[wp-trac] [WordPress Trac] #54488: wp_filter_nohtml_kses does not remove HTML comments
WordPress Trac
noreply at wordpress.org
Sun Feb 26 22:05:10 UTC 2023
#54488: wp_filter_nohtml_kses does not remove HTML comments
--------------------------------------------------+-----------------------
Reporter: leewillis77 | Owner: audrasjb
Type: defect (bug) | Status: assigned
Priority: normal | Milestone: 6.2
Component: Formatting | Version: 2.1
Severity: normal | Resolution:
Keywords: has-patch has-unit-tests 2nd-opinion | Focuses: docs
--------------------------------------------------+-----------------------
Comment (by peterwilsoncc):

One functional difference I've noticed with kses is that it's possible to
filter the allowed HTML for the strip context:

{{{
case 'strip':
	/** This filter is documented in wp-includes/kses.php */
	return apply_filters( 'wp_kses_allowed_html', array(), $context );
}}}
-- [https://github.com/WordPress/wordpress-develop/blob/e0a9b1f4c5ae3ef1080b5e8fe5d7d36f4cebcfec/src/wp-includes/kses.php#L902-L904 source code]

Were the kses approach to be deprecated in favour of `wp_strip_all_html()`
then I'd suggest modifying `wp_kses()` to use the function if the allowed
HTML is an empty array.

Reading the comments above I see two changes in behaviour:

* comments are also removed
* the content of `script` and `style` tags would be removed

I think these changes are acceptable provided they're included in the
field guide/miscellaneous dev notes for the appropriate release. In my
view it better matches expectations.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/54488#comment:21>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
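
The fallback suggested in the comment above, sketched as an added example (not part of the original message and not WordPress core code). `example_strip_context_html()` is a hypothetical helper; it assumes a loaded WordPress environment (for instance run through WP-CLI's `wp eval-file`) and that the strip-everything function meant is core's `wp_strip_all_tags()`.

```php
<?php
// Added example: hypothetical helper, not WordPress core code.
// Assumes WordPress is already loaded, so wp_kses_allowed_html(),
// wp_strip_all_tags(), wp_kses() and add_filter() are available.

/**
 * Strip HTML for the 'strip' context while still honouring the
 * 'wp_kses_allowed_html' filter quoted in the comment.
 */
function example_strip_context_html( $text ) {
	// Resolves through apply_filters( 'wp_kses_allowed_html', array(), 'strip' ),
	// so a plugin that hooked the filter is still consulted.
	$allowed = wp_kses_allowed_html( 'strip' );

	if ( is_array( $allowed ) && empty( $allowed ) ) {
		// Nothing is allowed: drop every tag, HTML comments, and the
		// contents of <script> and <style> elements.
		return wp_strip_all_tags( $text );
	}

	// Something was allowed for this context: keep kses semantics.
	return wp_kses( $text, $allowed );
}

// Constructed sample input covering both behaviour changes from the comment.
$sample = 'Hi <!-- internal note --><b>there</b><script>var x = 1;</script>';

// Case 1: no filter attached, the allowed list is an empty array.
var_dump( example_strip_context_html( $sample ) );

// Case 2: a site allows <b> in the strip context through the filter.
$allow_bold = function ( $tags, $context ) {
	if ( 'strip' === $context ) {
		$tags['b'] = array();
	}
	return $tags;
};
add_filter( 'wp_kses_allowed_html', $allow_bold, 10, 2 );
var_dump( example_strip_context_html( $sample ) );
remove_filter( 'wp_kses_allowed_html', $allow_bold, 10 );
```

Comparing the two dumps shows where the filterable path and the strip-everything path diverge, which is the behaviour change the comment asks to have documented in the dev notes.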