Opened 3 years ago

Closed 20 months ago

Last modified 20 months ago

#17977 closed enhancement (fixed)

Allow rel attributes on links in KSES

Reported by: joostdevalk
Owned by: joostdevalk
Milestone: 3.5
Priority: normal
Severity: normal
Version: 3.2
Component: Formatting
Keywords: has-patch dev-feedback 3.4-early

Description

Due to the recent Google changes, authors will be wanting to add rel="me" to the links in their author descriptions on blogs they write on. Currently though, rel="me" (and every other rel) is stripped out because it's not an allowed attribute.

I propose we allow it, there seems to be no harm in allowing it and it would help people out. Patch attached.

Attachments (1)

kses-patch.diff (358 bytes) - added by joostdevalk 3 years ago.
Patch of KSES filter to allow rel attribute on links.


Change History (19)

joostdevalk 3 years ago

Patch of KSES filter to allow rel attribute on links.

comment:1 nacin 3 years ago

  • Milestone changed from Awaiting Review to 3.3

Good to me as long as there are no security issues.

comment:2 hakre 3 years ago

+1 from me. If href and title are allowed, I can't imagine why rel should be worse.

comment:3 joostdevalk 3 years ago

Ugh, just thought of an issue. The way this patch is done right now, you'd probably also be able to add rel="me" and rel="author" etc. in a link in the comments which is unwanted behavior I suppose.

comment:4 nacin 3 years ago

We could add it to allowedposttags only.

comment:5 in reply to: ↑ 4 joostdevalk 3 years ago

Replying to nacin:

> We could add it to allowedposttags only.

It's already allowed there, I'd like it allowed in author bios...

comment:6 nacin 3 years ago

This whole thing is a mess thanks to how ancient the kses library is and how the globals and constants were implemented there.

Something like this should work as a one-off:

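// Swap the default kses filter on the author bio for one that also permits rel on <a>.
remove_filter( 'pre_user_description', 'wp_filter_kses' );
add_filter( 'pre_user_description', 'wp_filter_pre_user_description' );
function wp_filter_pre_user_description( $data ) {
	// Work on a copy of the global allowlist so other contexts (comments) are unchanged.
	$allowedtags = $GLOBALS['allowedtags'];
	if ( isset( $allowedtags['a'] ) )
		$allowedtags['a']['rel'] = array(); // empty array: attribute allowed, no value checks
	// Data arrives slashed on this filter: unslash for kses, then re-slash.
	return addslashes( wp_kses( stripslashes( $data ), $allowedtags ) );
}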

comment:7 joostdevalk 3 years ago

Ugh that is ugly. Any way we can fix that in a less ugly way? If it involves rewriting kses, I'm up for that with some help :)

comment:8 jane 3 years ago

  • Keywords 3.4-early added
  • Milestone changed from 3.3 to Future Release

At this point we're past freeze, and are switching over to "bugs only" mode. Punting and marking for 3.4-early. If you guys figure out what to do about kses etc., this ticket can be one of the first things in 3.4.

comment:11 navjotjsingh 21 months ago

  • Cc navjotjsingh@… added

comment:13 ryan 20 months ago

  • Milestone changed from Future Release to 3.5

comment:14 ryan 20 months ago

  • Resolution set to fixed
  • Status changed from new to closed

In [21790]:

  • Introduce wp_kses_allowed_html() which accepts a context string and returns an array of allowed tags.
  • Remove explicit declarations of class, id, style, and title from $allowedposttags
  • Dynamically add global attributes to every tag for the 'post' context
  • No longer calls wp_kses_array_lc() every time wp_kses() runs. Instead it runs once if CUSTOM_TAGS is true. Plugins directly passing a custom allowed_html array will no longer get the lc treatment. Keep an eye out for problems with this.
  • wp_kses_data() and wp_filter_kses() pass current_filter() for the $allowed_html argument to wp_kses().
  • wp_kses_allowed_html() handles being passed a filter name for a context. If the filter is not a recognized one it defaults to using $allowedtags as was done before for wp_kses_data() and wp_filter_kses().
  • wp_kses_allowed_html() recognizes user_description and pre_user_description out of the box. For these it takes $allowedtags and inserts rel attribute support.
  • wp_kses_allowed_html() allows plugins to override the return values for the default contexts and support arbitrary contexts via a wp_kses_allowed_html filter.
  • wp_kses_hook() can now pass a string context for $allowed_html to the pre_kses filter. We might have to pass the result of wp_kses_allowed_html() instead if it turns out that plugins are digging in $allowed_html.

fixes #17977
see #20210
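
The context-based allowlist described in the changeset above, shown as an added example that is not part of the ticket or of [21790]: it uses the wp_kses_allowed_html filter to permit rel in one custom context and checks that comment contexts stay unaffected. It assumes WordPress 3.5 or later is loaded (for instance as a must-use plugin); the context name my_author_box and the example_* function names are hypothetical.

```php
<?php
// Added example, not WordPress core code. Assumes WordPress 3.5+ is loaded.
// 'my_author_box' and every example_* name are hypothetical.

// Extend the allowlist for one custom context only. For an unrecognized context
// string, wp_kses_allowed_html() passes $allowedtags (the restrictive comment-level
// set) to this filter, so rel is added on top of that set and nothing else changes.
add_filter( 'wp_kses_allowed_html', 'example_author_box_allowed_html', 10, 2 );
function example_author_box_allowed_html( $tags, $context ) {
	if ( 'my_author_box' !== $context ) {
		return $tags; // leave comments, posts and every other context untouched
	}
	if ( isset( $tags['a'] ) ) {
		$tags['a']['rel'] = array(); // attribute allowed, no value constraints
	}
	return $tags;
}

// Regression check: is rel on <a> permitted in the given context?
function example_rel_allowed_in( $context ) {
	$allowed = wp_kses_allowed_html( $context );
	return isset( $allowed['a']['rel'] );
}

// Run the same markup through several contexts to compare what survives.
function example_compare_contexts( $html ) {
	$out = array();
	foreach ( array( 'pre_comment_content', 'user_description', 'my_author_box' ) as $context ) {
		// Since 3.5 wp_kses() accepts a context string in place of an allowed_html array.
		$out[ $context ] = wp_kses( $html, $context );
	}
	return $out;
}

// Constructed sample input: a profile link with rel plus an event handler,
// which is not on any of these allowlists.
$sample = '<a href="https://example.org/" rel="me" onclick="x()">profile</a>';

foreach ( example_compare_contexts( $sample ) as $context => $clean ) {
	printf( "%-20s rel allowed: %-3s  %s\n", $context,
		example_rel_allowed_in( $context ) ? 'yes' : 'no', $clean );
}
```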

comment:15 nacin 20 months ago

In [21795]:

Remove kses allowedtags that were commented out long ago. see #17977.

comment:16 nacin 20 months ago

In [21796]:

Recommend the wp_kses_allowed_html filter over CUSTOM_TAGS. Soft deprecate CUSTOM_TAGS. see #17977, #20210.

comment:17 nacin 20 months ago

[21790] is a work of art. <3

comment:18 technosailor 20 months ago

Maybe include support for data-* attributes to be HTML5 ready?
