Make WordPress Core

Opened 4 years ago

Last modified 2 years ago

#37134 new enhancement

Allow filtering of safecss_filter_attr

Reported by: paulschreiber Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 4.6
Component: Formatting Keywords: kses has-patch
Focuses: Cc:
PR Number:


It would be helpful if sites could customize the allowed CSS. This would work around #24157 (which is 3+ years old).

In kses.php, we could solve this by filtering safecss_filter_attr. Diff attached.

Attachments (4)

37134.diff (443 bytes) - added by paulschreiber 4 years ago.
37134.2.diff (435 bytes) - added by paulschreiber 4 years ago.
37134.3.diff (779 bytes) - added by bartekcholewa 2 years ago.
safecss_filter_attr - filter to unallowed chars
37134.4.diff (1.0 KB) - added by miinasikk 7 months ago.
Update patch based on changes. Add CSS value as filter param.

Download all attachments as: .zip

Change History (14)

4 years ago

#1 @swissspidy
4 years ago

  • Component changed from General to Formatting
  • Keywords kses added

Filters with the same name as the function are usually inside that function, not wrapped around it.

#2 @rmccue
4 years ago

This seems already possible via the safe_style_css filter, which controls the allowed properties in the CSS. It would potentially be nice to have more granular control though, allowing only specific values for fields e.g.

#3 @paulschreiber
4 years ago

@rmccue The safe_style_css filter won't work in this case, because, as described in #24157 safecss_filter_attr rejects any CSS with parentheses. Meaning <p style="color: rgb(100,100,100,0.5)"> gets rejected even though the color attribute is already whitelisted (see safecss_filter_attr() in kses.php around line 1714).

#4 @rmccue
4 years ago

Got it, so this needs to be a short-circuit hook at the start of the function then; probably pre_safe_style_css for the name.

#5 @paulschreiber
4 years ago

Okay. I uploaded a new diff which uses pre_safe_style_css as the filter name.

#6 @paulschreiber
4 years ago

  • Keywords has-patch added

#7 @paulschreiber
4 years ago


#8 @paulschreiber
3 years ago

Can we include this in 4.7?

#9 @swissspidy
3 years ago

37134.2.diff would need inline docs as per the PHP Documentation Standards.

Edit: Also, the original $value should probably be passed to the filter as the second argument. Otherwise it seems a bit pointless.

Last edited 3 years ago by swissspidy (previous) (diff)

2 years ago

safecss_filter_attr - filter to unallowed chars

#10 @bartekcholewa
2 years ago

We could simply add filter to pattern in preg_match, i've added 36134.3.fdiff

7 months ago

Update patch based on changes. Add CSS value as filter param.

Note: See TracTickets for help on using tickets.