[wp-trac] [WordPress Trac] #61719: WP_HTML_Tag_Processor doesn't allow to set a valid image src
WordPress Trac
noreply at wordpress.org
Fri Aug 2 23:58:42 UTC 2024
#61719: WP_HTML_Tag_Processor doesn't allow to set a valid image src
------------------------------------+-----------------------
Reporter: ivanzhuck | Owner: dmsnell
Type: defect (bug) | Status: reopened
Priority: normal | Milestone: 6.6.2
Component: HTML API | Version: 6.6
Severity: normal | Resolution:
Keywords: has-patch dev-feedback | Focuses:
------------------------------------+-----------------------
Comment (by dmsnell):
@ivanzhuck that's correct, but as of now it's relying on WordPress' own
sanitization. The plan is to improve that sanitization with time, but I
believe that this is no worse than running this code, or am I missing
something?
{{{#!php
<?php
echo '<img src="' . esc_url( $data_uri ) . '">';
}}}
Eventually there will be a split between something like a
`HTML_Tag_Processor`/`HTML_Processor` and
`WP_HTML_Tag_Processor`/`WP_HTML_Processor` will become subclasses of
those, which apply WordPress' own rules. Or maybe we'll be able to fix
`kses` to ensure safe data URIs.
The overarching goal leading to the delayed //full support// is ensuring
that the default behaviors are safe. Today that's done by running the
attributes through WordPress' sanitization.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/61719#comment:13>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
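
The comment above mentions fixing `kses` "to ensure safe data URIs". As an added example (not WordPress core code and not taken from the ticket), here is one possible shape for such a check on an `<img src>` value: a strict allowlist of raster image types whose decoded bytes must match the declared type. The function name, the constants, the MIME allowlist and the size cap are all assumptions made for illustration.

```php
<?php
// Added illustration; not WordPress core code. Names and limits are assumptions.
const EXAMPLE_MAX_DATA_URI_BYTES = 65536; // assumed cap on the encoded URI

// Allowlisted raster types and the signatures a decoded payload may start with.
// image/svg+xml is left out on purpose: SVG is an active document format.
const EXAMPLE_IMAGE_SIGNATURES = array(
	'image/png'  => array( "\x89PNG\r\n\x1a\n" ),
	'image/jpeg' => array( "\xFF\xD8\xFF" ),
	'image/gif'  => array( 'GIF87a', 'GIF89a' ),
);

function example_is_safe_image_data_uri( string $uri ): bool {
	if ( strlen( $uri ) > EXAMPLE_MAX_DATA_URI_BYTES ) {
		return false;
	}
	// Exactly "data:<type>;base64,<payload>": no charset or other parameters.
	if ( ! preg_match( '~^data:([a-z]+/[a-z0-9.+-]+);base64,([A-Za-z0-9+/]+={0,2})$~Di', $uri, $m ) ) {
		return false;
	}
	$signatures = EXAMPLE_IMAGE_SIGNATURES[ strtolower( $m[1] ) ] ?? array();
	$bytes      = base64_decode( $m[2], true ); // strict mode rejects stray characters
	if ( false === $bytes ) {
		return false;
	}
	// The declared type must agree with the leading bytes of the payload.
	// This checks the header only; it is not full image validation.
	foreach ( $signatures as $signature ) {
		if ( 0 === strncmp( $bytes, $signature, strlen( $signature ) ) ) {
			return true;
		}
	}
	return false;
}

// Constructed samples: a GIF header plus padding bytes, not a real image.
$gif     = base64_encode( 'GIF89a' . str_repeat( "\0", 8 ) );
$samples = array(
	'data:image/gif;base64,' . $gif,                        // GIF header, GIF type
	'data:image/png;base64,' . $gif,                        // declared type differs from bytes
	'data:image/svg+xml;base64,' . base64_encode( '<svg xmlns="http://www.w3.org/2000/svg"/>' ),
	'data:text/html;base64,' . base64_encode( '<p>x</p>' ), // not an image type
	'data:image/gif,GIF89a',                                // not base64 encoded
);
foreach ( $samples as $sample ) {
	$ok = example_is_safe_image_data_uri( $sample );
	printf( "%-5s %s\n", var_export( $ok, true ), substr( $sample, 0, 40 ) );
}
```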