Make WordPress Core

Opened 3 weeks ago

Last modified 7 days ago

#47367 assigned enhancement

KSES: Update CSS properties considered safe for all users.

Reported by: peterwilsoncc Owned by: marybaum
Milestone: 5.3 Priority: normal
Severity: normal Version:
Component: Editor Keywords: has-patch needs-refresh 2nd-opinion commit
Focuses: Cc:


Apart from some minor updates to account for the block editor, the KSES list of allowed CSS properties for authors and contributors has not been updated for quite some time.

Most significantly, not all safe grid and flex box attributes are supported. There are several other new features of CSS missing too.

Reference: https://developer.mozilla.org/en-US/docs/Web/CSS/Reference


  • add support for new individual properties implicitly supported by shorthand attributes
  • determine what is considered safe

Related #47281, #37248, #45067, #42729.

Attachments (3)

added__idea_files.patch (2.2 MB) - added by marybaum 12 days ago.
Adds properties from CSS-Grid, Flexbox and CSS columns to safe-styles array
kses_php.patch (435 bytes) - added by marybaum 12 days ago.
This patch has just one file in it.
kses-190609.patch (1.3 KB) - added by marybaum 7 days ago.
Many modern CSS properties, many lines, one file!

Change History (12)

This ticket was mentioned in Slack in #core-editor by peterwilsoncc. View the logs.

3 weeks ago

This ticket was mentioned in Slack in #core by desrosj. View the logs.

3 weeks ago

#3 @desrosj
3 weeks ago

  • Keywords needs-patch added

#4 @peterwilsoncc
3 weeks ago

  • Milestone changed from Awaiting Review to Future Release
  • Owner set to marybaum
  • Status changed from new to assigned
  • Type changed from defect (bug) to enhancement

Assigning @marybaum as owner per discussion in Slack.

Assigning to future release to assist with triage, once a patch exists it can be moved to a version number.

12 days ago

Adds properties from CSS-Grid, Flexbox and CSS columns to safe-styles array

#5 @marybaum
12 days ago

  • Keywords has-patch added; needs-patch removed
  • Milestone changed from Future Release to 5.2.2

Probably could have named that patch better. 😜
Oh well.

I'm also changing the milestone to 5.2.2 per my conversation with @peterwilsoncc on Slack last week.


#6 @peterwilsoncc
12 days ago

  • Keywords needs-refresh added
  • Milestone changed from 5.2.2 to 5.3


I was unclear when chatting, I was thinking next major release rather next minor. In this case, auto updating KSES is probably fine but I'd prefer to wait until the major release.

I'm sorry but the patch will need a refresh, too. It contains changes to quite a few files rather than just the kses file. I'll reach out to you via Slack to help you with the process.

12 days ago

This patch has just one file in it.

#7 @marybaum
12 days ago

@peterwilsoncc I've refreshed the patch with a new one but will leave the workflow as needs-refresh until you've looked at it.

7 days ago

Many modern CSS properties, many lines, one file!

#8 @marybaum
7 days ago

  • Keywords 2nd-opinion commit added

New patch!

Would love y'all to look it over, make sure it's right and then commit.

#9 @birgire
7 days ago

Thanks for the patch @marybaum

I collected a list of grid attributes in #46597 that might be of use here.

Most of them are now already patched in kses-190609.patch, so I've marked them with an x:

x grid-column
x grid-row
x grid-gap
x grid-column-gap
x grid-row-gap
x grid-template-columns
x grid-column-start
x grid-column-end
x grid-row-start
x justify-self
x justify-items
x justify-content
x align-self
x align-items
x align-content

What do you think about the other ones on the list not marked with x?

In kses-190609.patch I noticed there are two new empty lines added in few places. I guess it should only be single ones.

There's also duplicate entry for grid-column-start in kses-190609.patch

All the best.

Note: See TracTickets for help on using tickets.