[wp-trac] [WordPress Trac] #30920: Add support for JavaScript templates (Underscore) to wp_kses()
WordPress Trac
noreply at wordpress.org
Tue Jan 6 14:10:50 UTC 2015
#30920: Add support for JavaScript templates (Underscore) to wp_kses()
---------------------------+------------------------------
Reporter: stevegrunwell | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Formatting | Version: trunk
Severity: normal | Resolution:
Keywords: has-patch | Focuses: template
---------------------------+------------------------------
Changes (by stevegrunwell):
* keywords: => has-patch
Comment:
@dd32, that's a very good point - the instances where JavaScript templates
should be user provided (without at least requiring some extra work on the
part of the developer) are slim to nil (hence why I wrote this as a
separate function rather than build it into the main `wp_kses()`). Even if
third-party plugins are able to filter templates and thus potentially make
them evil before they're displayed, that would be the result of a
third-party plugin that the user has installed on his/her WordPress site.

The behavior of `wp_kses()` still seems broken when it's handed an
Underscore template, however. Do you think a simple `str_replace()` for
Underscore template tags (`<%`, `<%=`, `<%-`, and `%>`, probably including
trailing/leading spaces on opening/closing tags, respectively, but I would
need to confirm with the Underscore parser rules on spacing) would
suffice? Using the example in the original ticket, the expected output
would then be a harmless `<div id="post-ID">title</div>`, which should
prevent any parsers from breaking.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/30920#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
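
An added example, not part of the original message or of the ticket's patch: the delimiter stripping proposed in the comment, sketched in PHP next to a plain `str_replace()` whose search order matters. The function names, the sample template, and the choice to trim whitespace next to the delimiters are assumptions made for illustration.

```php
<?php
/**
 * Hypothetical helper (not WordPress core): remove Underscore template
 * delimiters so an HTML sanitizer such as wp_kses() sees plain markup.
 */
function strip_underscore_delimiters( $template ) {
    // Opening tags "<%=", "<%-" or "<%", plus whitespace that follows.
    // The optional [=-] is part of the same pattern, so "<%=" is removed
    // as a unit and never reduced to a stray "=".
    $template = preg_replace( '/<%[=-]?\s*/', '', $template );

    // Closing tag "%>", plus whitespace that precedes it.
    return preg_replace( '/\s*%>/', '', $template );
}

/**
 * Naive variant for comparison: str_replace() applies its search strings
 * in array order, so "<%" is consumed first and the "=" / "-" markers
 * (and the inner spaces) are left behind in the markup.
 */
function strip_underscore_delimiters_naive( $template ) {
    return str_replace( array( '<%', '<%=', '<%-', '%>' ), '', $template );
}

// Constructed sample input, assumed to resemble the ticket's example.
$template = '<div id="post-<%= ID %>"><%- title %></div>';

echo strip_underscore_delimiters( $template ), "\n";
// <div id="post-ID">title</div>

echo strip_underscore_delimiters_naive( $template ), "\n";
// <div id="post-= ID ">- title </div>
```

Stripping only removes the delimiters: the contents of an evaluate block such as `<% if ( x ) { %>` stay in the output as literal text, so the result is suitable for sanitizing or validating markup, not for rendering.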