[wp-trac] [WordPress Trac] #61052: WP_KSES data attributes: Allow double dash
WordPress Trac
noreply at wordpress.org
Tue May 21 15:40:57 UTC 2024
#61052: WP_KSES data attributes: Allow double dash
----------------------------------------------------+---------------------
Reporter: cbravobernal | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: 6.6
Component: Security | Version: 6.5
Severity: normal | Resolution:
Keywords: has-patch has-unit-tests needs-testing | Focuses:
----------------------------------------------------+---------------------
Comment (by jonsurrell):
I checked into some history about why double dashes (or other characters)
are not allowed in data attributes. The change landed in r43981 and was
discussed in #33121, especially starting
[https://core.trac.wordpress.org/ticket/33121#comment:16 after this
comment]:
> > This (two hyphens or end hyphen) is true but it does some strange
things to the `element.dataset` property available in JavaScript
> Good point. Lets not allow it :)
The reasoning does not seem to be related to any security issues, but more
around the potential for strange behavior when accessed via
[https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement/dataset
dataset] thanks to its automatic dash-style to camelCase conversion.
Given the immediate need to allow double-dashes, the history, and the fact
that more restrictive data attribute handling does not seem to have been
an issue, I'd try to move ahead with a minimal PR that just allows
leading, trailing, or double-dashes.
Ping @azaozz and @peterwilsoncc as the folks involved in the original data
attributes with `--` decision.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/61052#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list