[wp-trac] [WordPress Trac] #27858: Bug HTML onmouseover and onmouseout

WordPress Trac noreply at wordpress.org
Sat Apr 26 00:15:53 UTC 2014


#27858: Bug HTML onmouseover and onmouseout
--------------------------+-------------------------
 Reporter:  TTBoS         |       Owner:
     Type:  defect (bug)  |      Status:  reopened
 Priority:  normal        |   Milestone:  3.9.1
Component:  TinyMCE       |     Version:  3.9
 Severity:  normal        |  Resolution:
 Keywords:  needs-patch   |     Focuses:  javascript
--------------------------+-------------------------

Comment (by azaozz):

 Replying to [comment:8 elliott-stocks]:
 > Should we allow all of the {{{on*}}} attributes for all elements if the current user has unfiltered_html?

 Not sure that is a good idea. Unfortunately the browsers in
 contenteditable mode still run JS added with these attributes.

 The patch works; however, as all attributes for images are replaced, it
 should include all (HTML 4 and 5) attributes. I'm still 50/50 whether this
 should be patched in core or should be left for plugins to do. A typical
 plugin would be something like:

 {{{
 add_filter( 'tiny_mce_before_init', 'my_mce_init', 20 );
 function my_mce_init( $init ) {
         if ( current_user_can('unfiltered_html') ) {
                 if ( ! empty( $init['extended_valid_elements'] ) ) {
                         $init['extended_valid_elements'] .= ',';
                 } else {
                         $init['extended_valid_elements'] = '';
                 }

                 $init['extended_valid_elements'] .=
 'img[id|accesskey|class|dir|lang|style|tabindex|title|contenteditable|contextmenu|draggable|dropzone|hidden|spellcheck|translate|src|alt=|usemap|ismap|width|height|name|longdesc|align|border|hspace|vspace|crossorigin|onmouseover|onmouseout]';
         }

         return $init;
 }
 }}}

--
Ticket URL: <https://core.trac.wordpress.org/ticket/27858#comment:9>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
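
An audit check for the kind of rule string the plugin snippet above builds, as an added example that is not part of the original message or of WordPress/TinyMCE code: it lists which elements in an `extended_valid_elements` string are allowed to keep inline event-handler attributes. The rule parsing is a simplified assumption of TinyMCE's syntax, and `SAMPLE`, `splitRules`, `couldMatchHandler` and `findEventHandlerAttrs` are hypothetical names.

```javascript
// Constructed sample: the img rule is abbreviated from the plugin snippet,
// the other rules are made up to exercise wildcards.
const SAMPLE = 'img[id|class|src|alt=|width|height|onmouseover|onmouseout],' +
  'a[href|target<_blank|on*],p[*],span[class|style]';

// Split on commas that sit outside [...] so each element rule stays whole.
function splitRules(spec) {
  const parts = [];
  let depth = 0, start = 0;
  for (let i = 0; i <= spec.length; i++) {
    const ch = spec[i];
    if (ch === '[') depth++;
    else if (ch === ']') depth--;
    else if (i === spec.length || (ch === ',' && depth === 0)) {
      parts.push(spec.slice(start, i).trim());
      start = i + 1;
    }
  }
  return parts.filter(Boolean);
}

// True when an attribute name, or a wildcard pattern, admits an on* handler.
// Assumption: wildcards * ? + expand to .* .? .+ as in TinyMCE's schema.
function couldMatchHandler(name) {
  if (/^on/.test(name)) return true;
  if (!/[*?+]/.test(name)) return false;
  const re = name.replace(/[.\\^$()|{}\[\]]/g, '\\$&').replace(/[?+*]/g, '.$&');
  return new RegExp('^' + re + '$').test('onerror'); // probe handler name
}

// Return [{element, attribute}] for every rule that lets a handler through.
function findEventHandlerAttrs(spec) {
  const findings = [];
  for (const rule of splitRules(spec)) {
    const m = /^[#+-]?([^\[]+)(?:\[([^\]]*)\])?$/.exec(rule);
    if (!m || !m[2]) continue;               // no attribute list to inspect
    const elements = m[1].split('/');        // "strong/b" style synonyms
    for (const raw of m[2].split('|')) {
      // Drop the "!" / "-" prefix and any =default, :forced or <values part.
      const name = raw.replace(/^[!-]/, '').split(/[=:<]/)[0].trim().toLowerCase();
      if (name && couldMatchHandler(name)) {
        for (const element of elements) findings.push({ element, attribute: name });
      }
    }
  }
  return findings;
}

console.log(findEventHandlerAttrs(SAMPLE));
```

Running it over the value of `$init['extended_valid_elements']` after all `tiny_mce_before_init` filters have run shows what plugins have opened up in the editor.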

