[wp-trac] [WordPress Trac] #61719: WP_HTML_Tag_Processor doesn't allow to set a valid image src

WordPress Trac noreply at wordpress.org
Fri Aug 2 23:58:42 UTC 2024


#61719: WP_HTML_Tag_Processor doesn't allow to set a valid image src
------------------------------------+-----------------------
 Reporter:  ivanzhuck               |       Owner:  dmsnell
     Type:  defect (bug)            |      Status:  reopened
 Priority:  normal                  |   Milestone:  6.6.2
Component:  HTML API                |     Version:  6.6
 Severity:  normal                  |  Resolution:
 Keywords:  has-patch dev-feedback  |     Focuses:
------------------------------------+-----------------------

Comment (by dmsnell):

 @ivanzhuck that's correct, but as of now it's relying on WordPress' own
 sanitization. The plan is to improve that sanitization with time, but I
 believe that this is no worse than running this code, or am I missing
 something?

 {{{#!php
 <?php

 echo '<img src="' . esc_url( $data_uri ) . '">';
 }}}

 Eventually there will be a split between something like a
 `HTML_Tag_Processor`/`HTML_Processor` and
 `WP_HTML_Tag_Processor`/`WP_HTML_Processor` will become subclasses of
 those, which apply WordPress' own rules. Or maybe we'll be able to fix
 `kses` to ensure safe data URIs.

 The overarching goal leading to the delayed //full support// is ensuring
 that the default behaviors are safe. Today that's done by running the
 attributes through WordPress' sanitization.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/61719#comment:13>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
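
The comment above raises the idea of fixing kses "to ensure safe data URIs". The following is an added example, not code from the ticket or from WordPress, of one shape such a check could take for image sources: an allowlist of raster MIME types, mandatory base64, and a content-signature match. The function name, the allowlist and the sample URIs are assumptions constructed for illustration.

```php
<?php
// Hypothetical helper, not a WordPress function: accept only base64 data URIs
// whose declared type is on a raster-image allowlist and whose decoded bytes
// start with that format's signature.
function example_is_safe_image_data_uri( string $uri ): bool {
    // Leading bytes each allowed MIME type must start with.
    $signatures = array(
        'image/png'  => "\x89PNG\r\n\x1a\n",
        'image/jpeg' => "\xFF\xD8\xFF",
        'image/gif'  => 'GIF8',
    );

    // Anchored match: data:<mime>;base64,<payload>, no parameters, no whitespace.
    if ( ! preg_match( '~\Adata:([a-z]+/[a-z0-9.+-]+);base64,([A-Za-z0-9+/]+={0,2})\z~', $uri, $m ) ) {
        return false; // Also taken when PCRE itself fails, so the check fails closed.
    }
    list( , $mime, $payload ) = $m;

    // image/svg+xml (an active document format) and text/html are not on the list.
    if ( ! isset( $signatures[ $mime ] ) ) {
        return false;
    }

    // Strict mode rejects anything outside the base64 alphabet.
    $bytes = base64_decode( $payload, true );
    if ( false === $bytes ) {
        return false;
    }

    // The declared type must agree with the actual content.
    return 0 === strncmp( $bytes, $signatures[ $mime ], strlen( $signatures[ $mime ] ) );
}

// Constructed sample inputs, built inline so the script runs offline.
$samples = array(
    'png'       => 'data:image/png;base64,' . base64_encode( "\x89PNG\r\n\x1a\n" . 'constructed' ),
    'svg'       => 'data:image/svg+xml;base64,' . base64_encode( '<svg xmlns="http://www.w3.org/2000/svg"/>' ),
    'html'      => 'data:text/html;base64,' . base64_encode( '<p>constructed</p>' ),
    'mislabel'  => 'data:image/png;base64,' . base64_encode( '<p>constructed</p>' ),
    'unencoded' => 'data:image/gif,GIF89a',
);

foreach ( $samples as $label => $uri ) {
    printf( "%-9s %s\n", $label, example_is_safe_image_data_uri( $uri ) ? 'accept' : 'reject' );
}
```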

