#46197 closed defect (bug) (fixed)
safecss_filter_attr remove styles with calc()
Reported by: | displaynone | Owned by: | SergeyBiryukov |
---|---|---|---|
Milestone: | 5.8 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Formatting | Keywords: | has-patch |
Focuses: | Cc: |
Description
I have a shortcode inside a tag attribute:
<a style="color:#d0c900; width: calc([myshortcode]% *10*1 );">
Executing do_shortcode returns:
<a style="color:#d0c900;">
Debugging safecss_filter_attr, I found that if the attribute contains a parenthesis, the method ignores it. So using: calc( 100% - 20px ) is not allowed.
Change History (10)
This ticket was mentioned in Slack in #core by soderlind. View the logs.
5 years ago
This ticket was mentioned in PR #1260 on WordPress/wordpress-develop by aristath.
4 years ago
#5
- Keywords has-patch added
This patch allows using ( in CSS sanitized using the safecss_filter_attr function.
The original regex was created more than a decade ago, and back then we didn't have things like calc(), var() etc - so disallowing ( made sense. This is no longer the case.
Trac ticket: https://core.trac.wordpress.org/ticket/46197
This also fixes https://github.com/WordPress/gutenberg/pull/31740 in Gutenberg, as well as https://core.trac.wordpress.org/ticket/46498
This ticket was mentioned in PR #2395 on WordPress/wordpress-develop by grappler.
3 years ago
#9
https://core.trac.wordpress.org/ticket/46197 is now patched
Trac ticket: https://core.trac.wordpress.org/ticket/55356
dream-encode commented on PR #2395:
3 years ago
#10
Thanks for the PR! This was merged into Core in https://core.trac.wordpress.org/changeset/52924.
There are quite a few valid things that would get removed. Gradients and filters and var can also have parentheses, not to mention data URIs or content values.
But what is odd is that the $allowed_attr is filtered, and if empty, no other change is made to the $css. Only if it has something is the $css further manipulated. This seems backward.
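
The approach discussed in this ticket, accepting calc() and var() while still rejecting any other parenthesis, shown as an added example. It is not WordPress core code or the code of either PR, and the function names, the property allowlist and the sample inputs are constructed for illustration:

```php
<?php
// Added illustration, not WordPress core code. All names are hypothetical.

// Constructed allowlist of properties for this example.
const EXAMPLE_ALLOWED_PROPS = array( 'color', 'width', 'height', 'margin' );

/** True when a declaration value holds nothing risky outside calc()/var(). */
function example_value_is_safe( string $value ): bool {
    // Work on a test copy: remove the functional notations we accept.
    $test = preg_replace( '/var\(\s*--[A-Za-z0-9_-]+\s*\)/', '', $value );
    // calc( ... ) with at most one level of nested parentheses.
    $test = preg_replace( '/calc\((?:[^()]|\([^()]*\))*\)/', '', $test );
    // Anything left must not contain \ ( & = } or a comment opener.
    return ! preg_match( '%[\\\\(&=}]|/\*%', $test );
}

/** Keep only allowlisted declarations whose values pass the check. */
function example_filter_style_attr( string $css ): string {
    $kept = array();
    foreach ( explode( ';', $css ) as $decl ) {
        if ( false === strpos( $decl, ':' ) ) {
            continue; // empty or malformed declaration
        }
        list( $prop, $value ) = array_map( 'trim', explode( ':', $decl, 2 ) );
        if ( in_array( strtolower( $prop ), EXAMPLE_ALLOWED_PROPS, true )
            && example_value_is_safe( $value ) ) {
            $kept[] = $prop . ':' . $value;
        }
    }
    return $kept ? implode( ';', $kept ) . ';' : '';
}

// Constructed sample inputs.
$samples = array(
    'color:#d0c900; width: calc( 100% - 20px );', // the ticket's case
    'width: calc((100% - 20px) / 2); height: var(--row-h)',
    'width: attr(data-w); color: red',             // "(" outside calc()/var()
    'width: calc(100% - 20px; color: blue',        // unbalanced "("
);
foreach ( $samples as $css ) {
    printf( "%-55s => %s\n", $css, example_filter_style_attr( $css ) );
}
```

Gradients, filters and data URIs, which the comment above also lists, still contain a parenthesis after the two replacements and are therefore dropped by this check.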