Opened 3 years ago
Closed 9 months ago
#46197 closed defect (bug) (fixed)
safecss_filter_attr remove styles with calc()
| Reported by: |
|
Owned by: |
|
|---|---|---|---|
| Milestone: | 5.8 | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Formatting | Keywords: | has-patch |
| Focuses: | Cc: |
Description
I have a shortcode inside a tag attribute:
<a style="color:#d0c900; width: calc([myshortcode]% *10*1 );">
Executing do_shortcode returns:
<a style="color:#d0c900;">
Debuging safecss_filter_attr I found that if the attribute contains a parentheses, the method ignores it. So using: calc( 100% - 20px ) is not allowed
Change History (8)
This ticket was mentioned in Slack in #core by soderlind. View the logs.
3 years ago
This ticket was mentioned in PR #1260 on WordPress/wordpress-develop by aristath.
9 months ago
- Keywords has-patch added
This patch allows using ( in CSS sanitized using the safecss_filter_attr function.
The original regex was created more than a decade ago, and back then we didn't have things like calc(), var() etc - so disallowing ( made sense. This is no longer the case.
Trac ticket: https://core.trac.wordpress.org/ticket/46197
This also fixes https://github.com/WordPress/gutenberg/pull/31740 in Gutenberg, as well as https://core.trac.wordpress.org/ticket/46498
There are quite a few valid things that would get removed. Gradients and filters and
varcan also have parentheses, not to mention data URIs orcontentvalues.But what is odd is that the $allowed_attr is filtered, and if empty, no other change is made to the $css. Only if it has something is the $css further manipulated. This seems backward.