KSES: Add new allowed HTML tags

[ramiy]

Add additional HTML tags to the allowed list of tags.

The 7 new tags are:

• <data>
• <datalist>
• <dialog>
• <picture>
• <progress>
• <search>
• <time>

Add additional HTML tags to the allowed list of tags. The 7 new tags are <data>, <datalist>, <dialog>, <picture>, <progress>, <search> and <time>.

[westonruter]

I think picture should be omitted from this ticket as it is being worked on in #29807. cc @adamsilverstein

[westonruter]

There is also the meter tag which would be relevant to allow.

There are also tag-specific attributes which should be allowed.

picture removed and meter was added.

[ramiy]

@westonruter thank you for the code review.

picture removed and meter was added.

Also, I added the relevant attributes to the new tags.

[westonruter]

@ramiy I'm curious how you came across this specific set of tags to add. Were they specific ones that you found were needed? There are other fundamental tags which aren't allowed yet either, like option or optgroup or select, as you can see not even form is allowed, intentionally: ​https://github.com/WordPress/wordpress-develop/blob/c4186c044f3dd6599f479dcfc5d84ad24bcebea5/src/wp-includes/kses.php#L900

So it doesn't seem to make sense to add datalist.

A tag that is currently missing which would seem to make sense is wbr.

Are there others?

[sachinrajcp123]

Enhancement: Add <data>, <datalist>, <dialog>, <picture>, <progress>, <search>, and <time> to KSES allowed HTML tags in post context.

[westonruter]

@sachinrajcp123 Hi! How does your patch relate to the ​existing PR?

[ramiy]

Replying to westonruter:

@ramiy I'm curious how you came across this specific set of tags to add. Were they specific ones that you found were needed?

It was part of Elementor security check. When using wp_kses_post() some semantic tags removed. So, instead of creating a dedicated solution for our needs, we decided to update the wp_kses_post() method. But when examining this method, I noticed that the allowed HTML tags is not complete and I decided to add the additional HTML tags.

There are other fundamental tags which aren't allowed yet either, like option or optgroup or select, as you can see not even form is allowed, intentionally: ​https://github.com/WordPress/wordpress-develop/blob/c4186c044f3dd6599f479dcfc5d84ad24bcebea5/src/wp-includes/kses.php#L900

So it doesn't seem to make sense to add datalist.

No problem, I will update the PR.

A tag that is currently missing which would seem to make sense is wbr.

I'll add this tag to the PR.

[rollybueno]

Test Report

Description

This report validates whether the indicated patch works as expected.

Patch tested: ​https://github.com/WordPress/wordpress-develop/pull/9379

Environment

• WordPress: 6.9-alpha-60093-src
• PHP: 8.2.29
• Server: nginx/1.29.0
• Database: mysqli (Server: 8.4.6 / Client: mysqlnd 8.2.29)
• Browser: Chrome 139.0.0.0
• OS: Linux
• Theme: Twenty Fifteen 4.0
• MU Plugins: None activated
• Plugins:
  • Test Reports 1.2.0

Actual Results

1. ✅ Issue resolved with patch. Using the following PHP test code:

   $new_tags = [
       '<data value="123">Data content</data>',
       '<datalist id="browsers"><option value="Chrome"><option value="Firefox"></datalist>',
       '<dialog open>Dialog content</dialog>',
       '<picture><source srcset="image.webp" type="image/webp"><img src="image.jpg" alt="Sample"></picture>',
       '<progress value="70" max="100">70%</progress>',
       '<search><form><input type="search" name="q"></form></search>',
       '<time datetime="2025-08-14">August 14, 2025</time>'
   ];
   $test_html = implode("\n", $new_tags);
   $sanitized = wp_kses_post( $test_html );
   echo $sanitized;
   

Before applying the patch, most tags were stripped from the output.
After applying the patch, all 6 tags (<data>, <dialog>, <picture>, <progress>, <search>, <time>) were preserved.

Additional Notes

• ❗❗ I'm using htmlentities() so that I can show the visual difference on the sreenshot, but the idea is same and has no difference without htmlentities().
• <datalist> will not be included as per https://core.trac.wordpress.org/ticket/63786?cnum_edit=11#comment:9
• Patch behaves as expected and aligns with intended changes to extend allowed HTML tags.
• Tested both before and after patch application to confirm the difference.

Supplemental Artifacts

Trunk:

With Patch:

[welcher]

@westonruter do you think this is in good shape to be included in 6.9?

[westonruter]

Note that dialog (with its attributes closedby, open, and popover) were also just committed in r60884. So that is now no longer needed. I've refreshed the PR with the latest from trunk. So the new tags and attributes being proposed in the PR are:

• data
• meter (min, max, low, high, optimum, value)
• progress (max, value)
• search
• time (datetime)
• wbr

[westonruter]

I just noticed that the value attribute is not included for the data tag, so I'm adding that to the PR as well.

[westonruter]

In 60886:

Editor: Add 6 missing HTML5 semantic tags (data, meter, progress, search, time, wbr) and their attributes to KSES.

1. data (attribute: value)
2. meter (attributes: high, low, max, min, optimum, value)
3. progress (attributes: max, value)
4. search
5. time (attribute: datetime)
6. wbr

Props ramiy, rollybueno, westonruter.
Fixes #63786.