[wp-trac] [WordPress Trac] #38609: REST API should honor the `unfiltered_html` capability
WordPress Trac
noreply at wordpress.org
Tue Nov 1 18:07:07 UTC 2016
#38609: REST API should honor the `unfiltered_html` capability
--------------------------+-----------------------------
Reporter: jnylen0 | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: REST API | Version: trunk
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
Migrated from https://github.com/WP-API/WP-API/issues/2787, comments
paraphrased from @rachelbacker @kadamwhite and @rmccue.
----
Match WordPress Core's logic when users with the unfiltered_html
capability are creating/updating Posts or Comments
* For Posts: Core removes the appropriate `kses` filter from sanitizing
`post_content` and `post_title`.
* For Comments: Core changes the active `kses` filter used for sanitizing
`comment_content` to `wp_filter_post_kses()`.
See the `kses_init()` function in WP Core for the complete logic.
----
Per discussion in [https://wordpress.slack.com/archives/core-
restapi/p1476713547007670 2016-10-17 API team chat], the API should honor
`unfiltered_html`; proposed next steps:
1. Let's take a look at introducing a new function into core that checks
`unfiltered_html` and sanitizes the input appropriately, and this could be
used in core rather than the `remove_filter` craziness. This depends on
back-compat as to whether core can use it, but is a good path forward.
2. Let's also switch our behaviour ASAP, then use core's behaviour if/when
it exists.
----
This also came up again in [https://wordpress.slack.com/archives/core-
restapi/p1478010982010432 recent Slack discussion] regarding inserting
`data:` URIs, which requires `unfiltered_html`.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/38609>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list