[wp-trac] [WordPress Trac] #60979: safecss_filter_attr() should support query strings with "&amp;" as used by Gutenberg

WordPress Trac noreply at wordpress.org
Wed Apr 10 13:13:46 UTC 2024


#60979: safecss_filter_attr() should support query strings with "&amp;" as used by
Gutenberg
-------------------------------+-----------------------------
 Reporter:  philippmuenchen    |      Owner:  (none)
     Type:  defect (bug)       |     Status:  new
 Priority:  normal             |  Milestone:  Awaiting Review
Component:  Posts, Post Types  |    Version:  6.5
 Severity:  normal             |   Keywords:  needs-patch
  Focuses:                     |
-------------------------------+-----------------------------
 Gutenberg transforms "&" to "&amp;" when saving content.

 E.g. for the Media/Text block the content that is filtered by
 {{{safecss_filter_attr()}}} might contain "&amp;" as here:

 {{{
 style="background-image:url(https://example.com/uploads/sites/2/2023/10/image.jpg?width=1024&amp;height=600);background-position:46% 43%"
 }}}


 As {{{safecss_filter_attr()}}} simply explodes the style value by
 semicolons, the example above does not pass and gets stripped out.
 Finally the block layout breaks, as the saved result is:

 {{{
 style="background-position:46% 43%"
 }}}


 Fixing it for the moment by filtering the content before the kses functions:

 {{{#!php
 <?php
 add_filter('pre_kses', function ($content) {
     // Replace all '&amp;' with '&' in the parameters of every URL in the
     // content. The match covers the whole query string (up to whitespace,
     // a quote, a closing parenthesis or a '#') so every '&amp;' in it is
     // replaced, not only the first one.
     return preg_replace_callback('/(https?:\/\/[^\s]*?)&amp;([^\s#"\')]*)/',
         function ($matches) {
             return str_replace('&amp;', '&', $matches[0]);
         }, $content);
 });
 }}}

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/60979>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
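The following is an added example, not code from the ticket or from WordPress core. It reproduces the failure described above with a minimal stand-in for the semicolon split (the real `safecss_filter_attr()` does more than this) and shows a narrower workaround than the `pre_kses` filter in the ticket: it decodes `&amp;` only inside `url(...)` values of `style=""` attributes, so entities elsewhere in the markup stay escaped. All function names are hypothetical; the sample markup is constructed.

```php
<?php
// Added example, not part of the ticket. Demonstrates why "&amp;" inside a
// url() value is broken by a semicolon-based style parser, and a workaround
// that is limited to url() values in style attributes.

/**
 * Stand-in for the splitting step of safecss_filter_attr(): split a style
 * attribute value on ';' into individual declarations. NOT the WordPress
 * implementation, only the part that matters for this ticket.
 */
function split_declarations( string $css ): array {
    return array_values( array_filter( array_map( 'trim', explode( ';', $css ) ) ) );
}

/**
 * Decode "&amp;" to "&" only inside url(...) of a style="" attribute.
 * Text nodes and other attributes are left untouched, unlike a content-wide
 * replacement of every URL.
 */
function unescape_amp_in_style_urls( string $html ): string {
    return preg_replace_callback(
        '/\sstyle="([^"]*)"/i',
        function ( array $m ) {
            $style = preg_replace_callback(
                '/url\(([^)]*)\)/i',
                function ( array $u ) {
                    return 'url(' . str_replace( '&amp;', '&', $u[1] ) . ')';
                },
                $m[1]
            );
            return ' style="' . $style . '"';
        },
        $html
    );
}

// Constructed sample resembling the Media/Text block markup from the ticket;
// the "&amp;" in the text node must survive, the one inside url() must not.
$sample = '<div style="background-image:url(https://example.com/image.jpg?width=1024&amp;height=600);background-position:46% 43%">Tom &amp; Jerry</div>';

// Before the workaround: the ';' that terminates "&amp;" cuts the url() value
// in two, so the background-image declaration is no longer valid CSS and a
// sanitizer working on the split pieces drops it.
preg_match( '/style="([^"]*)"/', $sample, $m );
print_r( split_declarations( $m[1] ) );

// After the workaround: the url() value no longer contains a ';', both
// declarations survive the split, and the text node still reads "&amp;".
$fixed = unescape_amp_in_style_urls( $sample );
preg_match( '/style="([^"]*)"/', $fixed, $m );
print_r( split_declarations( $m[1] ) );
echo $fixed, PHP_EOL;
```

`unescape_amp_in_style_urls()` could be attached to the same `pre_kses` filter the ticket uses; the point of scoping it to `url()` inside `style` attributes is that the pre-kses content is otherwise left exactly as Gutenberg saved it, so the workaround changes only the bytes that the semicolon split actually trips over.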


More information about the wp-trac mailing list