[wp-trac] [WordPress Trac] #58921: wp_kses_allowed_html doesn't allow to add esi:include

WordPress Trac noreply at wordpress.org
Thu Jul 27 10:19:29 UTC 2023 

#58921: wp_kses_allowed_html doesn't allow to add esi:include
--------------------------+-----------------------------
 Reporter:  alekv         |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Plugins       |    Version:  6.2.2
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 In my plugin I want to implement an [ESI exclusion](https://www.w3.org/TR
 /esi-lang/) for Litespeed using their filter like this:

 {{{#!php
 <?php
 echo apply_filters(
         'litespeed_esi_url',
         'pmw_data_layer',
         'Inject data layer through ESI block');
 }}}


 The filter returns a script that contains an HTML comment and an ESI
 exclusion tag (which is not a standard HTML tag):

 {{{
 <!-- lscwp Inject data layer through ESI block -->
 <esi:include src='/?lsesi=pmw_data_layer&_control=private%2Cno-
 vary&_hash=6b8400dc86345e005f6cbea3e58da1e2' cache-control='private,no-
 vary' />
 <!-- lscwp Inject data layer through ESI block esi end -->
 }}}


 However, using the unescaped echo is bad practice and is not allowed by
 WooCommerce (my plugin is published on woocomerce.com, so I can't upload a
 version that's using `echo`).

 So I tried using `wp_kses`.

 Using the `wp_kses_allowed_html` filter, one could add custom tags to
 `wp_kses`. But it doesn’t work in this particular case because the ESI tag
 contains a colon `esi:include`.

 I’m stuck here. I can’t change the [ESI
 specification](https://www.w3.org/TR/esi-lang/) which specifies the tag
 `esi:include`.

 Litespeed (or any other technology that uses ESI) must consume the
 `esi:include` tag to work. That means we need to output the script
 somehow.

 I think there should be a way to add custom tags like `esi:include`.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/58921>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list