[wp-trac] [WordPress Trac] #20210: Always allow the standard attributes for all elements when filtering content using kses for posts.
WordPress Trac
wp-trac at lists.automattic.com
Sat Sep 8 16:23:13 UTC 2012
#20210: Always allow the standard attributes for all elements when filtering
content using kses for posts.
--------------------------+-----------------------------
 Reporter:  westi         |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Future Release
Component:  Formatting    |     Version:  3.4
 Severity:  normal        |  Resolution:
 Keywords:  needs-patch   |
--------------------------+-----------------------------
Comment (by ryan):
 * Introduce wp_kses_allowed_html() which accepts a context string and
   returns an array of allowed tags.
 * Removes explicit declarations of class, id, style, and title from
   $allowedposttags
 * wp_kses_allowed_html() dynamically adds the global attributes to every
   tag for the 'post' context
 * No longer calls wp_kses_array_lc() every time wp_kses() runs. Instead
   it runs once if CUSTOM_TAGS is true. Plugins directly passing a custom
   allowed_html array would no longer get the lc treatment. We need to see if
   that would be a problem.
 * wp_kses_data() and wp_filter_kses() pass current_filter() for the
   $allowed_html argument to wp_kses().
 * wp_kses_allowed_html() handles being passed a filter name for a context.
   If the filter is not a recognized one it defaults to using $allowedtags as
   was done before for wp_kses_data() and wp_filter_kses().
 * wp_kses_allowed_html() recognizes user_description and
   pre_user_description out of the box. For these it takes $allowedtags and
   inserts rel attribute support.
 * wp_kses_allowed_html() allows plugins to override the return values for
   the default contexts and support arbitrary context via a
   wp_kses_allowed_tags filter.
 * Maybe @todo wp_kses_hook() can now pass a string context for
   $allowed_html to the pre_kses filter. We might have to pass the result of
   wp_kses_allowed_html() instead if it turns out that plugins are digging in
   $allowed_html.
 * @todo There are several spots in $allowedposttags where array() can be
   replaced with true. If we go with this I'll tidy that up.

So, basically, $allowed_html can now be passed around as a string context
that wp_kses_allowed_html() will turn into the proper array when needed.
This reduces a lot of array passing and avoids making new globals for
every possible context. Some of the kses filter functions now pass
current_filter() as the $allowed_html context, allowing us to support
custom allowed html for any field in any filter context.
wp_kses_allowed_html() is sort of like default-filters.php for kses.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/20210#comment:11>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
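
A small PHP model of the context resolution described in the comment above, added here as an illustration; it is not the ticket's patch or WordPress core code. The demo_* functions and the sample allowlists are constructed for the example, and the lowercase lookup in demo_attr_allowed() is an assumption about how the filter matches names.

```php
<?php
// Added illustration, not WordPress core code; demo_* names are hypothetical.

// Resolve a context string, or an explicit allowlist array, to an allowlist.
function demo_allowed_html( $context ) {
    // Constructed sample lists standing in for $allowedposttags and $allowedtags.
    $post_tags    = array( 'a' => array( 'href' => true ), 'img' => array( 'src' => true ), 'p' => array() );
    $default_tags = array( 'a' => array( 'href' => true, 'title' => true ), 'strong' => array() );

    // An explicit array passes through untouched: its keys are not lowercased.
    if ( is_array( $context ) ) {
        return $context;
    }
    switch ( $context ) {
        case 'post':
            // Global attributes are merged into every tag at resolve time.
            $global = array( 'class' => true, 'id' => true, 'style' => true, 'title' => true );
            foreach ( $post_tags as $tag => $attrs ) {
                $post_tags[ $tag ] = array_merge( $global, $attrs );
            }
            return $post_tags;
        case 'user_description':
        case 'pre_user_description':
            $default_tags['a']['rel'] = true;
            return $default_tags;
        default:
            // Unrecognized filter names get the restrictive default list.
            return $default_tags;
    }
}

// Assumption: names taken from the input are lowercased before the lookup.
function demo_attr_allowed( $tag, $attr, $context ) {
    $allowed = demo_allowed_html( $context );
    return isset( $allowed[ strtolower( $tag ) ][ strtolower( $attr ) ] );
}

$custom = array( 'A' => array( 'HREF' => true ) ); // constructed plugin-style array
$checks = array(
    array( 'img', 'class', 'post' ),
    array( 'a', 'rel', 'pre_user_description' ),
    array( 'a', 'rel', 'pre_comment_content' ),
    array( 'a', 'href', $custom ),
);
foreach ( $checks as $c ) {
    $label  = is_array( $c[2] ) ? 'custom array' : $c[2];
    $result = demo_attr_allowed( $c[0], $c[1], $c[2] ) ? 'allowed' : 'stripped';
    printf( "%-22s <%s %s> %s\n", $label, $c[0], $c[1], $result );
}
```

The last check shows the compatibility question from the comment: an array with uppercase keys that is passed directly never matches a lowercased name, so the element is stripped rather than allowed.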