#53156 closed defect (bug) (fixed)
Add 'main' tag to kses
Reported by: | glendaviesnz | Owned by: | davidbaumwald |
---|---|---|---|
Milestone: | 5.8 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Formatting | Keywords: | has-patch has-unit-tests |
Focuses: | Cc: |
Description
Gutenberg recently added the main
tag as a wrapper option for the group block for accessibility reasons (https://github.com/WordPress/gutenberg/pull/28576).
This tag is not currently included in $allowedposttags
in wp-includes/kses.php
, so if this tag is selected by a user without unfiltered_html
rights it is stripped from the content on save and the block invalidates when the post/page is reloaded.
To replicate the issue this causes:
- In an WP env with Gutenberg plugin installed add a user with author permissions
- Log in as that user and add a group block and set the wrapper as main under Advanced settings
- Save the post and reload
There don't seem to be any security implications with adding this tag to $allowedposttags
, and is probably only missing as it wouldn't have existed when this list was first created.
Change History (13)
This ticket was mentioned in PR #1228 on WordPress/wordpress-develop by glendaviesnz.
4 years ago
#1
- Keywords has-patch added
#5
follow-up:
↓ 7
@
4 years ago
- Keywords needs-unit-tests added; commit removed
The patch itself looks fine, but this should have some unit tests to make sure the functionality works as expected now and in the future.
#7
in reply to:
↑ 5
@
4 years ago
Replying to jorbin:
The patch itself looks fine, but this should have some unit tests to make sure the functionality works as expected now and in the future.
I have added a basic unit test to the PR - https://github.com/WordPress/wordpress-develop/pull/1228/commits/ddd994fdac637c5752c6f16a5dfdbd1050cf2cfd - at this stage just checking that the style and class attributes are preserved as these are the critical ones from a gutenberg block perspective, but let me know if you think it is worth testing anything else.
#8
follow-up:
↓ 11
@
4 years ago
Thanks for udating the patch to add tests @glendaviesnz. Also, since no one has welcomed you yet, welcome and thanks for the ticket and initial patch.
I've updated the test to simplify it a bit and am going to commit everything now.
aaronjorbin commented on PR #1228:
4 years ago
#10
Noting that I fixed the phpcs piece locally before commiting in SVN but not here. This was committed in https://core.trac.wordpress.org/changeset/50987
#11
in reply to:
↑ 8
@
4 years ago
Replying to jorbin:
Also, since no one has welcomed you yet, welcome
Thanks!
I've updated the test to simplify it a bit and am going to commit everything now.
Thanks also for tidying this up, and finalising.
This ticket was mentioned in PR #1301 on WordPress/wordpress-develop by peterwilsoncc.
4 years ago
#13
- Keywords has-unit-tests added; needs-unit-tests removed
This reverts commit 84eee38fcb4114595f1cc6b751868c5649cbc1e6.
# Conflicts:
# src/wp-includes/kses.php
Testing revert to see if PHP 8 stops hanging.
https://core.trac.wordpress.org/ticket/53156
Gutenberg recently added the main tag as a wrapper option for the group block for accessibility reasons.
This tag is not currently included in $allowedposttags in wp-includes/kses.php, so if this tag is selected by a user without unfiltered_html rights it is stripped from the content on save and the block invalidates when the post/page is reloaded.
To replicate the issue this causes:
Trac ticket: https://core.trac.wordpress.org/ticket/53156