Make WordPress Core

Opened 6 weeks ago

Last modified 5 weeks ago

#60979 new defect (bug)

safecss_filter_attr() should support query strings with "&amp;" as used by Gutenberg

Reported by: philippmuenchen
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 6.5
Component: Posts, Post Types
Keywords: needs-patch needs-dev-note
Focuses:
Cc:

Description

Gutenberg transforms "&" to "&amp;" when saving content.

E.g. for the Media/Text block, the content that is filtered by safecss_filter_attr() might contain "&amp;", as here:

style="background-image:url(https://example.com/uploads/sites/2/2023/10/image.jpg?width=1024&amp;height=600);background-position:46% 43%"


As safecss_filter_attr() simply explodes the style value by semicolons, the example above does not pass and gets stripped out. Finally, the block layout breaks, as the saved result is:

style="background-position:46% 43%"

Fixing it for the moment by filtering the content before kses-functions:

<?php
// Workaround: decode '&amp;' inside URLs before the kses functions run,
// so that safecss_filter_attr() no longer splits a url() at the ';' of '&amp;'.
add_filter('pre_kses', function ($content) {
    // Match every URL up to whitespace, a quote or a closing parenthesis,
    // and replace all '&amp;' within it with '&'.
    return preg_replace_callback('/https?:\/\/[^\s"\')]+/', function ($matches) {
        return str_replace('&amp;', '&', $matches[0]);
    }, $content);
});
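To make the splitting problem concrete, here is an added illustration (not WordPress core code and not the reporter's workaround): a naive explode(';') like the one the description refers to, next to a url()-aware split that keeps the "&amp;" query string inside a single declaration. The function names and the sample style string are constructed for this example.

```php
<?php
// Added illustration (not WordPress core code): why a naive explode(';')
// breaks on '&amp;' and how a url()-aware split keeps the declaration intact.

// Mimics the first step the ticket describes: split the style value on ';'.
function naive_split_declarations(string $css): array {
    return array_values(array_filter(array_map('trim', explode(';', $css)), 'strlen'));
}

// Split on ';' only when not inside url( ... ) parentheses, so that the ';'
// terminating '&amp;' inside a query string does not start a new declaration.
function url_aware_split_declarations(string $css): array {
    $parts   = [];
    $depth   = 0;
    $current = '';
    $len     = strlen($css);
    for ($i = 0; $i < $len; $i++) {
        $ch = $css[$i];
        if ($ch === '(') {
            $depth++;
        } elseif ($ch === ')' && $depth > 0) {
            $depth--;
        } elseif ($ch === ';' && $depth === 0) {
            $parts[] = trim($current);
            $current = '';
            continue;
        }
        $current .= $ch;
    }
    $parts[] = trim($current);
    return array_values(array_filter($parts, 'strlen'));
}

// Constructed sample modelled on the Media/Text block style from the ticket.
$style = 'background-image:url(https://example.com/uploads/sites/2/2023/10/image.jpg'
       . '?width=1024&amp;height=600);background-position:46% 43%';

// Naive split: 3 pieces, the url() is cut in two at the ';' of '&amp;'.
print_r(naive_split_declarations($style));

// url()-aware split: 2 pieces, background-image and background-position.
print_r(url_aware_split_declarations($style));
```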

Change History (1)

#1 @khoipro
5 weeks ago

  • Keywords needs-dev-note added

Great catch! I have the same issue with one of my projects.
