[wp-trac] [WordPress Trac] #45011: Add source to $allowedposttags

WordPress Trac noreply at wordpress.org
Fri Sep 28 21:34:38 UTC 2018 

#45011: Add source to $allowedposttags
--------------------------+------------------------
 Reporter:  1000camels    |       Owner:  (none)
     Type:  defect (bug)  |      Status:  closed
 Priority:  normal        |   Milestone:
Component:  Media         |     Version:  trunk
 Severity:  normal        |  Resolution:  duplicate
 Keywords:                |     Focuses:
--------------------------+------------------------
Description changed by SergeyBiryukov:

Old description:

> The source element, which is needed for audio, video and picture
> elements, is not included in the array of $allowedposttags in kses.php
>
> It can be included on line 299, as:
>
>                 'source' => array(
>                         'sizes' => true,
>                         'src' => true,
>                         'srcset' => true,
>                         'type' => true,
>                         'media' => true
>                 ),
>
> This is important because media's audio shortcode applies the src to the
> source element. The source element is optional, but in this case it is
> not. If it is excluded, the player will render but not play.
>
> I am not sure how wide-spread this case is, but I encountered it where
> do_shortcode was being applied to the the_excerpt filter before kses was
> applied. So an audio shortcode was being clobbered in a case that does
> not normally happen. Nevertheless, it would seem that the source element
> is valid and should be included.

New description:

 The source element, which is needed for audio, video and picture elements,
 is not included in the array of $allowedposttags in kses.php

 It can be included on line 299, as:
 {{{
                 'source' => array(
                         'sizes' => true,
                         'src' => true,
                         'srcset' => true,
                         'type' => true,
                         'media' => true
                 ),
 }}}
 This is important because media's audio shortcode applies the src to the
 source element. The source element is optional, but in this case it is
 not. If it is excluded, the player will render but not play.

 I am not sure how wide-spread this case is, but I encountered it where
 do_shortcode was being applied to the the_excerpt filter before kses was
 applied. So an audio shortcode was being clobbered in a case that does not
 normally happen. Nevertheless, it would seem that the source element is
 valid and should be included.

--

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/45011#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list