Changeset 43981 for trunk/src/wp-includes/kses.php

Timestamp:

12/12/2018 02:38:14 AM (7 years ago)

Author:

jeremyfelt

Message:

KSES: Allow HTML data-* attributes.

Add global support for HTML attributes prefixed data- for authors and contributors, as required by the new editor.

Merges [43727] to trunk.

Props azaozz, peterwilsoncc.
Fixes #33121.

Location:

trunk

Files:

• . (modified) (1 prop)
• src/wp-includes/kses.php (modified) (4 diffs)

trunk/src/wp-includes/kses.php

@@ -1077 +1077 @@
  *
  * @since 4.2.3
+ * @since 5.0.0 Add support for `data-*` wildcard attributes.
  *
  * @param string $name         The attribute name. Passed by reference. Returns empty string when not allowed.
@@ -1091 +1092 @@
     $name_low = strtolower( $name );
     if ( ! isset( $allowed_attr[ $name_low ] ) || '' == $allowed_attr[ $name_low ] ) {
-        $name = $value = $whole = '';
-        return false;
+        /*
+         * Allow `data-*` attributes.
+         *
+         * When specifying `$allowed_html`, the attribute name should be set as
+         * `data-*` (not to be mixed with the HTML 4.0 `data` attribute, see
+         * https://www.w3.org/TR/html40/struct/objects.html#adef-data).
+         *
+         * Note: the attribute name should only contain `A-Za-z0-9_-` chars,
+         * double hyphens `--` are not accepted by WordPress.
+         */
+        if ( strpos( $name_low, 'data-' ) === 0 && ! empty( $allowed_attr['data-*'] ) && preg_match( '/^data(?:-[a-z0-9_]+)+$/', $name_low, $match ) ) {
+            /*
+             * Add the whole attribute name to the allowed attributes and set any restrictions
+             * for the `data-*` attribute values for the current element.
+             */
+            $allowed_attr[ $match[0] ] = $allowed_attr['data-*'];
+        } else {
+            $name = $value = $whole = '';
+            return false;
+        }
     }
 
@@ -2092 +2111 @@
  *
  * @since 3.5.0
+ * @since 5.0.0 Add support for `data-*` wildcard attributes.
  * @access private
  * @ignore
@@ -2100 +2120 @@
 function _wp_add_global_attributes( $value ) {
     $global_attributes = array(
-        'class' => true,
-        'id'    => true,
-        'style' => true,
-        'title' => true,
-        'role'  => true,
+        'class'  => true,
+        'id'     => true,
+        'style'  => true,
+        'title'  => true,
+        'role'   => true,
+        'data-*' => true,
     );