Make WordPress Core

Opened 4 years ago

Closed 4 years ago

#46889 closed enhancement (duplicate)

kses allow data: protocol in wp_allowed_protocols

Reported by: nextendweb's profile nextendweb Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Formatting Keywords:
Focuses: Cc:


It is getting common to use inline base64 encoded images to minimalize request count. It would be great if WordPress' kses would allow to use the data: protocol in src attributes.

Example where the data: protocol get removed:

echo wp_kses_post('<img src="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHZlcnNpb249IjEuMCIgd2lkdGg9IjEyMDAiIGhlaWdodD0iNjAwIiA+PC9zdmc+" alt="Slider" />');

Suggested code change:

function wp_allowed_protocols() {
        static $protocols = array();

        if ( empty( $protocols ) ) {
                $protocols = array( 'http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn', 'tel', 'fax', 'xmpp', 'webcal', 'urn', 'data');

        if ( ! did_action( 'wp_loaded' ) ) {
                 * Filters the list of protocols allowed in HTML attributes.
                 * @since 3.0.0
                 * @param array $protocols Array of allowed protocols e.g. 'http', 'ftp', 'tel', and more.
                $protocols = array_unique( (array) apply_filters( 'kses_allowed_protocols', $protocols ) );

        return $protocols;

Change History (1)

#1 @SergeyBiryukov
4 years ago

  • Component changed from General to Formatting
  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Hi @nextendweb, thanks for the ticket!

We're already tracking this issue in #19354.

Note: See TracTickets for help on using tickets.