#34178 closed feature request (wontfix)
Text Widget accept only inline style tag
| Reported by: | miguelmuller | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Widgets | Keywords: | |
| Focuses: | | Cc: | |
Description
Recently a user added a style tag inside of a text widget that changed the header of the site. That way he changed the style of an object that was unrelated to the widget. Here is the example:
<div class="textwidget"><style> header { background-image: url(IMAGE-URL)!important; background-repeat: no-repeat !important; } </style></div>
I suggest that the text widget accept only inline style tags, as in this example:
<div class="textwidget"> <h1 style="color:blue;margin-left:30px;">This is a heading.</h1> </div>
Change History (6)
#1 @ 9 years ago
- Milestone Awaiting Review deleted
- Resolution set to wontfix
- Status changed from new to closed
#2 @ 9 years ago
- Milestone set to Awaiting Review
- Resolution wontfix deleted
- Status changed from closed to reopened
Following a discussion in slack, reverting status changes above.
#3 @ 9 years ago
My suggestion is not to remove the styling, but to allow style only inline.
By allowing only inline style, only modifications within the widget's context would be allowed.
We know what happens in real life: sometimes you have to give your clients the admin role, even if they're not so technical.
#4 @ 9 years ago
- Milestone Awaiting Review deleted
- Resolution set to fixed
- Status changed from reopened to closed
<style> is one of the HTML tags allowed for a user with the unfiltered_html capability. I can imagine cases where site owners use the text widget specifically to insert internal stylesheets - however wise/unwise that may be. :)

One method to approach this would be extra sanitization via filter (see widget_text) in a plugin. There are likely others as well, including replacing the default text widget provided by WordPress with a more custom one. Adding extra sanitization to remove <style> by default is not something that we can do here.

Thank you for the report and the resulting conversation!
Welcome to trac!

The style tag is only permitted in the text widget for users with the unfiltered_html capability: editors and administrators by default on single site installs. A plugin can be added to remove the capability from editors.

I'll close this ticket for now, but you should feel free to open any bug reports or enhancement requests in future.
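A minimal plugin illustrating the widget_text filter approach suggested in comment #4, added here as an example; it is not part of the ticket or of WordPress core, and the function name is hypothetical. It strips <style> elements from the widget output at render time while leaving inline style="" attributes (the reporter's preferred form) untouched.

```php
<?php
/**
 * Plugin Name: Example: strip style elements from text widgets
 * Description: Removes <style> elements from text widget output while
 *              keeping inline style="" attributes (see Trac #34178).
 */

/**
 * Hypothetical filter callback (not WordPress core code).
 * Runs on the 'widget_text' filter, so it only affects what is rendered;
 * the stored widget content is left untouched.
 */
function example_strip_style_elements( $text ) {
	// Fast path: nothing to parse if no <style ...> opener is present.
	if ( false === stripos( $text, '<style' ) ) {
		return $text;
	}

	// Parse as a fragment inside a known wrapper so we can extract it again.
	// The XML encoding hint keeps non-ASCII text intact in DOMDocument.
	$dom  = new DOMDocument();
	$prev = libxml_use_internal_errors( true );
	$dom->loadHTML( '<?xml encoding="utf-8" ?><div id="example-root">' . $text . '</div>' );
	libxml_clear_errors();
	libxml_use_internal_errors( $prev );

	// Remove every <style> element, including any nested inside other tags.
	// Copy the live NodeList first; removing while iterating it skips nodes.
	$styles = iterator_to_array( $dom->getElementsByTagName( 'style' ) );
	foreach ( $styles as $node ) {
		$node->parentNode->removeChild( $node );
	}

	// Serialise only the wrapper's children, not the implied <html><body>.
	$xpath = new DOMXPath( $dom );
	$root  = $xpath->query( '//div[@id="example-root"]' )->item( 0 );
	$out   = '';
	foreach ( $root->childNodes as $child ) {
		$out .= $dom->saveHTML( $child );
	}
	return $out;
}
add_filter( 'widget_text', 'example_strip_style_elements' );
```

Fed the inner content of the ticket's first example (a lone <style> block), the callback returns an empty string, while the second example's <h1 style="..."> passes through unchanged via the fast path. Because this runs on output only, a user with unfiltered_html can still save a <style> block; the comment above about removing that capability from editors remains the stronger control.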