Opened 6 years ago
Closed 6 years ago
#44724 closed enhancement (fixed)
KSES: Allow 'download' attribute for links
Reported by: | SergeyBiryukov | Owned by: | chriscct7 |
---|---|---|---|
Milestone: | 5.0 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Formatting | Keywords: | has-patch has-unit-tests fixed-5.0 |
Focuses: | | Cc: | |
Description
HTML5 introduced a `download` attribute for the `<a>` tag. When a user with Author role tries to create a link with this attribute, it's stripped by KSES.

Before saving:

`<a href="/images/w3logo.jpg" download="w3logo">w3logo</a>`

After saving:

`<a href="/images/w3logo.jpg">w3logo</a>`

At the moment, allowed attributes for `<a>` are: `href`, `rel`, `rev`, `name`, and `target`. `download` should be added as well.
Attachments (4)
Change History (19)
#3 (6 years ago)
- Focuses coding-standards removed
- Keywords needs-unit-tests added
- Type changed from defect (bug) to enhancement
#6 (6 years ago)
When committing, props should also be given to @marina_wp for reporting the issue.
#9 (6 years ago)
44724-50-branch.diff is identical to previous patch reformatted to apply cleanly to the 5.0 branch.
#11 (6 years ago)
- Keywords good-first-bug commit removed
...not so fast. 😔

The `download` attribute doesn't work on cross-origin links (e.g., any site that uses a CDN for hosting uploads). I don't know that we necessarily need to account for this, but it is something to consider.

It's also a risk to allow the download filename to be set: for example, an author could upload `my_definitely_not_suspicious_file.txt`, but then set the `download` attribute to be `CLICK_ME.bat`, which isn't great. If we do allow the `download` attribute, it should only be allowed with no value.
#12 (6 years ago)
We don't need to remove the `download` attribute entirely. If we just restrict it to being set (but not given a value), that removes the security issues.

For sites that use a CDN for hosting uploads, it's possible to use a file passthrough handler to add the `Content-Disposition: attachment` header, forcing the file to be a download.

This ticket doesn't need an update until GB#10693 is resolved, which will change the behaviour of the file block to match.
I added the `download` attribute in KSES (allowed post tags).
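To make the valueless-only rule from comments #11 and #12 concrete, here is an added example (my own Python model, not WordPress's KSES code): it keeps `download` on `<a>` only when the attribute is written without a value, so the description's `download="w3logo"` and #11's `download="CLICK_ME.bat"` are stripped while a bare `download` survives. The attribute table mirrors the `$allowedposttags` entry for `<a>` and the `valueless` rule name follows KSES's own convention; the tag and attribute parsing is a simplified stand-in and does no `href` protocol checking.

```python
import re
from html import escape

# Allowed attributes for <a>, modelled on KSES's $allowedposttags entry.
# True = any value accepted; {"valueless": "y"} = kept only when the attribute
# carries no value, so an author cannot choose the filename the browser saves.
ALLOWED_A_ATTRS = {
    "href": True, "rel": True, "rev": True, "name": True, "target": True,
    "download": {"valueless": "y"},
}

# Matches name="value", name='value', name=value, or a bare name.
ATTR_RE = re.compile(r'''([a-zA-Z][\w:-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?''')


def filter_a_attributes(attr_string, allowed=ALLOWED_A_ATTRS):
    """Return the attributes of one <a ...> tag that survive the allow-list."""
    kept = []
    for m in ATTR_RE.finditer(attr_string):
        name = m.group(1).lower()
        value = next((g for g in m.groups()[1:] if g is not None), None)
        rule = allowed.get(name)
        if rule is None:
            continue  # not on the allow-list (e.g. onclick): strip it
        if rule is True:
            kept.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        elif rule.get("valueless") == "y" and value is None:
            kept.append(name)  # bare `download` passes
        # download="anything" (even "") fails the valueless check and is dropped
    return " ".join(kept)


def kses_links(html):
    """Rewrite every <a ...> opening tag, keeping only allowed attributes."""
    def repl(m):
        attrs = filter_a_attributes(m.group(1))
        return "<a" + (" " + attrs if attrs else "") + ">"
    return re.sub(r"<a\b([^>]*)>", repl, html, flags=re.IGNORECASE)


if __name__ == "__main__":
    # Constructed inputs taken from the ticket description and comment #11.
    for sample in (
        '<a href="/images/w3logo.jpg" download="w3logo">w3logo</a>',
        '<a href="/images/w3logo.jpg" download>w3logo</a>',
        '<a href="/uploads/my_definitely_not_suspicious_file.txt" download="CLICK_ME.bat">file</a>',
    ):
        print(kses_links(sample))
```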