#55605 closed defect (bug) (wontfix)
kses "selected" for option
| Reported by: | malthert | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 2.9 |
| Component: | Formatting | Keywords: | has-patch needs-refresh |
| Focuses: | | Cc: | |
Description
<select> <option>A</option> <option selected>B</option> <option>C</option> </select>
wp_kses_post should not strip the "selected" from option
Change History (7)
This ticket was mentioned in PR #2654 on WordPress/wordpress-develop by kkmuffme.
3 years ago
#1
- Keywords has-patch added
This ticket was mentioned in Slack in #core by kkmuffme. View the logs.
9 months ago
@swissspidy commented on PR #2654:
9 months ago
#5
I think the changes here are too broad.
https://core.trac.wordpress.org/ticket/55605 is just about the selected
attribute, so the PR should be covering that.
There was https://core.trac.wordpress.org/ticket/53098 for adding basically all HTML tags, like this PR seems to be doing to an extent. There is also a comment there explaining why the list is currently as it is. The intention behind the KSES allowlist is not to 1:1 match all the existing HTML tags there are. It only contains the ones that provide value and address a specific need.
Also, many of these attributes need specific sanitization as well. That's why there is a separate ticket for `picture` and `srcset`: https://core.trac.wordpress.org/ticket/29807
So that should be handled as part of that ticket.
---
Aside: There are some merge conflicts
#6
@
9 months ago
- Component changed from Security to Formatting
- Keywords needs-refresh added
- Milestone Awaiting Review deleted
- Resolution set to wontfix
- Status changed from new to closed
`select` or `option` are not in the KSES allowlist by default, neither is `form`. So this is plugin territory.
@swissspidy commented on PR #2654:
9 months ago
#7
After re-reading the ticket, I decided to close the ticket as wontfix because `select` and `option` aren't in the allowlist to begin with, so there's no point in adding `<option selected>` support.
Trac ticket: https://core.trac.wordpress.org/ticket/55605
Additionally:
* Attributes are mostly based on https://developer.mozilla.org/en-US/docs/Web/HTML/Element with some containing browser specifics which were introduced in the last years.
* The tags were chosen based on a WP installation that contains the most popular WP + WooCommerce plugins, as well as features introduced by browsers (e.g. picture tag)
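Comments #6 and #7 above put `<select>`/`<option>` support in plugin territory. As an added example that is not part of this ticket or of PR #2654, this is how a plugin would widen the KSES `post` allowlist through the existing `wp_kses_allowed_html` filter so that the boolean `selected` attribute from the ticket description survives `wp_kses_post()`; the function name and the chosen attribute list are assumptions, not WordPress defaults.

```php
<?php
/**
 * Added example, not code from the ticket or the PR. Hooks the real
 * wp_kses_allowed_html filter to add <select> and <option> for the 'post'
 * context only. Function name is hypothetical.
 */
add_filter( 'wp_kses_allowed_html', 'example_allow_select_option', 10, 2 );

function example_allow_select_option( $allowed, $context ) {
	// Widen only the 'post' context (the one wp_kses_post() uses);
	// leave 'strip', 'data', 'user_description' etc. untouched.
	if ( 'post' !== $context ) {
		return $allowed;
	}

	// KSES keeps an attribute only when it is listed for that tag, so this
	// is a deliberately short list: no event handlers (onchange, ...), no
	// style, nothing that needs value-level sanitization.
	$allowed['select'] = array(
		'name'     => true,
		'id'       => true,
		'class'    => true,
		'disabled' => true,
		'multiple' => true,
	);
	$allowed['option'] = array(
		'value'    => true,
		'selected' => true, // boolean attribute from the ticket
		'disabled' => true,
	);

	return $allowed;
}

// Constructed input: the markup from the ticket description.
$html = '<select><option>A</option><option selected>B</option><option>C</option></select>';

// With the filter active, the tags and the bare "selected" attribute are kept;
// without it, wp_kses_post() strips both tags and leaves only "ABC".
echo wp_kses_post( $html );
```

Note that `<form>` is intentionally not added: a `<select>` without a form submits nothing, and allowing form submission targets in post content is a separate decision with its own sanitization needs.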