Make WordPress Core

Opened 3 years ago

Closed 9 months ago

Last modified 9 months ago

#55605 closed defect (bug) (wontfix)

kses "selected" for option

Reported by: malthert
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 2.9
Component: Formatting
Keywords: has-patch needs-refresh
Focuses:
Cc:

Description

<select>
  <option>A</option>
  <option selected>B</option>
  <option>C</option>
</select>

wp_kses_post should not strip the "selected" from option

Change History (7)

This ticket was mentioned in PR #2654 on WordPress/wordpress-develop by kkmuffme.

#1
3 years ago

  • Keywords has-patch added

Trac ticket: https://core.trac.wordpress.org/ticket/55605

Additionally:

  • update global HTML tag attributes to match attributes in 2022 (e.g. SEO, ... with itemprop, ...)
  • sort modified tag attributes alphabetically (no removals)
  • add all attributes for <img> tag
  • allow picture + source tag to allow loading webp,... with fallback
  • allow select + option tags for dropdowns
  • allow meta and link tag for improved SEO and performance
  • allow autocomplete attribute for form

Attributes are mostly based on https://developer.mozilla.org/en-US/docs/Web/HTML/Element, with some containing browser specifics that were introduced in the last years.

The tags were chosen based on a WP installation that contains the most popular WP + WooCommerce plugins, as well as features introduced by browsers (e.g. the picture tag).

#2 @costdev
3 years ago

  • Version changed from trunk to 2.9

#3 @malthert
2 years ago

#53098 was marked as a duplicate.

This ticket was mentioned in Slack in #core by kkmuffme.
9 months ago

#5 @swissspidy commented on PR #2654:
9 months ago

I think the changes here are too broad.

https://core.trac.wordpress.org/ticket/55605 is just about the selected attribute, so the PR should be covering that.

There was https://core.trac.wordpress.org/ticket/53098 for adding basically all HTML tags, like this PR seems to be doing to an extent. There is also a comment there explaining why the list is currently as it is. The intention behind the KSES allowlist is not to 1:1 match all the existing HTML tags there are. It only contains the ones that provide value and address a specific need.

Also, many of these attributes need specific sanitization as well. That's why there is a separate ticket for picture and srcset: https://core.trac.wordpress.org/ticket/29807
So that should be handled as part of that ticket.

---

Aside: There are some merge conflicts.

#6 @swissspidy
9 months ago

  • Component changed from Security to Formatting
  • Keywords needs-refresh added
  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

select or option are not in the KSES allowlist by default, and neither is form. So this is plugin territory.
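The plugin-side route the comment above points to, as an added example that is not part of this ticket, of PR #2654, or of WordPress core: a small plugin that hooks the real `wp_kses_allowed_html` filter and adds `select`, `optgroup` and `option` (including the boolean `selected`) to the `post` context that `wp_kses_post()` uses. The function name and the exact attribute set are this example's own choices; only the filter name, its two arguments and the tag => attribute array shape are WordPress APIs.

```php
<?php
/**
 * Plugin Name: Allow select/option in post content (example)
 *
 * Added example; not code from ticket #55605, PR #2654 or WordPress core.
 * Extends the 'post' KSES allowlist (the one wp_kses_post() consults) with
 * <select>, <optgroup> and <option>, including the value-less "selected"
 * attribute that the ticket asks about.
 */

add_filter( 'wp_kses_allowed_html', 'example_allow_select_option', 10, 2 );

/**
 * Filter callback for 'wp_kses_allowed_html'.
 *
 * @param array        $allowed Tag name => array of allowed attribute names.
 * @param string|array $context KSES context ('post', 'data', 'strip', 'entities',
 *                              'explicit' for a caller-supplied allowlist, ...).
 * @return array Possibly extended allowlist.
 */
function example_allow_select_option( $allowed, $context ) {
	// Only widen the 'post' context; every other context stays as core defines it.
	if ( 'post' !== $context ) {
		return $allowed;
	}

	// Attributes shared by all three elements (example choice, kept minimal).
	$common = array(
		'class' => true,
		'id'    => true,
		'title' => true,
	);

	// No event handlers (on*), no form/formaction: KSES drops any attribute
	// that is not listed here, so the allowlist stays as narrow as the need.
	$allowed['select'] = array_merge( $common, array(
		'name'     => true,
		'multiple' => true,
		'disabled' => true,
		'required' => true,
	) );

	$allowed['optgroup'] = array_merge( $common, array(
		'label'    => true,
		'disabled' => true,
	) );

	// 'selected' => true is enough for <option selected>: KSES keeps an
	// attribute written without a value once its name is allowed for the tag.
	$allowed['option'] = array_merge( $common, array(
		'value'    => true,
		'selected' => true,
		'disabled' => true,
	) );

	return $allowed;
}
```

With the plugin active, passing the markup from the ticket description through `wp_kses_post()` keeps `<option selected>B</option>`: KSES parses an attribute that has no value as a value-less attribute and re-emits its bare name as soon as that name is allowed for the element, so nothing beyond `'selected' => true` is required. Two caveats a reviewer would raise before shipping this: `wp_kses_post()` is what runs on content saved by users without the `unfiltered_html` capability, so every tag added here becomes something a Contributor or Author can publish (which is why `form` is deliberately left out and no `on*` attributes appear); and the change only affects what survives sanitization, it gives the dropdown no front-end behaviour by itself.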

#7 @swissspidy commented on PR #2654:
9 months ago

After re-reading the ticket, I decided to close the ticket as wontfix because select and option aren't in the allowlist to begin with, so there's no point in adding <option selected> support.