Make WordPress Core

Opened 2 years ago

Last modified 11 months ago

#37085 new defect (bug)

$allowedposttags doesn't allow form inputs

Reported by: wido
Owned by:
Milestone: Future Release
Priority: normal
Severity: normal
Version:
Component: Formatting
Keywords: needs-patch
Focuses:
Cc:

Description

The global $allowedposttags includes the following allowed tags:

  • form
  • label
  • legend
  • textarea

But not input, select, option and other input tags. So when I have a form within an HTML string and use the wp_kses_post function, I miss all of the form inputs.

Attachments (1)

unnamed.patch (2.6 KB) - added by wido 11 days ago.
Allow input, option, optgroup, select and more textarea attributes


Change History (5)

#1 @ocean90
2 years ago

  • Keywords needs-patch added
  • Milestone changed from Awaiting Review to Future Release
  • Version trunk deleted

#2 @wido
16 months ago

  • Keywords reporter-feedback added

I made this little function but need to do more research on all of the allowed attributes. Also, it seems the form tag is missing the 'novalidate' attribute, but I want to read the specs about it.

Update: fieldset in $allowedposttags has no attributes allowed, like id, class, form and name. I don't know right now about other attributes.

/**
 * Sanitize content for allowed HTML tags for post content, including form controls.
 *
 * Wraps wp_kses() with $allowedposttags extended by the input tag and by the
 * attributes that core's form and fieldset entries lack.
 *
 * @param string $data Post content to filter.
 *
 * @return string Filtered post content with allowed HTML tags and attributes intact.
 */
function kses_post($data)
{
    global $allowedposttags;

    // Start from core's post-content allowlist and add the input tag with its attributes.
    $tagsInputIncluded = array_merge($allowedposttags, [
        'input' => [
            'accept'       => true,
            'autocomplete' => true,
            'autofocus'    => true,
            'checked'      => true,
            'class'        => true,
            'disabled'     => true,
            'id'           => true,
            'height'       => true,
            'min'          => true,
            'max'          => true,
            'minlength'    => true,
            'maxlength'    => true,
            'name'         => true,
            'pattern'      => true,
            'placeholder'  => true,
            'readonly'     => true,
            'required'     => true,
            'size'         => true,
            'src'          => true,
            'step'         => true,
            'type'         => true,
            'value'        => true,
            'width'        => true,
        ],
    ]);

    // Form attributes: core's entry lacks novalidate.
    $tagsInputIncluded['form'] = array_merge($tagsInputIncluded['form'], ['novalidate' => true]);
    // Fieldset attributes: core's entry is an empty array, so allow the common global attributes.
    $tagsInputIncluded['fieldset'] = array_merge($tagsInputIncluded['fieldset'], [
        'id'    => true,
        'class' => true,
        'form'  => true,
        'name'  => true,
    ]);

    // wp_kses() drops every tag and attribute that is not in the allowlist it is given.
    return wp_kses($data, $tagsInputIncluded);
}
Last edited 16 months ago by wido
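A different way to get the same result, added here as an example and not code from the ticket or from WordPress core: instead of wrapping wp_kses() as in the function above, hook the wp_kses_allowed_html filter so that wp_kses_post() itself (the call the description says strips form inputs) accepts the form-control tags. It assumes a loaded WordPress environment; the function name example_allow_form_controls and the sample markup are made up for the illustration.

```php
<?php
/**
 * Added example (not part of the ticket or of WordPress core): extend the
 * 'post' KSES context with form-control tags via the wp_kses_allowed_html
 * filter. Assumes WordPress is loaded (add_filter, wp_kses_post exist).
 *
 * @param array  $tags    Allowed tags/attributes for the context.
 * @param string $context KSES context name ('post', 'strip', 'data', ...).
 * @return array
 */
function example_allow_form_controls( $tags, $context ) {
    // Only touch post content; every other KSES context stays as core defines it.
    if ( 'post' !== $context ) {
        return $tags;
    }

    // Attributes shared by the form controls below.
    $common = array(
        'class'    => true,
        'id'       => true,
        'name'     => true,
        'disabled' => true,
        'form'     => true,
    );

    $tags['input'] = array_merge( $common, array(
        'type'         => true,
        'value'        => true,
        'placeholder'  => true,
        'required'     => true,
        'readonly'     => true,
        'checked'      => true,
        'autocomplete' => true,
        'min'          => true,
        'max'          => true,
        'step'         => true,
        'pattern'      => true,
        'minlength'    => true,
        'maxlength'    => true,
        'size'         => true,
        // src (type="image") is URL-bearing; wp_kses() runs it through its
        // allowed-protocol check, so javascript: values are still rejected.
        'src'          => true,
    ) );

    $tags['select'] = array_merge( $common, array(
        'multiple' => true,
        'required' => true,
        'size'     => true,
    ) );

    $tags['optgroup'] = array(
        'label'    => true,
        'disabled' => true,
    );

    $tags['option'] = array(
        'value'    => true,
        'selected' => true,
        'disabled' => true,
        'label'    => true,
    );

    // Core lists fieldset with no attributes at all; give it the common ones.
    $existing         = isset( $tags['fieldset'] ) ? $tags['fieldset'] : array();
    $tags['fieldset'] = array_merge( $existing, $common );

    return $tags;
}
add_filter( 'wp_kses_allowed_html', 'example_allow_form_controls', 10, 2 );

// Constructed sample markup: a form with an input and a select, plus an
// event-handler attribute that must still be stripped.
$sample = '<form action="/subscribe" method="post">'
        . '<input type="email" name="email" required onfocus="alert(1)">'
        . '<select name="plan"><option value="free">Free</option></select>'
        . '<input type="submit" value="Go">'
        . '</form>';

// The input and select elements survive; onfocus is dropped because it is
// not in the allowlist for input.
echo wp_kses_post( $sample );
```

Scoping the change to the 'post' context keeps the other KSES contexts unchanged, and because the filter feeds the same allowlist that wp_kses_post() uses, every caller of that function (not only a custom wrapper) gets the extended tag set while still losing anything not explicitly listed.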

#4 @SergeyBiryukov
11 months ago

  • Keywords reporter-feedback removed

@wido
11 days ago

Allow input, option, optgroup, select and more textarea attributes
