Make WordPress Core

Opened 13 months ago

Last modified 8 months ago

#46197 new defect (bug)

safecss_filter_attr remove styles with calc()

Reported by: displaynone
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Formatting
Keywords:
Focuses:
Cc:


I have a shortcode inside a tag attribute:

<a style="color:#d0c900; width: calc([myshortcode]% *10*1 );">

Executing do_shortcode returns:

<a style="color:#d0c900;">

Debugging safecss_filter_attr, I found that if the attribute contains a parenthesis, the method ignores it. So using calc( 100% - 20px ) is not allowed.

Change History (4)

#1 @joyously
13 months ago

There are quite a few valid things that would get removed. Gradients and filters and var can also have parentheses, not to mention data URIs or content values.

But what is odd is that the $allowed_attr is filtered, and if empty, no other change is made to the $css. Only if it has something is the $css further manipulated. This seems backward.
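
The behaviour described in the report and in comment 1, as an added example that is not WordPress core code: a blanket "drop anything containing a parenthesis" rule next to a narrower rule that lets calc() through only when its argument passes a lexical allow-list. The demo_* function names, the unit list, and the shortcode expanding to 50 are assumptions made for the illustration, and the $allowed_attr property check is left out.

```php
<?php
// Added illustration, not WordPress core code. All demo_* names are hypothetical.

// Lexical allow-list for calc(): numbers with a few known units, + - * /,
// whitespace and balanced parentheses. It is not a full calc() grammar check.
function demo_is_safe_calc( string $value ): bool {
    if ( ! preg_match( '/^calc\((.+)\)$/is', trim( $value ), $m ) ) {
        return false;
    }
    $number = '(?:\d+(?:\.\d+)?|\.\d+)(?:px|em|rem|vh|vw|%)?';
    // Delete every permitted token; any leftover (var, url, quotes, ...) fails.
    $rest = preg_replace( '/' . $number . '|[-+*\/()]|\s+/i', '', $m[1] );
    if ( '' !== $rest ) {
        return false;
    }
    $depth = 0;
    foreach ( str_split( $m[1] ) as $ch ) {
        if ( '(' === $ch ) {
            $depth++;
        } elseif ( ')' === $ch && --$depth < 0 ) {
            return false; // closes more than it opened
        }
    }
    return 0 === $depth;
}

// $allow_calc = false models the reported behaviour: any "(" drops the declaration.
function demo_filter_style( string $css, bool $allow_calc ): string {
    $kept = array();
    foreach ( explode( ';', $css ) as $decl ) {
        $decl = trim( $decl );
        if ( '' === $decl ) {
            continue;
        }
        if ( false !== strpos( $decl, '(' ) ) {
            $parts = explode( ':', $decl, 2 );
            if ( ! $allow_calc || 2 !== count( $parts ) || ! demo_is_safe_calc( $parts[1] ) ) {
                continue;
            }
        }
        $kept[] = $decl;
    }
    return implode( ';', $kept );
}

// Constructed input: the ticket's style with the shortcode already expanded to 50.
$style = 'color:#d0c900; width: calc(50% *10*1 ); height: calc(100% - var(--gap)); background-image: url(https://example.com/a.png)';
echo demo_filter_style( $style, false ), PHP_EOL;
echo demo_filter_style( $style, true ), PHP_EOL;
```

The first call keeps only the color declaration; the second also keeps the width, while the var() and url() values are still dropped because they contain tokens outside the allow-list.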

#2 @pento
13 months ago

  • Version trunk deleted

This ticket was mentioned in Slack in #core by soderlind. View the logs.

8 months ago

#4 @SergeyBiryukov
8 months ago

  • Component changed from General to Formatting