[wp-trac] [WordPress Trac] #45067: Add CSS URL sanitization to kses.
WordPress Trac
noreply at wordpress.org
Tue Oct 16 15:39:29 UTC 2018
#45067: Add CSS URL sanitization to kses.
--------------------------------------+---------------------
Reporter: peterwilsoncc | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: 5.0
Component: Editor | Version:
Severity: normal | Resolution:
Keywords: has-patch has-unit-tests | Focuses:
--------------------------------------+---------------------
Comment (by azaozz):
Replying to [comment:11 peterwilsoncc]:
> It looks like it is getting stripped in `do_shortcodes_in_html_tags()`
Right, think I figured it out. It is in `do_shortcodes_in_html_tags()` at
https://core.trac.wordpress.org/browser/branches/5.0/src/wp-
includes/shortcodes.php#L415.
The first thing `do_shortcode_tag()` (from `preg_replace_callback(
"/$pattern/", 'do_shortcode_tag', $attr, -1, $count );`) does is to check
if the shortcode was "escaped" by using `[[` and `]]`. If it is, it strips
the extra `[` and `]` and returns the remaining shortcode without
executing the callback for it. Then the shortcode output is additionally
filtered with `wp_kses_one_attr( $new_attr, $elname );`.
The failing test is for escaped shortcode `[[gallery]]`, so the expected
behavior is to get `[gallery]` back. That's what happens, however until
now the whole `background:url([gallery])` was stripped by
`safecss_filter_attr()`, and because of
{{{
if ( '' !== trim( $new_attr ) ) {
// The shortcode is safe to use now.
$attr = $new_attr;
}
}}}
the `$attr` remained unchanged (it's safe as it already has passed through
kses when saving) and no shortcode is "executed".
After the patch here we keep `background:url(*)` which is replaced in the
above code and shows as test error when in fact is the proper output.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/45067#comment:13>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list