[wp-trac] [WordPress Trac] #24157: safecss_filter_attr doesn't allow rgb() in inline styles

WordPress Trac noreply at wordpress.org
Sat May 25 22:07:38 UTC 2013


#24157: safecss_filter_attr doesn't allow rgb() in inline styles
--------------------------+------------------------------
 Reporter:  joehoyle      |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Formatting    |     Version:  2.8.1
 Severity:  normal        |  Resolution:
 Keywords:                |
--------------------------+------------------------------

Comment (by joehoyle):

 I wanted to open the discussion up to what CSS should be supported, and
 what is deemed insecure. AFAIK CSS expressions are the main reason for this
 restriction, whereas there are a lot of CSS values that are currently not
 allowed due to the stripping of `(`, e.g. bg image urls, gradients, other
 CSS 3 "functions", rgb(a), hsla to name some.

 I was going to write a patch to whitelist rgb for this ticket, however, if
 css expressions [http://webfx.eae.net/dhtml/cssexpr/cssexpr.html] are the
 only issue (which I believe are only available in <= IE7) then does it
 make more sense to blacklist "expression" rather than trying to write
 complex regex to whitelist the others?

--
Ticket URL: <http://core.trac.wordpress.org/ticket/24157#comment:3>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
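
The allowlist side of the question raised in the comment above, as an added example that is not WordPress core code and not part of the original message: a value filter that admits `rgb()`, `rgba()`, `hsl()` and `hsla()` with strictly numeric arguments and rejects every other parenthesised construct. All names prefixed `EXAMPLE_`/`example_` are hypothetical, and the sample values are constructed.

```php
<?php
// Added example, not WordPress core code. All names here are hypothetical.

// One numeric argument: up to three integer digits, optional fraction, optional %.
const EXAMPLE_NUM   = '\s*(?:\d{1,3}(?:\.\d+)?|\.\d+)%?\s*';
const EXAMPLE_ARGS3 = '/^' . EXAMPLE_NUM . '(?:,' . EXAMPLE_NUM . '){2}$/D';
const EXAMPLE_ARGS4 = '/^' . EXAMPLE_NUM . '(?:,' . EXAMPLE_NUM . '){3}$/D';

// Allowlisted function names, each mapped to the grammar its arguments must match.
const EXAMPLE_ALLOWED = [
    'rgb'  => EXAMPLE_ARGS3, 'hsl'  => EXAMPLE_ARGS3,
    'rgba' => EXAMPLE_ARGS4, 'hsla' => EXAMPLE_ARGS4,
];

function example_css_value_is_safe(string $value): bool
{
    // CSS escapes and comments can disguise a function name from a
    // name-based check, so reject them outright instead of decoding.
    if (strpos($value, '\\') !== false || strpos($value, '/*') !== false) {
        return false;
    }
    $ok = true;
    // Consume every non-nested "name(args)" call and validate it.
    $rest = preg_replace_callback(
        '/([a-z-]+)\(([^()]*)\)/i',
        function (array $m) use (&$ok): string {
            $pattern = EXAMPLE_ALLOWED[strtolower($m[1])] ?? null;
            $ok = $ok && $pattern !== null && preg_match($pattern, $m[2]) === 1;
            return '';
        },
        $value
    );
    // Any parenthesis left over is an unmatched, nested or unnamed call.
    return $ok && $rest !== null && strpbrk($rest, '()') === false;
}

// Constructed sample values.
$samples = [
    'rgb(255, 0, 0)',               // allowed
    'rgba(0,0,0,.5)',               // allowed
    '1px solid hsl(120, 50%, 50%)', // allowed
    'expression(1+1)',              // rejected: name not on the allowlist
    'url(http://example.com/a.png)',// rejected: url() is not allowlisted here
    'rgb(1,2,3',                    // rejected: unbalanced parenthesis
];
foreach ($samples as $s) {
    printf("%-32s %s\n", $s, example_css_value_is_safe($s) ? 'keep' : 'strip');
}
```

Because unknown names fail closed, a function added to CSS later is stripped until someone adds it to the table with an argument grammar, which is the maintenance cost the comment weighs against blacklisting "expression".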

