[wp-trac] [WordPress Trac] #27858: Bug HTML onmouseover and onmouseout
WordPress Trac
noreply at wordpress.org
Fri Aug 1 16:46:54 UTC 2014
#27858: Bug HTML onmouseover and onmouseout
--------------------------+-------------------------
Reporter: TTBoS | Owner:
Type: defect (bug) | Status: reopened
Priority: normal | Milestone: 4.0
Component: TinyMCE | Version: 3.9
Severity: normal | Resolution:
Keywords: | Focuses: javascript
--------------------------+-------------------------
Comment (by adamsilverstein):
azaozz - testing the patch it works as expected. When you say "browsers in
contenteditable mode still run JS added with these attributes." - can you
explain a bit more? Testing in Chrome and Firefox I added an onclick
handler - I don't see it firing anywhere when I'm in the editor.
Replying to [comment:9 azaozz]:
> Replying to [comment:8 elliott-stocks]:
> > Should we allow all of the {{{on*}}} attributes for all elements if
> > the current user has unfiltered_html?
>
> Not sure that is a good idea. Unfortunately the browsers in
> contenteditable mode still run JS added with these attributes.
>
> The patch works however as all attributes for images are replaced, it
> should include all (HTML 4 and 5) attributes. I'm still 50/50 whether this
> should be patched in core or should be left for plugins to do. A typical
> plugin would be something like:
>
> {{{
> add_filter( 'tiny_mce_before_init', 'my_mce_init', 20 );
> function my_mce_init( $init ) {
>     // Only relax the editor's allowlist for users who may post unfiltered HTML.
>     if ( current_user_can( 'unfiltered_html' ) ) {
>         if ( ! empty( $init['extended_valid_elements'] ) ) {
>             $init['extended_valid_elements'] .= ',';
>         } else {
>             $init['extended_valid_elements'] = '';
>         }
>
>         // Replaces the full attribute list for img, adding onmouseover and onmouseout.
>         $init['extended_valid_elements'] .= 'img[id|accesskey|class|dir|lang|style|tabindex|title|contenteditable|contextmenu|draggable|dropzone|hidden|spellcheck|translate|src|alt=|usemap|ismap|width|height|name|longdesc|align|border|hspace|vspace|crossorigin|onmouseover|onmouseout]';
>     }
>
>     return $init;
> }
> }}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/27858#comment:15>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
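
Added example (not part of the ticket, and not WordPress or TinyMCE code): a small audit helper that lists which event-handler attributes an extended_valid_elements string, like the one in the quoted plugin, would let through the editor. The parser is a simplified reading of the "element[attr|attr]" rule syntax, and the function names, probe list and sample string are constructed for illustration.

```javascript
// Simplified parser (assumption): comma-separated "element[attr|attr]" rules,
// "a/b" element aliases, "!" required prefix, and "=", ":", "<" value suffixes.
const PROBES = ['onclick', 'onerror', 'onload', 'onmouseover', 'onmouseout'];

// Reduce "alt=", "!href" or "target<_blank?_self" to the bare attribute name.
function attrNames(attrSpec) {
  return attrSpec.split('|')
    .map(a => a.trim().replace(/^!/, '').split(/[=:<]/)[0].toLowerCase())
    .filter(Boolean);
}

// True for a literal on* name, or for a wildcard pattern (*, ?, +) that
// would match at least one of the probe handler names (heuristic).
function matchesHandler(name) {
  if (!/[*?+]/.test(name)) return /^on[a-z]+$/.test(name);
  const escaped = name.replace(/[.\\^$()|{}\[\]-]/g, '\\$&');
  const re = new RegExp('^' + escaped.replace(/[*?+]/g,
    ch => ({ '*': '.*', '?': '.', '+': '.+' })[ch]) + '$');
  return PROBES.some(p => re.test(p));
}

// Returns one { element, attr } finding per allowed handler attribute.
function findEventHandlerAttrs(ruleString) {
  const findings = [];
  for (const rule of ruleString.split(',')) {
    const m = /^\s*[#+-]?([^\[\]]+)(?:\[([^\]]*)\])?\s*$/.exec(rule);
    if (!m || !m[2]) continue; // empty rule, or element with no attribute list
    const handlers = attrNames(m[2]).filter(matchesHandler);
    for (const element of m[1].split('/').map(e => e.trim())) {
      for (const attr of handlers) findings.push({ element, attr });
    }
  }
  return findings;
}

// Constructed sample: a shortened form of the img rule quoted above, plus two
// made-up rules that exercise the wildcard handling.
const sample = 'img[id|class|src|alt=|onmouseover|onmouseout],' +
  'a[!href|target<_blank?_self|on*],span[data-*]';
console.log(findEventHandlerAttrs(sample));
```

Run against the value of $init['extended_valid_elements'] after all tiny_mce_before_init filters have applied, this shows what a plugin has added on top of the default rules.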