Opened 19 months ago
Last modified 18 months ago
#55452 new defect (bug)
`safecss_filter_attr` removes background-images with URL parameters
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Future Release | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Formatting | Keywords: | needs-patch |
| Focuses: | css | Cc: |
Description
If you try to add a background-image using an inline style, and the URL has query parameters (specifically, an &), the background-image will be stripped from the content.
What seems to be happening: the & is encoded, and becomes &, and when safecss_filter_attr splits the $css into separate declarations, it does so just by breaking on a semicolon, which breaks the URL value. For example, background-image:url(https://fake.test/image.png?a=1&b=2); becomes background-image:url(https://fake.test/image.png?a=1& and b=2), and neither are valid CSS.
To reproduce:
Try adding this Media & Text block, which uses this image: https://img.rawpixel.com/s3fs-private/rawpixel_images/website_content/a005-scottw-465.jpg?w=1200&h=1200…
<!-- wp:media-text {"mediaId":null,"mediaType":"image","imageFill":true,"focalPoint":{"x":"0.75","y":"0.72"}} -->
<div class="wp-block-media-text alignwide is-stacked-on-mobile is-image-fill"><figure class="wp-block-media-text__media" style="background-image:url(https://img.rawpixel.com/s3fs-private/rawpixel_images/website_content/a005-scottw-465.jpg?w=1200&h=1200&fit=clip&crop=default&dpr=1&q=75&vib=3&con=3&usm=15&cs=srgb&bg=F4F4F3&ixlib=js-2.2.1&s=06d4e5a9962096a6010029591ae36198);background-position:75% 72%"><img src="https://img.rawpixel.com/s3fs-private/rawpixel_images/website_content/a005-scottw-465.jpg?w=1200&h=1200&fit=clip&crop=default&dpr=1&q=75&vib=3&con=3&usm=15&cs=srgb&bg=F4F4F3&ixlib=js-2.2.1&s=06d4e5a9962096a6010029591ae36198" alt="" /></figure><div class="wp-block-media-text__content"><!-- wp:paragraph {"placeholder":"Content…","fontSize":"medium"} -->
<p class="has-medium-font-size">"<a rel="noreferrer noopener" href="https://www.rawpixel.com/image/430579/free-photo-image-palm-tree-palm-africa" target="_blank">Palm trees at Cape Town, South Africa</a>" by Scott Webb is marked with <a rel="noreferrer noopener" href="https://creativecommons.org/publicdomain/zero/1.0/?ref=openverse" target="_blank">CC0 1.0</a>.</p>
<!-- /wp:paragraph --></div></div>
<!-- /wp:media-text -->
When you save and view the post, the background-image is gone.
This seems to be affecting Cover block with "Fixed background" enabled too.