
Opened 8 weeks ago

Last modified 8 weeks ago

#53098 new defect (bug)

Add all HTML spec attributes to wp kses

Reported by: malthert
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Formatting
Keywords: close
Focuses:
Cc:

Description

Currently wp kses is missing loads of HTML5 attributes, e.g. input with minlength, maxlength, min, max, step,...

These should be added.

Change History (6)

#1 @audrasjb
8 weeks ago

  • Component changed from Security to Formatting
  • Version trunk deleted

#2 @audrasjb
8 weeks ago

  • Keywords reporter-feedback added

Hello,

Currently, the list of allowed tags and attributes is an allowlist, not a blocklist. Therefore, we need to add the HTML elements and attributes in the allowlist one by one.

This is handled in the $allowedposttags global, defined in the wp-includes/kses.php file: https://core.trac.wordpress.org/browser/tags/5.7.1/src/wp-includes/kses.php#L50

So. In order to help this ticket to move forward, we need a proposal concerning the tags and attributes you want to add to the allowlist. Please feel free to make a proposal. I think it would be great to add some explanation on why each tag or attribute should be allowlisted :)

#3 @malthert
8 weeks ago

I would like to add all specified in the HTML standard.
Specifically the ones listed here: https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes (shows attribute + the element they may be used in)

#4 @audrasjb
8 weeks ago

To clarify my first comment, there is no plan to add all the existing tags and attributes in the allowlist.

If there is a need concerning some specific tags/attributes, please provide full context on why they should be allowed. If you need to allow all the tags in the HTML5 specification for your projects, please use the provided hooks to allow them, like wp_kses_allowed_html (https://developer.wordpress.org/reference/functions/wp_kses_allowed_html/)
:)
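The hook named in the comment above, worked through as an added example (this is not WordPress core code and not code posted on the ticket). It assumes a site-specific plugin file and a WordPress 5.7.x install; the attribute set is the one the ticket description names for input (minlength, maxlength, min, max, step) plus the global id attribute from the last comment. The filter is scoped to the 'post' context only, so other kses contexts keep their existing allowlists, and no event-handler attributes are added, so kses continues to strip them.

```php
<?php
/**
 * Plugin Name: Allow HTML5 form attributes in post content (example)
 *
 * Added example for ticket #53098, not core code. It extends the kses 'post'
 * allowlist through the wp_kses_allowed_html filter instead of editing the
 * $allowedposttags global in wp-includes/kses.php.
 */

// The tag and attribute names below are assumptions for this example: the
// <input> attributes the ticket asks for, plus "id" on every allowed tag.
function example_allow_html5_form_attributes( $allowed, $context ) {
	// Only widen post content. 'strip', 'user_description' and any custom
	// context passed to wp_kses() are returned unchanged.
	if ( 'post' !== $context ) {
		return $allowed;
	}

	// <input> is absent from $allowedposttags in 5.7.1, so start from an
	// explicit, small attribute set rather than "everything the spec lists".
	$input_attributes = array(
		'type'      => true,
		'name'      => true,
		'value'     => true,
		'minlength' => true,
		'maxlength' => true,
		'min'       => true,
		'max'       => true,
		'step'      => true,
	);

	if ( ! isset( $allowed['input'] ) || ! is_array( $allowed['input'] ) ) {
		$allowed['input'] = array();
	}
	$allowed['input'] = array_merge( $allowed['input'], $input_attributes );

	// Permit "id" on every tag that is already allowlisted. Event-handler
	// attributes (onclick, onfocus, ...) are deliberately never added, so
	// wp_kses_attr() still drops them from post content.
	foreach ( $allowed as $tag => $attributes ) {
		if ( is_array( $attributes ) ) {
			$allowed[ $tag ]['id'] = true;
		}
	}

	return $allowed;
}
add_filter( 'wp_kses_allowed_html', 'example_allow_html5_form_attributes', 10, 2 );
```

With the plugin active, wp_kses_post() keeps type, min, max, step and friends on an input element and removes any attribute not in the merged list, which is the behaviour to check after each change to the allowlist: a small, context-scoped addition like this is easier to review than swapping in the full HTML attribute table.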

#5 @audrasjb
8 weeks ago

  • Keywords close added; reporter-feedback removed

#6 @malthert
8 weeks ago

Why would we not add all allowed HTML attributes to this by default?
The current selection is completely arbitrary (e.g. the min/max/... for input, or even "id" attribute is not allowed for all HTML tags).
