
 */
if ( ! defined( 'CUSTOM_TAGS' ) ) {
    define( 'CUSTOM_TAGS', false );
}

Instead, you should use the wp_kses_allowed_html filter to modify which tags are allowed, using the context parameter to control when and where the adjusted tags are usable:

https://developer.wordpress.org/reference/hooks/wp_kses_allowed_html/

Just keep in mind that the list of tags is chosen to avoid allowing dangerous things into posts and comments. E.g. iframes or script tags. Changing these will have significant security consequences.

How is "kses" activated in this case? Is it the content of the blog?

kses functions are used everywhere in WordPress and play a pivotal role in security. E.g. wp_kses_post is used to strip out dangerous tags when saving a post, and wp_kses can strip out tags and attributes that don't fit a whitelist. wp_kses and its wrapper functions act as both pseudo-escaping and as sanitisation functions.

Never edit core files, and definitely do not make this change.

Looking at the source the problem doesn't seem related to PHP 8.1 at all. Something in a theme or plugin is causing $allowedentitynames to be null, which it should not be. See this trac ticket for a previous discussion with somebody who encountered this issue.
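
An added example, not part of the original answers or of WordPress core: a small must-use plugin that logs when a truthy CUSTOM_TAGS has left the kses globals undefined (the condition behind the in_array() TypeError in the question) and shows the wp_kses_allowed_html filter used instead. The file path, the log wording and the choice of the <time> tag are assumptions made for illustration.

```php
<?php
/**
 * Added example: hypothetical must-use plugin (assumed path:
 * wp-content/mu-plugins/kses-config-check.php). Not WordPress core code.
 */

// 1. Detect the misconfiguration behind the TypeError. When CUSTOM_TAGS is
//    truthy, kses.php skips building its default globals, so whoever defined
//    the constant must have supplied them as arrays.
add_action( 'plugins_loaded', function () {
	global $allowedposttags, $allowedtags, $allowedentitynames;

	if ( ! defined( 'CUSTOM_TAGS' ) || ! CUSTOM_TAGS ) {
		return; // Core defaults are in use; nothing to check.
	}

	$kses_globals = array(
		'allowedposttags'    => $allowedposttags,
		'allowedtags'        => $allowedtags,
		'allowedentitynames' => $allowedentitynames,
	);

	foreach ( $kses_globals as $name => $value ) {
		if ( ! is_array( $value ) ) {
			error_log( sprintf(
				'CUSTOM_TAGS is set but $%s is %s, not an array; kses entity handling may throw.',
				$name,
				gettype( $value )
			) );
		}
	}
} );

// 2. The supported alternative: leave CUSTOM_TAGS alone and adjust the
//    allow-list per context. The <time> tag is an illustrative choice.
add_filter( 'wp_kses_allowed_html', function ( $tags, $context ) {
	if ( 'post' !== $context ) {
		return $tags; // Comments and other contexts keep the stricter defaults.
	}

	$tags['time'] = array( 'datetime' => true );

	return $tags;
}, 10, 2 );
```

To find where the constant is set, search wp-config.php, plugins and themes for CUSTOM_TAGS rather than for allowedentitynames.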
