[wp-trac] [WordPress Trac] #27858: Bug HTML onmouseover and onmouseout
WordPress Trac
noreply at wordpress.org
Fri Aug 1 18:54:27 UTC 2014
#27858: Bug HTML onmouseover and onmouseout
--------------------------+-------------------------
 Reporter:  TTBoS         |       Owner:
     Type:  defect (bug)  |      Status:  reopened
 Priority:  normal        |   Milestone:  4.0
Component:  TinyMCE       |     Version:  3.9
 Severity:  normal        |  Resolution:
 Keywords:                |     Focuses:  javascript
--------------------------+-------------------------
Comment (by adamsilverstein):
If these are already stripped in 3.9 it seems reasonable to leave it in -
especially considering how easy it is to filter.
Sounds like won't fix, I leave that in your capable hands :)
Replying to [comment:21 azaozz]:
> Considering the security aspect, I'm starting to think this should be
> "plugin material". Two reasons:
> - These attributes are currently disabled (in 3.9).
> - Legitimate uses seem very rare.
>
> I've only heard of two use cases:
> - Rollover images that can probably be done from CSS or from a dedicated
>   plugin that handles the `onmouseover` storing/restoring on
>   `editor.on('BeforeSetContent', ...)` and `editor.on('GetContent', ...)`.
> - Capture clicks on links for SEO that should probably be handled
>   "globally" from a dedicated script.
>
> > I wonder if there's something that could also be done upstream to make
> > this less "kludgy" on our end.
>
> Yeah, talked to the TinyMCE developers about that too. There is a
> private method in MCE that can add more "valid attributes" to any tag in
> the schema, would take some work to make it into a public method. Seems it
> would be worth it, will submit a patch.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/27858#comment:22>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
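
The store-and-restore approach the quoted comment describes for rollover images, as an added example that is not part of the original message and is not WordPress or TinyMCE code: handlers on `<img>` tags are parked under an inert `data-` name while content is in the editor and put back when it is read out. The helper names and the `data-stash-` prefix are hypothetical, and it assumes `data-` attributes pass the editor's schema.

```javascript
// Added example: every name here is constructed, none is WordPress or TinyMCE code.
const HANDLERS = new Set(['onmouseover', 'onmouseout']); // the two attributes in the ticket
const PREFIX = 'data-stash-';                            // hypothetical inert holding prefix

// A whole <img> tag, quote-aware so a ">" inside an attribute value does not end it.
const IMG_TAG = /<img\b(?:"[^"]*"|'[^']*'|[^>"'])*>/gi;
// One attribute: leading space, name, then an optional value (quoted or bare).
const ATTR = /(\s+)([^\s=>\/"']+)((?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>"']+))?)/g;

// Rename attributes on <img> tags only. Values are consumed whole, so text that
// merely looks like an attribute inside a value is never rewritten.
function renameImgAttrs(html, rename) {
  return html.replace(IMG_TAG, tag =>
    tag.replace(ATTR, (m, space, name, rest) => space + rename(name.toLowerCase(), name) + rest));
}

// Before the editor parses content: park the handlers under a data- name.
function stash(html) {
  return renameImgAttrs(html, (lower, name) => (HANDLERS.has(lower) ? PREFIX + lower : name));
}

// When content leaves the editor: bring back only the allowlisted handlers.
function restore(html) {
  return renameImgAttrs(html, (lower, name) => {
    const original = lower.startsWith(PREFIX) ? lower.slice(PREFIX.length) : '';
    return HANDLERS.has(original) ? original : name;
  });
}

// Hook the two events named in the comment; `editor` only needs an on() method.
function attach(editor) {
  editor.on('BeforeSetContent', e => { e.content = stash(e.content); });
  editor.on('GetContent', e => { e.content = restore(e.content); });
}
```

Handlers on any other tag, and stashed names outside the two-entry allowlist, are left exactly as they arrived.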