[wp-trac] [WordPress Trac] #45067: Add CSS URL sanitization to kses.
WordPress Trac
noreply at wordpress.org
Tue Oct 16 11:51:41 UTC 2018
#45067: Add CSS URL sanitization to kses.
--------------------------------------+---------------------
Reporter: peterwilsoncc | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: 5.0
Component: Editor | Version:
Severity: normal | Resolution:
Keywords: has-patch has-unit-tests | Focuses:
--------------------------------------+---------------------
Comment (by azaozz):
Replying to [comment:10 peterwilsoncc]:
> `[[gallery]]` is a valid relative URL
Hmmm, looking at https://tools.ietf.org/html/rfc3986#section-2.2 `[` and
`]` seem "reserved" as "general delimiters", together with `:`, `/`, `?`,
`@`, and `#`. So for `[[gallery]]` to be a valid relative URL the `[` and
`]` will have to be urlencoded, or if they are used as delimiters, they
will have to be after `?` char?
> It looks like it is getting stripped in `do_shortcodes_in_html_tags()`...
Ugh, shortcodes again!! :(
Yeah, we do a lot of sanitization for all kinds of weird uses of
shortcodes, will try to figure out what's going on there.
This actually brings a valid question: do we want to support shortcodes in
style attributes for users without `unfiltered_html`? Currently they are
not supported and seems we should keep it that way.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/45067#comment:12>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
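
An added illustration of the RFC 3986 question raised in this comment (not code from the ticket, its patch, or WordPress core): a strict check of a string against the RFC 3986 `relative-ref` grammar, leaving out the `//authority` form. The function names and sample strings are constructed for this example.

```python
import re

# RFC 3986 character classes (sections 2.2, 2.3, 3.3) as regex fragments.
UNRESERVED = r"A-Za-z0-9\-._~"
SUB_DELIMS = r"!$&'()*+,;="
PCT = r"%[0-9A-Fa-f]{2}"                        # pct-encoded
PCHAR = rf"(?:[{UNRESERVED}{SUB_DELIMS}:@]|{PCT})"
# The first segment of a path-noscheme may not contain ":",
# otherwise it would parse as a scheme.
SEG_NZ_NC = rf"(?:[{UNRESERVED}{SUB_DELIMS}@]|{PCT})+"

# path-absolute / path-noscheme / path-empty.
# Network-path references ("//host/...") are out of scope here.
PATH = rf"(?:/(?:{PCHAR}+(?:/{PCHAR}*)*)?|{SEG_NZ_NC}(?:/{PCHAR}*)*|)"
# query and fragment share the same production: *( pchar / "/" / "?" )
QF = rf"(?:{PCHAR}|[/?])*"
RELATIVE_REF = re.compile(rf"{PATH}(?:\?{QF})?(?:#{QF})?")


def is_relative_ref(candidate: str) -> bool:
    """True if candidate matches the strict RFC 3986 relative-ref grammar."""
    return RELATIVE_REF.fullmatch(candidate) is not None


def encode_brackets(candidate: str) -> str:
    """Percent-encode the gen-delims "[" and "]" so they become plain data."""
    return candidate.replace("[", "%5B").replace("]", "%5D")


if __name__ == "__main__":
    # Constructed samples: the string from the ticket discussion, its
    # percent-encoded form, and brackets placed after "?".
    samples = [
        "[[gallery]]",
        encode_brackets("[[gallery]]"),
        "images/bg.png?ids=[1,2]",
        "images/bg.png?ids=%5B1,2%5D",
    ]
    for sample in samples:
        print(f"{sample!r}: {is_relative_ref(sample)}")
```

In the RFC 3986 grammar, unencoded `[` and `]` appear only in the `IP-literal` host production, so the strict check rejects them in the path, query and fragment alike.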