#30409 closed defect (bug) (fixed)
Twenty Fifteen: HTML characters in the color scheme CSS are escaped.
Reported by: | iamtakashi | Owned by: | iandstewart |
---|---|---|---|
Milestone: | 4.1 | Priority: | normal |
Severity: | blocker | Version: | 4.1 |
Component: | Bundled Theme | Keywords: | has-patch commit |
Focuses: | Cc: |
Attachments (9)
Change History (31)
#1
@
10 years ago
- Milestone changed from Awaiting Review to 4.1
- Severity changed from normal to blocker
This ticket was mentioned in Slack in #core-themes by iamtakashi. View the logs.
10 years ago
#4
@
10 years ago
- Owner set to iandstewart
- Resolution set to fixed
- Status changed from new to closed
In 30398:
#5
follow-up:
↓ 6
@
10 years ago
esc_html() is not a sanitization function. Please never do what [30398] un-did. :-)
#6
in reply to:
↑ 5
@
10 years ago
Replying to nacin:
esc_html() is not a sanitization function. Please never do what [30398] un-did. :-)
Do we need to use something else? CSS shouldn't need escaping though is this good idea to use wp_filter_nohtml_kses
? I'm asking this because a theme check reports the setting missing a sanitisation.
#7
@
10 years ago
- Resolution fixed deleted
- Status changed from closed to reopened
Core doesn't have sanitize_css
so ...
@nacin I know you added a smiley but "Please never do" isn't helpful without an alternative suggestion.
This ticket was mentioned in Slack in #core-themes by lancewillett. View the logs.
10 years ago
#9
@
10 years ago
Discussing today in Slack, next step is to work with 30409.patch approach — remove the theme_mod
and instead generate the CSS from a shared JS/PHP template. See also notes at https://core.trac.wordpress.org/ticket/29988#comment:18
#10
@
10 years ago
https://core.trac.wordpress.org/attachment/ticket/30409/30409.2.diff is what I'm thinking -- store the css in a function that can interpolate either JS tokens for wp.template
to use, or colors, for outputting directly to the front-end.
#11
@
10 years ago
- Keywords needs-testing added
30409.4.diff and 30409.5.diff are based on 30409.2.diff.
In .4 the CSS generation is still done in the control and then send to the Previewer. Sending an event to the preview is easy (see #27666/[29048]), capturing the event not because the preview is still private. The patch will change this, otherwise we have to do something like trunk/src/wp-includes/js/customize-preview-widgets.js@29051#L107.
In .5 I moved the CSS generation to the preview. Since the script depends on Iris we have to move Iris out of is_admin()
.
#12
@
10 years ago
Just uploaded 30409.4.1.diff and 30409.5.1.diff -- based off the prior respective patches, they just move the derivative color logic into the twentyfifteen_get_color_scheme_css
function, so only the six color scheme colors need to be passed in, rather than calculating before passing. If they are passed, though, it will override any internal calculations.
Had a light discussion with @ocean90 in slack here as to this relocation of the calculations: https://wordpress.slack.com/archives/core-themes/p1418478625000200
This ticket was mentioned in Slack in #core by johnbillion. View the logs.
10 years ago
This ticket was mentioned in Slack in #core-themes by lancewillett. View the logs.
10 years ago
#15
@
10 years ago
Should we use sanitize_hex_color
on the hex values that aren't the rdba values?
Testing 30409.4.1.diff passes, color schemes save and correct CSS is served inline as expected.
@
10 years ago
iamtakashi: sidebar_textcolor should be 100% -
$color_scheme[4] and
secondary_sidebar_textcolor` should be the one with 70%.
#16
@
10 years ago
OK, let's get the latest patch in. Exception:
- The change to src/wp-includes/js/customize-preview.js should be done in its own commit, preferably its own quick ticket.
Things I still don't like, and would consider adjustments to:
- The editable colors being 0, 1, and 4, rather than 0, 1, and 2. This is far too magical and I have no idea what it means.
- Using numeric arrays for color definitions when it's really important for others to understand what is what, but associative arrays internally when it doesn't matter as much.
- Lots of really complicated stuff in a default theme. Lots of opportunities to simplify.
And while I am here, things that are definitely fixable:
- Far, far too much unnecessary use of esc_html(), especially on translated strings.
- Lots of things are pluggable that shouldn't be.
Remove Sanitization Callback from Color Scheme CSS setting.