Make WordPress Core

Opened 8 years ago

Closed 5 years ago

Last modified 5 years ago

#37085 closed defect (bug) (invalid)

$allowedposttags doesn't allow form inputs

Reported by: wido
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Formatting
Keywords:
Focuses:
Cc:

Description

The global $allowedposttags includes the following allowed tags:

  • Form
  • Label
  • Legend
  • Textarea

But not input, select, option and other input tags.
So when I have a form within an HTML string and use the wp_kses_post function, I miss all of the form inputs.

Attachments (1)

unnamed.patch (2.6 KB) - added by wido 6 years ago.
Allow input, option, optgroup, select and more textarea attributes


Change History (7)

#1 @ocean90
8 years ago

  • Keywords needs-patch added
  • Milestone changed from Awaiting Review to Future Release
  • Version trunk deleted

#2 @wido
7 years ago

  • Keywords reporter-feedback added

I made this little function but need more research about all of the allowed attributes.
Also, it seems the form tag is missing the 'novalidate' attribute, but I want to read the specs about it.

Update:
Fieldset in $allowedposttags has no attributes allowed, like id, class, form and name. I don't know right now about other attributes.

/**
 * Sanitize content for allowed HTML tags for post content.
 *
 * @param string $data Post content to filter
 *
 * @return string Filtered post content with allowed HTML tags and attributes intact.
 */
function kses_post($data)
{
    global $allowedposttags;

    $tagsInputIncluded = array_merge($allowedposttags, [
        'input' => [
            'accept'       => true,
            'autocomplete' => true,
            'autofocus'    => true,
            'checked'      => true,
            'class'        => true,
            'disabled'     => true,
            'id'           => true,
            'height'       => true,
            'min'          => true,
            'max'          => true,
            'minlength'    => true,
            'maxlength'    => true,
            'name'         => true,
            'pattern'      => true,
            'placeholder'  => true,
            'readonly'     => true,
            'required'     => true,
            'size'         => true,
            'src'          => true,
            'step'         => true,
            'type'         => true,
            'value'        => true,
            'width'        => true,
        ],
    ]);

    // Form attributes.
    $tagsInputIncluded['form'] = array_merge($tagsInputIncluded['form'], ['novalidate' => true]);
    // Fieldset attributes.
    // WordPress has an empty array.
    $tagsInputIncluded['fieldset'] = array_merge($tagsInputIncluded['fieldset'], [
        'id'    => true,
        'class' => true,
        'form'  => true,
        'name'  => true,
    ]);

    return wp_kses($data, $tagsInputIncluded);
}

Last edited 7 years ago by wido
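
The separate per-tag merges for form and fieldset in the function above matter because array_merge() replaces a whole entry when a string key collides. The following is an added example, not part of the ticket or of WordPress core; it uses a constructed allowlist and a hypothetical helper named merge_allowed_tags():

```php
<?php
/**
 * Merge extra attributes into a kses-style allowlist one tag at a time.
 * Hypothetical helper for illustration; not a WordPress function.
 *
 * @param array $base  Existing allowlist (tag => [attribute => true]).
 * @param array $extra Tags and attributes to add.
 *
 * @return array Allowlist with the extra attributes added per tag.
 */
function merge_allowed_tags(array $base, array $extra): array
{
    foreach ($extra as $tag => $attributes) {
        // Keep the attributes the base list already allows for this tag
        // and add the new ones; a tag missing from the base starts empty.
        $base[$tag] = array_merge($base[$tag] ?? [], $attributes);
    }

    return $base;
}

// Constructed sample shaped like $allowedposttags (not the real core list).
$base = [
    'form'     => ['action' => true, 'method' => true],
    'fieldset' => [],
];
$extra = [
    'form'     => ['novalidate' => true],
    'fieldset' => ['id' => true, 'class' => true],
    'input'    => ['type' => true, 'name' => true],
];

// A top-level array_merge() replaces the whole 'form' entry, so 'action'
// and 'method' silently drop out of the allowlist.
$shallow = array_merge($base, $extra);
var_dump(isset($shallow['form']['action']));

// The per-tag merge keeps them and adds 'novalidate' alongside.
$merged = merge_allowed_tags($base, $extra);
var_dump(isset($merged['form']['action']), isset($merged['form']['novalidate']));
var_dump(array_keys($merged));
```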

#3 @wido
7 years ago

I'll add new attributes and tags here https://gist.github.com/widoz/2b0e7501fb4b86103e3e529339652952#file-ksespost-php

Update: After WordCamp Europe 2018, during the contributor day, I created a patch. Do not rely on the GitHub snippet.

Last edited 5 years ago by wido

#4 @SergeyBiryukov
7 years ago

  • Keywords reporter-feedback removed

@wido
6 years ago

Allow input, option, optgroup, select and more textarea attributes

#5 @wido
5 years ago

  • Keywords close added; needs-patch removed
  • Resolution set to invalid
  • Status changed from new to closed

I think this can be closed because since WordPress 5.0.1 form and input are no longer allowed tags.

#6 @desrosj
5 years ago

  • Keywords close removed
  • Milestone Future Release deleted