Make WordPress Core

Opened 4 years ago

Closed 2 years ago

Last modified 2 years ago

#53098 closed defect (bug) (duplicate)

Add all HTML spec attributes to wp kses

Reported by: malthert
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Formatting
Keywords: close
Focuses:
Cc:

Description

Currently wp kses is missing loads of HTML5 attributes, e.g. input with minlength, maxlength, min, max, step,...

These should be added.

Change History (8)

#1 @audrasjb
4 years ago

  • Component changed from Security to Formatting
  • Version trunk deleted

#2 @audrasjb
4 years ago

  • Keywords reporter-feedback added

Hello,

Currently, the list of allowed tags and attributes is an allowlist, not a blocklist. Therefore, we need to add the HTML elements and attributes in the allowlist one by one.

This is handled in the $allowedposttags global, defined in the wp-includes/kses.php file: https://core.trac.wordpress.org/browser/tags/5.7.1/src/wp-includes/kses.php#L50

So. In order to help this ticket to move forward, we need a proposal concerning the tags and attributes you want to add to the allowlist. Please feel free to make a proposal. I think it would be great to add some explanation on why each tag or attribute should be allowlisted :)

#3 @malthert
4 years ago

I would like to add all specified in the HTML standard.
Specifically the ones listed here: https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes (shows attribute + the element they may be used in)

#4 @audrasjb
4 years ago

To clarify my first comment, there is no plan to add all the existing tags and attributes in the allowlist.

If there is a need concerning some specific tags/attributes, please provide full context on why they should be allowed. If you need to allow all the tags in the HTML5 specification for your projects, please use the provided hooks to allow them, like wp_kses_allowed_html (https://developer.wordpress.org/reference/functions/wp_kses_allowed_html/) :)

#5 @audrasjb
4 years ago

  • Keywords close added; reporter-feedback removed

#6 @malthert
4 years ago

Why would we not add all allowed HTML attributes to this by default?
The current selection is completely arbitrary (e.g. the min/max/... for input, or even "id" attribute is not allowed for all HTML tags).

#7 @malthert
2 years ago

  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #55605.

#8 @desrosj
2 years ago

  • Milestone Awaiting Review deleted