[wp-trac] [WordPress Trac] #33121: wp_kses_attr_check fails to process html data-* attributes
WordPress Trac
noreply at wordpress.org
Fri Oct 12 13:26:46 UTC 2018
#33121: wp_kses_attr_check fails to process html data-* attributes
--------------------------------------+-----------------------
Reporter: isoftware | Owner: (none)
Type: defect (bug) | Status: reopened
Priority: normal | Milestone: 5.0
Component: Editor | Version: 4.2.3
Severity: major | Resolution:
Keywords: has-patch has-unit-tests | Focuses:
--------------------------------------+-----------------------
Comment (by azaozz):
Thinking more about this, a "middle point" between the two approaches
would be to tweak `_wp_add_global_attributes()` so it can return just the
array of `$global_attributes`. Then check the prefix against it. That way
only hard-coded wildcard attributes will be allowed. (That would still
require sanity checking/security auditing of all `aria-*` attributes if we
decide to add them.)
--
Ticket URL: <https://core.trac.wordpress.org/ticket/33121#comment:20>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list