Make WordPress Core


Ignore:
Timestamp:
10/15/2018 05:21:04 AM (6 years ago)
Author:
peterwilsoncc
Message:

KSES: Allow HTML data-* attributes.

Add global support for HTML attributes prefixed data- for authors and contributors, as required by the new editor.

Props azaozz, peterwilsoncc.
Fixes #33121.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • branches/5.0/src/wp-includes/kses.php

    r42861 r43727  
    855855 *
    856856 * @since 4.2.3
     857 * @since 5.0.0 Add support for `data-*` wildcard attributes.
    857858 *
    858859 * @param string $name The attribute name. Returns empty string when not allowed.
     
    865866 */
    866867function wp_kses_attr_check( &$name, &$value, &$whole, $vless, $element, $allowed_html ) {
    867     $allowed_attr = $allowed_html[strtolower( $element )];
     868    $allowed_attr = $allowed_html[ strtolower( $element ) ];
    868869
    869870    $name_low = strtolower( $name );
     871
    870872    if ( ! isset( $allowed_attr[$name_low] ) || '' == $allowed_attr[$name_low] ) {
    871         $name = $value = $whole = '';
    872         return false;
     873        /*
     874         * Allow `data-*` attributes.
     875         *
     876         * When specifying `$allowed_html`, the attribute name should be set as
     877         * `data-*` (not to be mixed with the HTML 4.0 `data` attribute, see
     878         * https://www.w3.org/TR/html40/struct/objects.html#adef-data).
     879         *
     880         * Note: the attribute name should only contain `A-Za-z0-9_-` chars,
     881         * double hyphens `--` are not accepted by WordPress.
     882         */
     883        if ( strpos( $name_low, 'data-' ) === 0 && ! empty( $allowed_attr['data-*'] ) && preg_match( '/^data(?:-[a-z0-9_]+)+$/', $name_low, $match ) ) {
     884            /*
     885             * Add the whole attribute name to the allowed attributes and set any restrictions
     886             * for the `data-*` attribute values for the current element.
     887             */
     888            $allowed_attr[ $match[0] ] = $allowed_attr['data-*'];
     889        } else {
     890            $name = $value = $whole = '';
     891            return false;
     892        }
    873893    }
    874894
     
    885905    }
    886906
    887     if ( is_array( $allowed_attr[$name_low] ) ) {
     907    if ( is_array( $allowed_attr[ $name_low ] ) ) {
    888908        // there are some checks
    889909        foreach ( $allowed_attr[$name_low] as $currkey => $currval ) {
     
    18091829 *
    18101830 * @since 3.5.0
     1831 * @since 5.0.0 Add support for `data-*` wildcard attributes.
    18111832 * @access private
    18121833 *
     
    18211842        'title' => true,
    18221843        'role' => true,
     1844        'data-*' => true,
    18231845    );
    18241846
Note: See TracChangeset for help on using the changeset viewer.