[wp-trac] [WordPress Trac] #29807: add support for picture element and srcset attribute on img in wp_kses

WordPress Trac noreply at wordpress.org
Wed Oct 3 06:00:38 UTC 2018


#29807: add support for picture element and srcset attribute on img in wp_kses
-------------------------------------------------+-------------------------
 Reporter:  mattheu                              |       Owner:  (none)
     Type:  enhancement                          |      Status:  new
 Priority:  normal                               |   Milestone:  Future
                                                 |  Release
Component:  Formatting                           |     Version:
 Severity:  normal                               |  Resolution:
 Keywords:  has-patch has-unit-tests needs-      |     Focuses:
  refresh                                        |
-------------------------------------------------+-------------------------

Comment (by 1000camels):

 Replying to [comment:21 peterwilsoncc]:
 > The refactor of `wp_kses_hair()` remains a gift for someone suitably
 > enthusiastic.

 I am enthusiastic, but might not be skilled enough.

 I wanted to discuss some approaches to dealing with the weird case of
 srcset.

 It strikes me that the first major issue is there are multiple values for
 srcset, separated by a comma. This is similar to the style attribute,
 which is delimited by ; and which has its own function to test it
 (safecss_filter_attr). Are there any other HTML attributes that function
 like this? If there are, it might make sense to develop an approach to
 exploding multi-valued attributes, possibly putting them into their own
 version of $attrarr element, and collapse these again, once they pass.

 Of course, that doesn't deal with the additional 'width descriptor', so
 perhaps the real way to approach this is to create a condition for srcset
 in wp_kses_hair().

 I've made a stab at this and I have allowed for the wp_kses_bad_protocol
 to process any number of URLs in srcset (or rather any attribute - is this
 a problem?). It does nothing to process the width descriptor, which is
 optional. It also does not check that there is a sizes attribute, which is
 required. However, my sense is that this code is not validating the HTML
 (which is fine according to Postel). It is rather just making sure we
 don't allow bad markup, which in the case of picture, img and source, it
 is primarily checking for valid structure and good protocols. So I think
 this works.

 Of course, it could also be written better, cleaner and more succinct, but
 I will leave that to those who know better.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/29807#comment:26>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
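
The approach discussed in the comment above (split `srcset` into candidates, check each URL's protocol, keep the descriptor), as an added example that is not part of the original message, its patch, or WordPress core. `sanitize_srcset()` and `scheme_is_allowed()` are hypothetical names; the scheme check is a stand-in for `wp_kses_bad_protocol()` that drops a failing candidate instead of rewriting it, and the descriptor check goes beyond what the comment describes. The sample value is constructed.

```php
<?php
// Added example, not WordPress core code. Function names are hypothetical.

/** True when $url is relative or its scheme is in $allowed (stand-in for wp_kses_bad_protocol()). */
function scheme_is_allowed( string $url, array $allowed ): bool {
	// Decode entities, then drop whitespace/control bytes that can hide a scheme.
	$probe = html_entity_decode( $url, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
	$probe = preg_replace( '/[\x00-\x20]+/', '', $probe );
	if ( ! preg_match( '/^([^:\/?#]*):/', $probe, $m ) ) {
		return true; // No scheme, so a relative URL.
	}
	return in_array( strtolower( $m[1] ), $allowed, true );
}

/** Keep only srcset candidates with an allowed scheme and a well-formed descriptor. */
function sanitize_srcset( string $srcset, array $allowed = array( 'http', 'https' ) ): string {
	$ws   = " \t\r\n\f";
	$kept = array();
	$pos  = 0;
	$len  = strlen( $srcset );
	while ( $pos < $len ) {
		$pos += strspn( $srcset, $ws . ',', $pos );   // Skip separators.
		$n    = strcspn( $srcset, $ws, $pos );        // URL runs to next whitespace.
		if ( 0 === $n ) {
			break;
		}
		$url        = substr( $srcset, $pos, $n );
		$pos       += $n;
		$descriptor = '';
		if ( ',' === substr( $url, -1 ) ) {
			$url = rtrim( $url, ',' );                // "a.jpg, b.jpg": no descriptor.
		} else {
			$n          = strcspn( $srcset, ',', $pos );
			$descriptor = trim( substr( $srcset, $pos, $n ) );
			$pos       += $n;
		}
		// Accept an empty descriptor, a width ("480w") or a density ("1.5x").
		$ok = preg_match( '/^(|\d+w|\d+(\.\d+)?x)$/', $descriptor );
		if ( $ok && scheme_is_allowed( $url, $allowed ) ) {
			$kept[] = '' === $descriptor ? $url : "$url $descriptor";
		}
	}
	return implode( ', ', $kept );
}

// Constructed sample: two safe candidates, two with a disallowed scheme.
$sample = 'small.jpg 480w, javascript:alert(1) 800w, https://example.com/large.jpg 2x, java&#9;script:x 3x';
echo sanitize_srcset( $sample ), "\n";
```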

