#57780 closed defect (bug) (fixed)
wp_kses: Add filter to css_url_data_types
Reported by: | scruffian | Owned by: | SergeyBiryukov |
---|---|---|---|
Milestone: | 6.3 | Priority: | normal |
Severity: | normal | Version: | |
Component: | General | Keywords: | has-patch has-testing-info has-screenshots gutenberg-merge add-to-field-guide |
Focuses: | Cc: |
Description (last modified by )
Since filter can also refer to urls (see https://developer.mozilla.org/en-US/docs/Web/CSS/url) then we should add it to the css_url_data_types array.
PR here: https://github.com/WordPress/wordpress-develop/pull/4108
Reference:
- Part of Gutenberg PR 48281 for Duotone: Use the style engine to generate CSS for Duotone
.
Change History (10)
This ticket was mentioned in PR #4108 on WordPress/wordpress-develop by @scruffian.
22 months ago
#1
- Keywords has-patch added
#2
@
22 months ago
Is it worth adding the other properties that url
can be used with?
The url() function can be included as a value for background, background-image, border, border-image, border-image-source, content, cursor, filter, list-style, list-style-image, mask, mask-image, offset-path, src as part of a @font-face block, and @counter-style/symbol
I'm not sure what the performance overhead would be to add more to the array here if they're going to be mostly unused. If any of them are needed they can certainly be added in follow-up PRs as needed. I'm mostly curious to learn more about context here.
#3
@
21 months ago
- Keywords has-testing-info has-screenshots added
For additional context, this update is required for core support of this duotone PR: https://github.com/WordPress/gutenberg/pull/48281.
Test Report
Patch tested: https://github.com/WordPress/wordpress-develop/pull/4108
Steps to Test
- Make sure that the Gutenberg plugin is disabled.
- Install the test mu-plugin located here.
- Confirm that the displayed image is in purple/yellow duotone, and inspect the markup to verify styles applied.
Expected Results
- ✅ The displayed image should be in purple/yellow duotone.
- ✅ The image should not be blurred.
Environment
- Hardware: MacBook Pro Apple M1 Pro
- OS: macOS 12.6.3
- Browser: Safari 16.3
- Server: nginx/1.23.3
- PHP: 7.4.33
- WordPress: 6.2-beta5-55481-src
- Theme: twentytwentythree v1.1
- Active Plugins:
- modern-images-wp v1.1.0
- trac-57780 (mu-plugin noted above)
Actual Results
- ✅ The kitten image was displayed with the purple/yellow duotone effect.
- ✅ Image was not blurred (i.e.
filter: blur(5px)
was not allowed throughwp_kses()
).
Supplemental Artifacts
Before Patch | After Patch |
---|---|
#4
follow-up:
↓ 6
@
21 months ago
- Milestone changed from Awaiting Review to 6.3
The CSS filter
seems "safe" at first look.
#7
@
21 months ago
- Owner set to SergeyBiryukov
- Resolution set to fixed
- Status changed from new to closed
In 55564:
@SergeyBiryukov commented on PR #4108:
21 months ago
#8
Thanks for the PR! Merged in r55564.
#9
in reply to:
↑ 6
@
21 months ago
Replying to SergeyBiryukov:
This PR appears to be about specifically using
filter
with a URL:
filter: url( my-file.svg#svg-blur );
Yea, sorry, should have explained better. Was wondering what happens to non-image files (SVG, etc.) when loaded from CSS, and if that may need more consideration.
Since
filter
can also refer to urls (see https://developer.mozilla.org/en-US/docs/Web/CSS/url) then we should add it to thecss_url_data_types
array.Trac ticket: https://core.trac.wordpress.org/ticket/57780#ticket