[wp-trac] [WordPress Trac] #43215: Allow wp_kses to pass allowed CSS properties
WordPress Trac
noreply at wordpress.org
Fri Jul 12 17:43:33 UTC 2024
#43215: Allow wp_kses to pass allowed CSS properties
-----------------------------+------------------------------
Reporter: mclaurent | Owner: (none)
Type: feature request | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 4.9.2
Severity: normal | Resolution:
Keywords: | Focuses:
-----------------------------+------------------------------
Comment (by josephcscot):
It seems that currently the only way to allow the "style" attribute from
showing is to write a filter for "safe_style_css" to add in the "display"
and "visibility" attributes, however this means that we are globally
altering this behavior, which in other scenarios would allow unexpected
HTML to appear (ie unsafe element properties). Even when removing the
items immediately after executing the code will not work because the
attribute may in the future be consider secure. This then causes an
inconsistent execution.
For example, imagine that if we wanted to make sure the "float" attribute
was allowed in the attribute value. Currently this value is allowed, so us
adding it in won't change the array. However when we're then undoing our
action (ie removing the "float" attribute from the list of allowed
attributes, we are actually removing one that was set as "safe" by
WordPress themselves. It is easy to imaging how this could escalate
further, when plugins blanket whitelist element attributes, then remove
them from the list, then meaning that no attributes are allowed.
Alternatively, in this same example if we removed our filter (with
remove_filter) right after our wp_kses call, it would mean that our
attribute whitelist would apply to all HTML attributes (display,
visibility,...) and not only the one we would want to whitelist (style).
--
Ticket URL: <https://core.trac.wordpress.org/ticket/43215#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list