[wp-trac] [WordPress Trac] #27858: Bug HTML onmouseover and onmouseout

WordPress Trac noreply at wordpress.org
Fri Aug 1 16:46:54 UTC 2014 

#27858: Bug HTML onmouseover and onmouseout
--------------------------+-------------------------
 Reporter:  TTBoS         |       Owner:
     Type:  defect (bug)  |      Status:  reopened
 Priority:  normal        |   Milestone:  4.0
Component:  TinyMCE       |     Version:  3.9
 Severity:  normal        |  Resolution:
 Keywords:                |     Focuses:  javascript
--------------------------+-------------------------

Comment (by adamsilverstein):

 azaozz - testing the patch it works as expected. When you say "browsers in
 contenteditable mode still run JS added with these attributes." - can you
 explain a bit more? testing in chrome and firefox I added an onclick
 handler - I don't see it firing anywhere when i'm in the editor.


 Replying to [comment:9 azaozz]:
 > Replying to [comment:8 elliott-stocks]:
 > > Should we allow all of the {{{on*}}} attributes for all elements if
 the current user has unfiltered_html?
 >
 > Not sure that is a good idea. Unfortunately the browsers in
 contneteditable mode still run JS added with these attributes.



 >
 > The patch works however as all attributes for images are replaced, it
 should include all (HTML 4 and 5) attributes. I'm still 50/50 whether this
 should be patched in core or should be left for plugins to do. A typical
 plugin would be something like:
 >
 > {{{
 > add_filter( 'tiny_mce_before_init', 'my_mce_init', 20 );
 > function my_mce_init( $init ) {
 >       if ( current_user_can('unfiltered_html') ) {
 >               if ( ! empty( $init['extended_valid_elements'] ) ) {
 >                       $init['extended_valid_elements'] .= ',';
 >               } else {
 >                       $init['extended_valid_elements'] = '';
 >               }
 >
 >               $init['extended_valid_elements'] .=
 'img[id|accesskey|class|dir|lang|style|tabindex|title|contenteditable|contextmenu|draggable|dropzone|hidden|spellcheck|translate|src|alt=|usemap|ismap|width|height|name|longdesc|align|border|hspace|vspace|crossorigin|onmouseover|onmouseout]';
 >       }
 >
 >       return $init;
 > }
 > }}}

--
Ticket URL: <https://core.trac.wordpress.org/ticket/27858#comment:15>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list