Opened 3 years ago
Last modified 5 months ago
#56391 reopened defect (bug)
safecss_filter_attr(): support rgba background-color
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Security | Keywords: | has-patch has-unit-tests |
| Focuses: | | Cc: | |
Description
This ticket allows rgba-valued background-color in safecss_filter_attr.
It was this issue (https://github.com/WordPress/gutenberg/issues/39402) in Gutenberg that triggered this ticket.
In RichText, when an inline text color is specified, a transparent background color style (background-color:rgba(0, 0, 0, 0)) is generated at the same time.
This is to disable the browser's default style (yellow for Chrome), since highlighted text is wrapped with a mark tag.
However, this background color is sanitized by wp_kses_post, and the browser's default style is restored.
This ticket proposes to allow rgba values only for background-color.
Please check with the additions to the Unit Test to see what values are allowed.
Change History (13)
This ticket was mentioned in PR #3097 on WordPress/wordpress-develop by t-hamano.
3 years ago
#1
- Keywords has-unit-tests added
#2
@
3 years ago
I initially submitted a PR that attempted to resolve this problem only in the block where it was occurring.
https://github.com/WordPress/gutenberg/pull/39488
However, it was considered that it would be better to support rgba in safecss_filter_attr, so I submitted a ticket.
3 years ago
#3
I have added support for RGB and allowed some properties, and updated regular expressions.
And I have tried to cover as many variations of the test as possible. Is this enough?
3 years ago
#4
I have relaxed the regex rules and updated the existing tests.
With the relaxed rules, should we reduce the number of test cases a little more?
@wildworks commented on PR #3097:
3 years ago
#6
The problem this PR is trying to solve appears to have been fixed by Changeset 54117.
Therefore, I would like to close this PR.
#7
@
2 years ago
- Resolution set to invalid
- Status changed from new to closed
The issue reported in this ticket was reported in Changeset 54117, so could someone please close this ticket?
#9
@
19 months ago
- Resolution set to duplicate
- Status changed from reopened to closed
Duplicate of #56353.
#11
@
5 months ago
- Resolution duplicate deleted
- Status changed from closed to reopened
> Duplicate of #56353.
This was incorrect. The rgba colors are still escaped. I'd like to re-open this ticket.
@wildworks commented on PR #3097:
5 months ago
#12
> The problem this PR is trying to solve appears to have been fixed by Changeset 54117.
I realized this wasn't correct. This changeset only allowed CSS variables, so RGB(A) colors are still not allowed. We will reopen this PR and resume work on it.
@wildworks commented on PR #3097:
5 months ago
#13
I started by using the equivalent regular expression from the colored_parse_rgba_string() function. This logic should work well for both comma and space value separators. I also overhauled the tests to test as many patterns as possible without overdoing it.
Trac ticket: https://core.trac.wordpress.org/ticket/56391
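
The whole-value matching for comma and space separators discussed in the last comment, sketched as an added example (not the PR's code and not WordPress core). The helper name `example_is_safe_rgb_color()`, the regular expression and the sample values are constructed for illustration.

```php
<?php
// Added example: hypothetical helper, not WordPress core or PR #3097 code.
// Accepts only a complete rgb()/rgba() value; anything else is rejected,
// so a sanitizer built on it fails closed.
function example_is_safe_rgb_color( string $value ): bool {
	$num   = '(?:\d+(?:\.\d+)?|\.\d+)'; // unsigned decimal number
	$chan  = "{$num}%?";                // colour channel: number or percentage
	$alpha = "{$num}%?";                // alpha: number or percentage

	// Legacy syntax: rgb(R, G, B) or rgba(R, G, B, A), comma separated.
	$comma = "{$chan}\s*,\s*{$chan}\s*,\s*{$chan}(?:\s*,\s*{$alpha})?";
	// Modern syntax: rgb(R G B) or rgb(R G B / A), space separated.
	$space = "{$chan}\s+{$chan}\s+{$chan}(?:\s*/\s*{$alpha})?";

	// \A ... \z anchor the entire string (unlike $, \z does not tolerate a
	// trailing newline), so extra declarations, nested functions or url()
	// cannot ride along behind a valid-looking prefix.
	$pattern = "~\A\s*rgba?\(\s*(?:{$comma}|{$space})\s*\)\s*\z~i";

	return 1 === preg_match( $pattern, $value );
}

// Constructed sample values, not taken from the WordPress test suite.
$samples = array(
	'rgba(0, 0, 0, 0)'             => true,
	'rgb(255 128 0 / 50%)'         => true,
	'RGBA(10%,20%,30%,.5)'         => true,
	'rgba(0, 0 0, 0)'              => false, // mixed separators
	'rgba(0, 0, 0, 0); color: red' => false, // trailing declaration
	'rgba(0, 0, 0, url(x))'        => false, // nested function
	'rgba(0, 0, 0, 0'              => false, // unterminated
);

foreach ( $samples as $value => $expected ) {
	$actual = example_is_safe_rgb_color( $value );
	printf( "%-30s %s\n", $value, $actual === $expected ? 'ok' : 'MISMATCH' );
}
```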