Make WordPress Core

Opened 13 years ago

Closed 12 years ago

Last modified 10 years ago

#17977 closed enhancement (fixed)

Allow rel attributes on links in KSES

Reported by: joostdevalk
Owned by: joostdevalk
Milestone: 3.5
Priority: normal
Severity: normal
Version: 3.2
Component: Formatting
Keywords: has-patch dev-feedback 3.4-early


Due to the recent Google changes, authors will be wanting to add rel="me" to the links in their author descriptions on blogs they write on. Currently though, rel="me" (and every other rel) is stripped out because it's not an allowed attribute.

I propose we allow it; there seems to be no harm in allowing it and it would help people out. Patch attached.

Attachments (1)

kses-patch.diff (358 bytes) - added by joostdevalk 13 years ago.
Patch of KSES filter to allow rel attribute on links.


Change History (21)

13 years ago

Patch of KSES filter to allow rel attribute on links.

#1 @nacin
13 years ago

  • Milestone changed from Awaiting Review to 3.3

Good to me as long as there are no security issues.

#2 @hakre
13 years ago

+1 from me. If href and title are allowed, can't imagine why rel should be worse.

#3 @joostdevalk
13 years ago

Ugh, just thought of an issue. The way this patch is done right now, you'd probably also be able to add rel="me" and rel="author" etc. in a link in the comments which is unwanted behavior I suppose.

#4 follow-up: @nacin
13 years ago

We could add it to allowedposttags only.

#5 in reply to: ↑ 4 @joostdevalk
13 years ago

Replying to nacin:

> We could add it to allowedposttags only.

It's already allowed there, I'd like it allowed in author bios...

#6 @nacin
13 years ago

This whole thing is a mess thanks to how ancient the kses library is and how the globals and constants were implemented there.

Something like this should work as a one-off:

// Swap the generic kses filter on author bios for one that also allows rel on links.
remove_filter( 'pre_user_description', 'wp_filter_kses' );
add_filter( 'pre_user_description', 'wp_filter_pre_user_description' );
function wp_filter_pre_user_description( $data ) {
	// Work on a copy so the global $allowedtags used for comments is unchanged.
	$allowedtags = $GLOBALS['allowedtags'];
	if ( isset( $allowedtags['a'] ) )
		$allowedtags['a']['rel'] = array();
	return addslashes( wp_kses( stripslashes( $data ), $allowedtags ) );
}

#7 @joostdevalk
13 years ago

Ugh that is ugly. Any way we can fix that in a less ugly way? If it involves rewriting kses, I'm up for that with some help :)

#8 @jane
13 years ago

  • Keywords 3.4-early added
  • Milestone changed from 3.3 to Future Release

At this point we're past freeze, and are switching over to "bugs only" mode. Punting and marking for 3.4-early. If you guys figure out what to do about kses etc., this ticket can be one of the first things in 3.4.

#11 @navjotjsingh
12 years ago

  • Cc navjotjsingh@… added

#13 @ryan
12 years ago

  • Milestone changed from Future Release to 3.5

#14 @ryan
12 years ago

  • Resolution set to fixed
  • Status changed from new to closed

In [21790]:

  • Introduce wp_kses_allowed_html() which accepts a context string and returns an array of allowed tags.
  • Remove explicit declarations of class, id, style, and title from $allowedposttags
  • Dynamically add global attributes to every tag for the 'post' context
  • No longer calls wp_kses_array_lc() every time wp_kses() runs. Instead it runs once if CUSTOM_TAGS is true. Plugins directly passing a custom allowed_html array will no longer get the lc treatment. Keep an eye out for problems with this.
  • wp_kses_data() and wp_filter_kses() pass current_filter() for the $allowed_html argument to wp_kses().
  • wp_kses_allowed_html() handles being passed a filter name for a context. If the filter is not a recognized one it defaults to using $allowedtags as was done before for wp_kses_data() and wp_filter_kses().
  • wp_kses_allowed_html() recognizes user_description and pre_user_description out of the box. For these it takes $allowedtags and inserts rel attribute support.
  • wp_kses_allowed_html() allows plugins to override the return values for the default contexts and support arbitrary contexts via a wp_kses_allowed_html filter.
  • wp_kses_hook() can now pass a string context for $allowed_html to the pre_kses filter. We might have to pass the result of wp_kses_allowed_html() instead if it turns out that plugins are digging in $allowed_html.

fixes #17977
see #20210
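
The per-context allow-lists that [21790] describes, shown as an added example that is not part of the changeset or of this ticket. It assumes WordPress 3.5 or later is loaded; the `myplugin_profile_note` context and the `myplugin_*` functions are hypothetical names.

```php
<?php
// Added example, not code from changeset [21790]. Assumes WordPress 3.5+ is
// loaded (for instance as a must-use plugin). The 'myplugin_profile_note'
// context and every myplugin_* function are hypothetical names.

// Widen the allow-list for one custom context only.
add_filter( 'wp_kses_allowed_html', 'myplugin_allow_rel', 10, 2 );
function myplugin_allow_rel( $tags, $context ) {
	if ( 'myplugin_profile_note' !== $context ) {
		return $tags; // Comment and other contexts stay as core defines them.
	}
	// An unrecognized context arrives here carrying $allowedtags.
	if ( isset( $tags['a'] ) ) {
		$tags['a']['rel'] = array(); // Allowed, with no value checks.
	}
	return $tags;
}

// Audit helper: which contexts accept rel on <a> once all filters are registered?
function myplugin_contexts_allowing_rel( array $contexts ) {
	$allowing = array();
	foreach ( $contexts as $context ) {
		$tags = wp_kses_allowed_html( $context );
		if ( isset( $tags['a']['rel'] ) ) {
			$allowing[] = $context;
		}
	}
	return $allowing;
}

// Sanitize one sample under each context so the results can be compared.
function myplugin_compare_contexts( $html, array $contexts ) {
	$out = array();
	foreach ( $contexts as $context ) {
		$out[ $context ] = wp_kses( $html, $context );
	}
	return $out;
}

add_action( 'wp_loaded', 'myplugin_log_rel_audit' );
function myplugin_log_rel_audit() {
	if ( ! defined( 'WP_DEBUG' ) || ! WP_DEBUG ) {
		return;
	}
	$contexts = array( 'pre_comment_content', 'pre_user_description', 'myplugin_profile_note' );
	$sample   = '<a href="https://example.org/" rel="me" onclick="x()">me</a>'; // Constructed input.
	error_log( 'rel allowed in: ' . implode( ', ', myplugin_contexts_allowing_rel( $contexts ) ) );
	error_log( print_r( myplugin_compare_contexts( $sample, $contexts ), true ) );
}
```

With only core's defaults and this file active, the audit should list `pre_user_description` and `myplugin_profile_note` but not `pre_comment_content`; a comment context appearing in that list means some other filter has widened it.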

#15 @nacin
12 years ago

In [21795]:

Remove kses allowedtags that were commented out long ago. see #17977.

#16 @nacin
12 years ago

In [21796]:

Recommend the wp_kses_allowed_html filter over CUSTOM_TAGS. Soft deprecate CUSTOM_TAGS. see #17977, #20210.

#17 @nacin
12 years ago

[21790] is a work of art. <3

#18 @technosailor
12 years ago

Maybe include support for data-* attributes to be HTML5 ready?

#19 @chriscct7
10 years ago

#11268 was marked as a duplicate.

#20 @DrewAPicture
10 years ago

#11268 was marked as a duplicate.
