Opened 6 weeks ago

Last modified 7 hours ago

#44044 new defect (bug)

$allowed_tags and $allowed_protocols in wp_privacy_generate_personal_data_export_group_html not filterable.

Reported by: TZ Media
Owned by:
Milestone: 4.9.8
Priority: normal
Severity: normal
Version: 4.9.6
Component: Privacy
Keywords: gdpr has-patch needs-testing
Focuses:
Cc:

Description

In order to allow other tags (e.g. <img>) and other protocols in the generated output html file, the $allowed_tags and $allowed_protocols variables in the function wp_privacy_generate_personal_data_export_group_html() should be filterable.

Attachments (2)

44044.patch (1.5 KB) - added by TZ Media 6 weeks ago.
44044.diff (771 bytes) - added by desrosj 7 hours ago.


Change History (9)

@TZ Media
6 weeks ago

#1 @TZ Media
6 weeks ago

  • Keywords has-patch needs-testing added; needs-patch removed

I couldn't figure out how to document the parameters for the filter hook wp_privacy_personal_data_export_allowed_tags. This needs to be added.

This ticket was mentioned in Slack in #gdpr-compliance by tz-media.


6 weeks ago

#3 @desrosj
6 weeks ago

  • Milestone changed from Awaiting Review to 4.9.7

#4 @desrosj
5 weeks ago

  • Component changed from General to Privacy

Moving to the new Privacy component.

#5 @desrosj
5 weeks ago

  • Version set to 4.9.6

Marking privacy bugs as introduced in 4.9.6.

#6 @desrosj
5 weeks ago

  • Milestone changed from 4.9.7 to 4.9.8

Moving all tickets in 4.9.7 to 4.9.8.

#7 @desrosj
7 hours ago

@TZ Media good catch on this. I am wondering if massaging this to use wp_kses_allowed_html() and wp_allowed_protocols() is a better approach than introducing two new filters.

I think the $allowedtags list in wp_kses_allowed_html() is a pretty basic list we may be able to utilize. Allowing basic formatting tags could potentially open the door for plugins to style the export files, and these tags could indicate important structural aspects of the data (acronym, cite, or abbr, for example) and may be better left in the export.

Incoming patch with this approach for thoughts and testing.

@desrosj
7 hours ago
