Make WordPress Core

Opened 10 years ago

Closed 10 years ago

Last modified 5 years ago

#29826 closed defect (bug) (fixed)

subtitles added to media are stripped for anyone without unfiltered_html capability

Reported by: jwenerd's profile jwenerd Owned by: wonderboymusic's profile wonderboymusic
Milestone: 4.1 Priority: normal
Severity: normal Version: 4.0
Component: Media Keywords: commit
Focuses: Cc:

Description

If you are an author (or an editor or administrator on multisite) you are able to insert a video, add a subtitle track which inserts the track element within the video shortcode. Then when saving the post the track is removed due to it not being in the list of allowed post tags.

Attachments (2)

29826.patch (404 bytes) - added by jwenerd 10 years ago.
Patch that adds track and permissible attributes to allowed tags
29826.diff (1.2 KB) - added by wonderboymusic 10 years ago.

Download all attachments as: .zip

Change History (9)

@jwenerd
10 years ago

Patch that adds track and permissible attributes to allowed tags

#1 @SergeyBiryukov
10 years ago

  • Component changed from General to Media
  • Milestone changed from Awaiting Review to 4.1

#2 follow-up: @wonderboymusic
10 years ago

  • Keywords dev-feedback added

should we allow <audio> and <video> in the list as well? <track> is a sub-element of them, so probably? someone with knowledge of this KSES file weigh in?

#3 @DrewAPicture
10 years ago

  • Summary changed from subtitles added to media are striped for anyone without unfiltered_html capability to subtitles added to media are stripped for anyone without unfiltered_html capability

#4 in reply to: ↑ 2 @westi
10 years ago

Replying to wonderboymusic:

should we allow <audio> and <video> in the list as well? <track> is a sub-element of them, so probably? someone with knowledge of this KSES file weigh in?

That makes sense to me, we need to try and keep the file consistent by adding support for tags in there groupings rather than individual tags alone.

#5 @westi
10 years ago

  • Keywords commit added; dev-feedback removed

@wonderboymusic the patch looks good (although a little bit of me dies when I see autoplay=true ;))

#6 @wonderboymusic
10 years ago

  • Owner set to wonderboymusic
  • Resolution set to fixed
  • Status changed from new to closed

In 30064:

Add audio, video, and track to $allowedposttags (KSES).

Props jwenerd, wonderboymusic.
Fixes #29826.

#7 @peterwilsoncc
5 years ago

In 47837:

KSES: Support the video element's playsinline attribute.

Allow users without the unfiltered_html capability to use the playsinline attribute when embedding videos.

Additionally this adds unit tests for passing the video element through kses.

Fixes #50167. See #29826.

Note: See TracTickets for help on using tickets.