Make WordPress Core

Opened 2 years ago

Closed 2 months ago

Last modified 2 months ago

#55605 closed defect (bug) (wontfix)

kses "selected" for option

Reported by: malthert
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 2.9
Component: Formatting
Keywords: has-patch needs-refresh
Focuses:
Cc:


  <option selected>B</option>

wp_kses_post should not strip the "selected" from option

Change History (7)

This ticket was mentioned in PR #2654 on WordPress/wordpress-develop by kkmuffme.

2 years ago

  • Keywords has-patch added

Trac ticket:


  • update global HTML tag attributes to match attributes in 2022 (e.g. SEO,... with itemprop,...)


  • sort modified tag attributes alphabetically (no removals)
  • add all attributes for <img> tag
  • allow picture + source tag to allow loading webp,... with fallback
  • allow select + option tags for dropdowns
  • allow meta and link tag for improved SEO and performance
  • allow autocomplete attribute for form

Attributes are mostly based on with some containing browser specifics which were introduced in the last years.

The tags were chosen based on a WP installation that contains the most popular WP + WooCommerce plugins, as well as features introduced by browsers (e.g. picture tag)

#2 @costdev
2 years ago

  • Version changed from trunk to 2.9

#3 @malthert
22 months ago

#53098 was marked as a duplicate.

This ticket was mentioned in Slack in #core by kkmuffme.

2 months ago

@swissspidy commented on PR #2654:

2 months ago

I think the changes here are too broad. is just about the selected attribute, so the PR should be covering that.

There was for adding basically all HTML tags, like this PR seems to be doing to an extent. There is also a comment there explaining why the list is currently as it is. The intention behind the KSES allowlist is not to 1:1 match all the existing HTML tags there are. It only contains the ones that provide value and address a specific need.

Also, many of these attributes need specific sanitization as well. That's why there is a separate ticket for picture and srcset:
So that should be handled as part of that ticket.


Aside: There are some merge conflicts

#6 @swissspidy
2 months ago

  • Component changed from Security to Formatting
  • Keywords needs-refresh added
  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

select or option are not in the KSES allowlist by default, neither is form. So this is plugin territory.

@swissspidy commented on PR #2654:

2 months ago

After re-reading the ticket, I decided to close the ticket as wontfix because select and option aren't in the allowlist to begin with, so there's no point in adding <option selected> support.
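
Comment #6 above calls this plugin territory. As an added example (not code from the ticket, the PR or WordPress core), a plugin can extend the allowlist that wp_kses_post() uses through the wp_kses_allowed_html filter. The function name example_kses_allow_select_option and the attribute list chosen here are assumptions.

```php
<?php
/**
 * Plugin Name: Example - allow select/option in the KSES "post" context
 * (Illustrative plugin; the name and attribute list are assumptions.)
 */

add_filter( 'wp_kses_allowed_html', 'example_kses_allow_select_option', 10, 2 );

/**
 * Adds <select>, <optgroup> and <option> to the allowlist used by wp_kses_post().
 *
 * @param array  $allowed Tag => attribute map for the current context.
 * @param string $context KSES context name ('post', 'data', 'strip', ...).
 * @return array
 */
function example_kses_allow_select_option( $allowed, $context ) {
	// wp_kses_post() filters with the 'post' context; leave comment and
	// other contexts as strict as core ships them.
	if ( 'post' !== $context ) {
		return $allowed;
	}

	// Only attributes whose values carry no URL or script are listed, so none
	// of them needs the extra sanitization mentioned in the PR review.
	// Caveat: once a filter allows <select> or <input>, core's 'post' context
	// also allows <form> again, so review the resulting allowlist.
	$extra = array(
		'select'   => array( 'disabled' => true, 'multiple' => true, 'size' => true ),
		'optgroup' => array( 'disabled' => true, 'label' => true ),
		'option'   => array( 'disabled' => true, 'label' => true, 'selected' => true, 'value' => true ),
	);

	foreach ( $extra as $tag => $attributes ) {
		// Merge instead of overwrite so entries added by other plugins survive.
		$existing        = isset( $allowed[ $tag ] ) && is_array( $allowed[ $tag ] ) ? $allowed[ $tag ] : array();
		$allowed[ $tag ] = array_merge( $existing, $attributes );
	}

	return $allowed;
}
```

With this filter active, wp_kses_post( '<select><option selected>B</option></select>' ) keeps the markup, while attributes outside the list, such as onchange, are still stripped.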
