[wp-trac] [WordPress Trac] #43215: Allow wp_kses to pass allowed CSS properties

WordPress Trac noreply at wordpress.org
Fri Jul 12 17:43:33 UTC 2024 

#43215: Allow wp_kses to pass allowed CSS properties
-----------------------------+------------------------------
 Reporter:  mclaurent        |       Owner:  (none)
     Type:  feature request  |      Status:  new
 Priority:  normal           |   Milestone:  Awaiting Review
Component:  Security         |     Version:  4.9.2
 Severity:  normal           |  Resolution:
 Keywords:                   |     Focuses:
-----------------------------+------------------------------

Comment (by josephcscot):

 It seems that currently the only way to allow the "style" attribute from
 showing is to write a filter for "safe_style_css" to add in the "display"
 and "visibility" attributes, however this means that we are globally
 altering this behavior, which in other scenarios would allow unexpected
 HTML to appear (ie unsafe element properties). Even when removing the
 items immediately after executing the code will not work because the
 attribute may in the future be consider secure. This then causes an
 inconsistent execution.
 For example, imagine that if we wanted to make sure the "float" attribute
 was allowed in the attribute value. Currently this value is allowed, so us
 adding it in won't change the array. However when we're then undoing our
 action (ie removing the "float" attribute from the list of allowed
 attributes, we are actually removing one that was set as "safe" by
 WordPress themselves. It is easy to imaging how this could escalate
 further, when plugins blanket whitelist element attributes, then remove
 them from the list, then meaning that no attributes are allowed.
 Alternatively, in this same example if we removed our filter (with
 remove_filter) right after our wp_kses call, it would mean that our
 attribute whitelist would apply to all HTML attributes (display,
 visibility,...) and not only the one we would want to whitelist (style).

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/43215#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list