Opened 2 years ago
Last modified 22 months ago
#46197 new defect (bug)
safecss_filter_attr remove styles with calc()
Reported by: |
|
Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | |
Component: | Formatting | Keywords: | |
Focuses: | Cc: |
Description
I have a shortcode inside a tag attribute:
<a style="color:#d0c900; width: calc([myshortcode]% *10*1 );">
Executing do_shortcode
returns:
<a style="color:#d0c900;">
Debuging safecss_filter_attr
I found that if the attribute contains a parentheses, the method ignores it. So using: calc( 100% - 20px )
is not allowed
Change History (4)
Note: See
TracTickets for help on using
tickets.
There are quite a few valid things that would get removed. Gradients and filters and
var
can also have parentheses, not to mention data URIs orcontent
values.But what is odd is that the $allowed_attr is filtered, and if empty, no other change is made to the $css. Only if it has something is the $css further manipulated. This seems backward.