KSES: Allow 'download' attribute for links

[SergeyBiryukov]

HTML5 introduced a ​download attribute for <a> tag. When a user with Author role tries to create a link with this attribute, it's stripped by KSES.

Before saving:

<a href="/images/w3logo.jpg" download="w3logo">w3logo</a>

After saving:

<a href="/images/w3logo.jpg">w3logo</a>

At the moment, allowed attributes for <a> are: href, rel, rev, name, and target.

download should be added as well.

[kalpshit]

I added download attribute in kese( allowed post tags)

[arshidkv12]

Added spacing

[chriscct7]

Will work on some unit tests for this, and then it'll be ready for merge.

[SergeyBiryukov]

When committing, props should also be given to @marina_wp for ​reporting the issue.

[welcher]

Adding unit test

[peterwilsoncc]

44724-50-branch.diff​ is identical to previous patch reformatted to apply cleanly to the 5.0 branch.

[pento]

👍🏻

[pento]

...not so fast. 😔

The download attribute doesn't work on cross-origin links (eg, any site that uses a CDN for hosting uploads). I don't know that we necessarily need to account for this, but it is something to consider.

It's also a risk to allow the download filename to be set: for example, an author could upload my_definitely_not_suspicious_file.txt, but then set the download attribute to be CLICK_ME.bat, which isn't great. If we do allow the download attribute, it should only be allowed with no value.

[pento]

We don't need to remove the download attribute entirely. If we just restrict it to being set (but not given a value), that removes the security issues.

For sites that use a CDN for hosting uploads, it's possible touse a file passthrough handler to add the Content-Disposition: attachment header, forcing the file to be a download.

This ticket doesn't need an update until ​GB#10693 is resolved, which will change the behaviour of the file block to match.

[pento]

In 43813:

KSES: Allow the download attribute on <a> tags.

To avoid this being a vector for bypassing the filetypes that are allowed to be uploaded, this attribute is only allowed to be added without a value.

Props kalpshit, arshidkv12, welcher, peterwilsoncc, marina_wp, pento.
See #44724.

[pento]

In 44156:

KSES: Allow the download attribute on <a> tags.

To avoid this being a vector for bypassing the filetypes that are allowed to be uploaded, this attribute is only allowed to be added without a value.

Merges [43813] from the 5.0 branch to trunk.

Props kalpshit, arshidkv12, welcher, peterwilsoncc, marina_wp, pento.
Fixes #44724.