Make WordPress Core

Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#34178 closed feature request (wontfix)

Text Widget accept only inline style tag

Reported by: miguelmuller
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Widgets
Keywords:
Focuses:
Cc:

Description

Recently a user added a style tag inside a text widget that changed the header of the site. That way he changed the style of an object that was unrelated to the widget. Here is the example:

<div class="textwidget"><style>
header {
    background-image: url(IMAGE-URL)!important;
    background-repeat: no-repeat !important;
}
</style></div>

I suggest that the text widget accept only inline style tags, as in the example:

<div class="textwidget">
    <h1 style="color:blue;margin-left:30px;">This is a heading.</h1>
</div>

Change History (6)

#1 @peterwilsoncc
5 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Welcome to trac!

The style tag is only permitted in the text widget for users with the unfiltered_html capability: editors and administrators by default on single site installs.

A plugin can be added to remove the capability from editors.

I'll close this ticket for now, but you should feel free to open any bug reports or enhancement requests in future.

#2 @peterwilsoncc
5 years ago

  • Milestone set to Awaiting Review
  • Resolution wontfix deleted
  • Status changed from closed to reopened

Following a discussion in slack, reverting status changes above.

#3 @miguelmuller
5 years ago

My suggestion is not to remove the styling, but to allow only inline styles.
By allowing only inline styles, only modifications within the widget's context would be allowed.

We know what happens in real life, sometimes you have to give your clients the admin role, even if they're not so technical.

#4 @jeremyfelt
5 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to fixed
  • Status changed from reopened to closed

<style> is one of the HTML tags allowed for a user with the unfiltered_html capability. I can imagine cases where site owners use the text widget specifically to insert internal stylesheets - however wise/unwise that may be. :)

One method to approach this would be extra sanitization via filter (see widget_text) in a plugin. There are likely others as well, including replacing the default text widget provided by WordPress with a more custom one. Adding extra sanitization to remove <style> by default is not something that we can do here.

Thank you for the report and the resulting conversation!

Last edited 5 years ago by jeremyfelt
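The two mitigation routes the thread names, extra sanitization on the widget_text filter (comment #4) and removing unfiltered_html from editors (comment #1), sketched as a small plugin. This is an added example, not code from the ticket or from WordPress core; the plugin name and the twsg_ function names are hypothetical, and the capability part assumes a single-site install.

```php
<?php
/**
 * Plugin Name: Text Widget Style Guard (hypothetical example plugin)
 * Description: Drops <style> elements from text widget output and removes the
 *              unfiltered_html capability from non-administrators.
 */

// Route 1 (comment #4): extra sanitization on the widget_text filter.
// widget_text runs at render time, so this changes what visitors see but does
// not rewrite the saved widget content; the <style> block still sits in the
// widget's stored text and is visible in the admin editor.
function twsg_strip_style_elements( $text ) {
	// Remove <style>...</style> blocks including their CSS, case-insensitively.
	$text = preg_replace( '#<style\b[^>]*>.*?</style>#is', '', $text );

	// wp_kses_post() then strips any stray <style> tag that survived (for
	// example an unclosed one) while keeping inline style="" attributes, which
	// the 'post' profile allows and passes through safecss_filter_attr().
	return wp_kses_post( $text );
}
add_filter( 'widget_text', 'twsg_strip_style_elements' );

// Route 2 (comment #1): take unfiltered_html away from everyone except
// administrators. Without the capability, WP_Widget_Text::update() runs the
// submitted text through wp_kses_post() at save time, so <style> never reaches
// the database in the first place. Assumes a single-site install, where
// editors and administrators hold the capability by default.
function twsg_drop_unfiltered_html( $allcaps, $caps, $args, $user ) {
	if ( ! in_array( 'administrator', (array) $user->roles, true ) ) {
		unset( $allcaps['unfiltered_html'] );
	}
	return $allcaps;
}
add_filter( 'user_has_cap', 'twsg_drop_unfiltered_html', 10, 4 );
```

Route 1 only affects output; content saved earlier by a user who had unfiltered_html stays in the database until someone edits the widget under the tightened capability.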

#5 @jeremyfelt
5 years ago

  • Resolution changed from fixed to wontfix

This ticket was mentioned in Slack in #core by miguelsmuller.
5 years ago
