Commit Graph

256 Commits

Author SHA1 Message Date
dmsnell
9c25b9d9b8 KSES: Fix tests and detection of HTML Bogus Comment spans.
In [58418] a test was added without the `test_` prefix in its function
name, and because of that, it wasn't run in the test suite.
The prefix has been added to ensure that it runs.

In the original patch, due to a logical bug, a recursive loop to
transform the inside contents of the bogus comments was never run
more than once. This has been fixed.

This patch also includes one more case where `kses` wasn't
properly detecting the bogus comment state, and adds a test case
to cover this. It limits itself to some but not all constructions
of invalid markup declaration so that it doesn't conflict with
existing behaviors around those and other kinds of invalid comments.

Props ellatrix, dmsnell.
See #61009.
Follow-up to [58418].

Built from https://develop.svn.wordpress.org/trunk@58424


git-svn-id: http://core.svn.wordpress.org/trunk@57873 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2024-06-17 12:04:12 +00:00
dmsnell
9ccb882ff0 KSES: Preserve some additional invalid HTML comment syntaxes.
When `wp_kses_split` processes a document it attempts to leave HTML comments
alone. It makes minor adjustments, but leaves the comments in the document in
its output. Unfortunately it only recognizes one kind of HTML comment and
rejects many others.

This patch makes a minor adjustment to the algorithm in `wp_kses_split` to
recognize and preserve an additional kind of HTML comment: closing tags with
an invalid tag name, e.g. `</%dolly>`.

These invalid closing tags must be interpreted as comments by a browser.
This bug fix aligns the implementation of `wp_kses_split()` more closely
with its stated goal of leaving HTML comments as comments.

It doesn't attempt to fully fix the mis-parsed comments, but it does propose a
minor fix that hopefully won't break any existing code or projects.

Developed in https://github.com/WordPress/wordpress-develop/pull/6395
Discussed in https://core.trac.wordpress.org/ticket/61009

Props ellatrix, dmsnell, joemcgill, jorbin, westonruter, zieladam.
See #61009.

Built from https://develop.svn.wordpress.org/trunk@58418


git-svn-id: http://core.svn.wordpress.org/trunk@57867 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2024-06-15 06:33:13 +00:00
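The two KSES commits above both turn on one question: which `<...>` spans does a browser treat as a comment rather than a tag? The following PHP (8.0+, for `str_starts_with()`) is an added example written for this page, not code from WordPress: it applies the WHATWG tokenizer's rules for the byte after `<` and shows the comment data a browser would record, so a sanitizer author can see why `</%dolly>` must be preserved as a comment. The function names and the sample document are my own.

```php
<?php
declare(strict_types=1);

/**
 * Classify a span that begins with "<" the way the WHATWG HTML tokenizer does
 * (tag open, end tag open and markup declaration open states). Illustration
 * only, not WordPress code.
 *
 * Returns 'comment', 'bogus-comment', 'doctype', 'cdata', 'start-tag',
 * 'end-tag', 'dropped' (for "</>", which emits nothing) or 'text'.
 */
function classify_markup_span(string $span): string
{
    if ($span === '' || $span[0] !== '<' || strlen($span) < 2) {
        return 'text'; // a lone "<" is character data
    }
    $second = $span[1];
    if ($second === '!') {
        if (str_starts_with($span, '<!--')) {
            return 'comment';
        }
        if (strncasecmp($span, '<!DOCTYPE', 9) === 0) {
            return 'doctype';
        }
        if (str_starts_with($span, '<![CDATA[')) {
            return 'cdata'; // only honoured inside foreign (SVG/MathML) content
        }
        return 'bogus-comment'; // "<!foo>", "<!-x>"
    }
    if ($second === '?') {
        return 'bogus-comment'; // "<?xml ...?>" and "<?php ...?>" are comments to a browser
    }
    if ($second === '/') {
        if (strlen($span) < 3) {
            return 'text'; // "</" at end of input is literal text
        }
        $third = $span[2];
        if (preg_match('/^[A-Za-z]$/', $third) === 1) {
            return 'end-tag';
        }
        if ($third === '>') {
            return 'dropped';
        }
        return 'bogus-comment'; // "</%dolly>" becomes the comment "%dolly"
    }
    if (preg_match('/^[A-Za-z]$/', $second) === 1) {
        return 'start-tag';
    }
    return 'text'; // "< 3", "<3" and similar are literal less-than signs
}

/** Comment data a browser would record for a bogus comment span, or null. */
function bogus_comment_data(string $span): ?string
{
    if (classify_markup_span($span) !== 'bogus-comment') {
        return null;
    }
    // After "<?" the "?" stays in the data; after "<!" and "</" the second byte does not.
    $start = $span[1] === '?' ? 1 : 2;
    $end   = str_ends_with($span, '>') ? strlen($span) - 1 : strlen($span);
    return substr($span, $start, $end - $start);
}

/**
 * Split a document into [kind, span] pairs. The regex follows the idea behind
 * wp_kses_split(): a "<!--" comment runs to "-->", anything else starting with
 * "<" runs to the next ">", and the rest is text.
 */
function split_markup(string $html): array
{
    preg_match_all('/<!--.*?(?:-->|$)|<[^>]*(?:>|$)|[^<]+/s', $html, $matches);
    $pieces = [];
    foreach ($matches[0] as $span) {
        $pieces[] = [classify_markup_span($span), $span];
    }
    return $pieces;
}

// Constructed sample input covering each of the cases above.
$sample = '<p>Hi</p><!-- ok --></%dolly><!bogus><?xml v?><img src=x onerror=alert(1)></>';
foreach (split_markup($sample) as [$kind, $span]) {
    $data = bogus_comment_data($span);
    printf("%-14s %s%s\n", $kind, $span, $data === null ? '' : "  (comment data: $data)");
}
```

Run it and the three bogus-comment spans come out with data `%dolly`, `bogus` and `?xml v?`, while the `<img>` tag is classified as a start tag that a sanitizer must actually inspect. The splitting regex shares the limitation the commit message admits to: abruptly closed comments such as `<!-->` and `<!--->`, which browsers treat as complete empty comments, are not recognised and swallow the text that follows them. A sanitizer that tokenizes differently from the browser is a parser differential, which is why KSES is being nudged toward the spec here.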
oandregal
43dd91cdc6 Editor: code quality improvements for theme.json migrate API
Backports https://github.com/WordPress/gutenberg/pull/62305

Follow-up to [58328], #61282.

Props ajlende, oandregal, ramonopoly, mukesh27.
Fixes #61282.

Built from https://develop.svn.wordpress.org/trunk@58354


git-svn-id: http://core.svn.wordpress.org/trunk@57806 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2024-06-06 08:02:16 +00:00
dmsnell
5af7587e2b KSES: Allow leading trailing double hyphen in data attributes
Expand allowable set of custom data attribute names to include those containing
leading, trailing, and double `-` characters. Previously, WordPress was
removing data attributes that are used in the Interactivity API. By allowing
these additional custom data attributes, the related Interactivity API
directives will preserve through `kses`.

For example, the Interactivity API frequently relies on custom data attributes
such as `data-wp-on--click="..."`. The change in [43981] would strip these out
of the processed HTML, however.

Developed in https://github.com/WordPress/wordpress-develop/pull/6598
Discussed in https://core.trac.wordpress.org/ticket/61052

Props cbravobernal, dmsnell, gziolo, jonsurrell.
Follow-up to [43981].
Fixes #61052.

Built from https://develop.svn.wordpress.org/trunk@58294


git-svn-id: http://core.svn.wordpress.org/trunk@57754 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2024-06-03 13:26:09 +00:00
Sergey Biryukov
991a96b968 Docs: Add a @since note for the changes to safecss_filter_attr() in WP 6.6.
Follow-up to [58170].

See #61111.
Built from https://develop.svn.wordpress.org/trunk@58196


git-svn-id: http://core.svn.wordpress.org/trunk@57659 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2024-05-24 09:49:07 +00:00
isabel_brison
ab8cc6dce3 Editor: add column and row spans to grid children.
Adds support for setting spans using `grid-column` and `grid-row` properties on children of blocks with grid layout.

Props isabel_brison, andrewserong, peterwilsoncc, mukesh27.
Fixes #61111.

Built from https://develop.svn.wordpress.org/trunk@58170


git-svn-id: http://core.svn.wordpress.org/trunk@57633 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2024-05-18 20:32:17 +00:00
Sergey Biryukov
ae1c461ed5 KSES: Add background-repeat to the list of safe CSS properties.
Follow-up to [45242], [46235].

Props andrewserong, ramonopoly, mukesh27.
Fixes #60132.
Built from https://develop.svn.wordpress.org/trunk@57228


git-svn-id: http://core.svn.wordpress.org/trunk@56734 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-12-26 14:24:21 +00:00
Sergey Biryukov
522656ed2b Coding Standards: Remove unnecessary ignore annotations in dbDelta().
It is perfectly possible to write a commented regex with layout for readability by using the `x` modifier.

As per the manual:
> x (`PCRE_EXTENDED`)
>
> If this modifier is set, whitespace data characters in the pattern are totally ignored except when escaped or inside a character class, and characters between an unescaped # outside a character class and the next newline character, inclusive, are also ignored. This is equivalent to Perl's /x modifier, and makes it possible to include commentary inside complicated patterns.
>
> Note, however, that this applies only to data characters. Whitespace characters may never appear within special character sequences in a pattern, for example within the sequence (?( which introduces a conditional subpattern.

Reference: [https://www.php.net/manual/en/reference.pcre.pattern.modifiers.php PHP Manual: Pattern Modifiers].

This commit rewrites these two regexes to use the `x` modifier and gets rid of the unnecessary `phpcs:disable` comments.

The tests in the `tests/phpunit/tests/db/dbDelta.php` file cover this change.

Follow-up to [42249].

Props jrf.
See #59650.
Built from https://develop.svn.wordpress.org/trunk@57061


git-svn-id: http://core.svn.wordpress.org/trunk@56572 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-11-04 00:26:20 +00:00
Sergey Biryukov
0768c65310 Coding Standards: Remove unnecessary ignore annotation in wp_kses_hair_parse().
It is perfectly possible to write a commented regex with layout for readability by using the `x` modifier.

As per the manual:
> x (`PCRE_EXTENDED`)
>
> If this modifier is set, whitespace data characters in the pattern are totally ignored except when escaped or inside a character class, and characters between an unescaped # outside a character class and the next newline character, inclusive, are also ignored. This is equivalent to Perl's /x modifier, and makes it possible to include commentary inside complicated patterns.
>
> Note, however, that this applies only to data characters. Whitespace characters may never appear within special character sequences in a pattern, for example within the sequence (?( which introduces a conditional subpattern.

Reference: [https://www.php.net/manual/en/reference.pcre.pattern.modifiers.php PHP Manual: Pattern Modifiers].

This commit rewrites these two regexes to use the `x` modifier and gets rid of the unnecessary `phpcs:disable` comments.

The tests in the `tests/phpunit/tests/db/dbDelta.php` file cover this change.

Follow-up to [42249].

Props jrf.
See #59650.
Built from https://develop.svn.wordpress.org/trunk@57056


git-svn-id: http://core.svn.wordpress.org/trunk@56567 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-11-03 15:33:22 +00:00
Sergey Biryukov
8b18bab4e6 KSES: Add writing-mode to the list of safe CSS properties.
Original PR from Gutenberg repository:
* [https://github.com/WordPress/gutenberg/pull/54581 #54581 Gutenberg Plugin: Add hook to allow `writing-mode` as a safe CSS property]

Reference: [https://developer.mozilla.org/en-US/docs/Web/CSS/writing-mode MDN Web Docs: writing-mode].

Follow-up to [56605].

Props wildworks, mukesh27, poena, andrewserong.
Fixes #59387.
Built from https://develop.svn.wordpress.org/trunk@56617


git-svn-id: http://core.svn.wordpress.org/trunk@56129 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-09-19 12:30:14 +00:00
costdev
cc1bb87546 Docs: Document aria-live and hidden in safecss_filter_attr().
In [56603], support was added for `aria-live` and `hidden` attributes in `safecss_filter_attr()`.

This adds a `@since` annotation to document this change.

Follow-up to [56603].

Props mukesh27.
See #57791.
Built from https://develop.svn.wordpress.org/trunk@56608


git-svn-id: http://core.svn.wordpress.org/trunk@56120 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-09-18 10:57:16 +00:00
joedolson
a73260baf4 Administration: Add support for attributes in wp_admin_notice().
Allow admin notices to be created with additional attributes. Test attributes include `hidden`, `data-*`, and `role="*"` values, which are all in use in various admin notices across core. 

This commit adds `aria-live` and `hidden` to the KSES global attributes array to support core usages.

Follow up to [56408], [56409], [56410], [56518], [56570], [56571], [56572], [56573], [56576], [56589], [56590], [56597], [56599], [56600], [56601], [56602].

Props costdev, joedolson.
See #57791.
Built from https://develop.svn.wordpress.org/trunk@56603


git-svn-id: http://core.svn.wordpress.org/trunk@56115 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-09-18 00:30:18 +00:00
Sergey Biryukov
e5490118af Coding Standards: Include one space after function keyword for closures.
Note: This is enforced by WPCS 3.0.0.

Reference: [https://github.com/WordPress/WordPress-Coding-Standards/pull/2328 WPCS: PR #2328 Core: properly check formatting of function declaration statements].

Props jrf.
See #59161, #58831.
Built from https://develop.svn.wordpress.org/trunk@56559


git-svn-id: http://core.svn.wordpress.org/trunk@56071 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-09-12 15:23:18 +00:00
Sergey Biryukov
ba52c45385 Coding Standards: Use strict comparison in wp-includes/kses.php.
Follow-up to [649], [2896], [3418], [8386], [20540], [47219], [54933].

Props aristath, poena, afercia, SergeyBiryukov.
See #58831.
Built from https://develop.svn.wordpress.org/trunk@56377


git-svn-id: http://core.svn.wordpress.org/trunk@55889 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-08-09 11:01:24 +00:00
audrasjb
321158f726 Docs: Replace multiple single line comments with multi-line comments.
This changeset updates various comments as per WordPress PHP Inline Documentation Standards.
See https://developer.wordpress.org/coding-standards/inline-documentation-standards/php/#5-inline-comments.

Follow-up to [56174], [56175], [56176], [56177], [56178], [56179], [56180].

Props costdev, audrasjb.
See #58459.



Built from https://develop.svn.wordpress.org/trunk@56191


git-svn-id: http://core.svn.wordpress.org/trunk@55703 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-07-10 22:38:25 +00:00
isabel_brison
4e0fbeb04c Editor: add box shadow support to blocks.
Adds the ability for blocks to declare support for CSS box-shadow and processing of necessary styles.

Props madhudollu, sabernhardt, ramonopoly, spacedmonkey, mukesh27.
Fixes #58590.

Built from https://develop.svn.wordpress.org/trunk@56046


git-svn-id: http://core.svn.wordpress.org/trunk@55558 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-06-26 23:44:29 +00:00
Sergey Biryukov
e28f97b887 Code Modernization: Use str_starts_with() and str_ends_with() in a few more places.
`str_starts_with()` and `str_ends_with()` were introduced in PHP 8.0 to perform a case-sensitive check indicating if the string to search in (haystack) begins or ends with the given substring (needle).

WordPress core includes a polyfill for these functions on PHP < 8.0 as of WordPress 5.9.

Follow-up to [55990], [56014], [56019].

See #58220.
Built from https://develop.svn.wordpress.org/trunk@56020


git-svn-id: http://core.svn.wordpress.org/trunk@55532 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-06-24 17:17:23 +00:00
Sergey Biryukov
84e9601e5a Code Modernization: Replace usage of substr() with str_starts_with() and str_ends_with().
`str_starts_with()` and `str_ends_with()` were introduced in PHP 8.0 to perform a case-sensitive check indicating if the string to search in (haystack) begins or ends with the given substring (needle).

WordPress core includes a polyfill for these functions on PHP < 8.0 as of WordPress 5.9.

This commit uses `str_starts_with()` and `str_ends_with()` in core files where appropriate:
* `$needle === substr( $string, 0, $length )`, where `$length` is the length of `$needle`, is replaced with `str_starts_with( $haystack, $needle )`.
* `$needle === substr( $string, $offset )`, where `$offset` is negative and the absolute value of `$offset` is the length of `$needle`, is replaced with `str_ends_with( $haystack, $needle )`.

This aims to make the code more readable and consistent, as well as better aligned with modern development practices.

Follow-up to [52039], [52040], [52326], [55703], [55710], [55987], [55988].

Props Soean, spacedmonkey, Clorith, ocean90, azaozz, sabernhardt, SergeyBiryukov.
Fixes #58220.
Built from https://develop.svn.wordpress.org/trunk@55990


git-svn-id: http://core.svn.wordpress.org/trunk@55502 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-06-22 14:57:24 +00:00
Sergey Biryukov
1ce5dc7444 Code Modernization: Replace usage of strpos() with str_contains().
`str_contains()` was introduced in PHP 8.0 to perform a case-sensitive check indicating if the string to search in (haystack) contains the given substring (needle).

WordPress core includes a polyfill for `str_contains()` on PHP < 8.0 as of WordPress 5.9.

This commit replaces `false !== strpos( ... )` with `str_contains()` in core files, making the code more readable and consistent, as well as better aligned with modern development practices.

Follow-up to [52039], [52040], [52326], [55703], [55710], [55987].

Props Soean, spacedmonkey, costdev, dingo_d, azaozz, mikeschroder, flixos90, peterwilsoncc, SergeyBiryukov.
Fixes #58206.
Built from https://develop.svn.wordpress.org/trunk@55988


git-svn-id: http://core.svn.wordpress.org/trunk@55500 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-06-22 14:36:26 +00:00
Peter Wilson
7f4337121a KSES: Add support for CSS repeat() function.
Introduces support for the CSS `repeat()` function to support complex grid layouts.

Props isabel_brison, azaozz.
Fixes #58551.

Built from https://develop.svn.wordpress.org/trunk@55944


git-svn-id: http://core.svn.wordpress.org/trunk@55456 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-06-20 02:31:18 +00:00
joedolson
2d2791b5be Formatting: Support aria content attributes.
Add `aria-controls`, `aria-expanded`, and `aria-current` to allowed attributes in KSES.

Props crs1138, rsiddharth, mukesh27, SergeyBiryukov, joedolson, ryokuhi, peterwilsoncc, audrasjb, nataliat2004.
Fixes #55370.
Built from https://develop.svn.wordpress.org/trunk@55937


git-svn-id: http://core.svn.wordpress.org/trunk@55449 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-06-18 16:41:20 +00:00
Weston Ruter
4c2394eed5 General: Use static on closures whenever $this is not used to avoid memory leaks.
Props westonruter, jrf, spacedmonkey.
Fixes #58323.

Built from https://develop.svn.wordpress.org/trunk@55822


git-svn-id: http://core.svn.wordpress.org/trunk@55334 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-05-17 22:46:24 +00:00
Sergey Biryukov
2ec23a82ed Code Modernization: Replace usage of strpos() with str_starts_with().
`str_starts_with()` was introduced in PHP 8.0 to perform a case-sensitive check indicating if the string to search in (haystack) begins with the given substring (needle).

WordPress core includes a polyfill for `str_starts_with()` on PHP < 8.0 as of WordPress 5.9.

This commit replaces `0 === strpos( ... )` with `str_starts_with()` in core files, making the code more readable and consistent, as well as improving performance.

While `strpos()` is slightly faster than the polyfill on PHP < 8.0, `str_starts_with()` is noticeably faster on PHP 8.0+, as it is optimized to avoid unnecessarily searching along the whole haystack if it does not find the needle.

Follow-up to [52039], [52040], [52326].

Props spacedmonkey, costdev, sabernhardt, mukesh27, desrosj, jorbin, TobiasBg, ayeshrajans, lgadzhev, SergeyBiryukov.
Fixes #58012.
Built from https://develop.svn.wordpress.org/trunk@55703


git-svn-id: http://core.svn.wordpress.org/trunk@55215 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-05-02 15:45:22 +00:00
Sergey Biryukov
0c5a04d541 Coding Standards: Use strict comparison where strtolower() is involved.
Follow-up to [649], [7736], [18821], [19444], [20886], [20893], [23303], [55642], [55652], [55653], [55654].

Props aristath, poena, afercia, SergeyBiryukov.
See #57839.
Built from https://develop.svn.wordpress.org/trunk@55677


git-svn-id: http://core.svn.wordpress.org/trunk@55189 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-04-22 15:19:22 +00:00
Sergey Biryukov
800b2b4261 Coding Standards: Use strict comparison where substr() is involved.
Follow-up to [3606], [10738], [33359], [55642], [55652].

Props aristath, poena, afercia, SergeyBiryukov.
See #57839.
Built from https://develop.svn.wordpress.org/trunk@55653


git-svn-id: http://core.svn.wordpress.org/trunk@55165 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-04-16 10:48:22 +00:00
Sergey Biryukov
4d6f46401f Coding Standards: Use strict comparison where strlen() is involved.
Follow-up to [649], [1345], [3034], [6132], [6314], [6974], [55642].

Props aristath, poena, afercia, SergeyBiryukov.
See #57839.
Built from https://develop.svn.wordpress.org/trunk@55652


git-svn-id: http://core.svn.wordpress.org/trunk@55164 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-04-15 12:11:24 +00:00
Sergey Biryukov
bdfe3d5a46 Coding Standards: Use strict comparison where count() is involved.
Follow-up to [1636], [6974], [8114], [10322], [13326], [14760], [18006], [18541], [19743], [23249], [24115], [33359].

Props aristath, poena, afercia, SergeyBiryukov.
See #57839.
Built from https://develop.svn.wordpress.org/trunk@55642


git-svn-id: http://core.svn.wordpress.org/trunk@55154 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-04-10 12:56:21 +00:00
Sergey Biryukov
6740fd5821 KSES: Allow filter property to accept a URL in safecss_filter_attr().
CSS filters can accept `url()` as a reference to an SVG filter element:
{{{
filter: url( file.svg#filter-element-id );
}}}
This commit allows for that syntax to be used in inline CSS.

Original PR from Gutenberg repository:
* [https://github.com/WordPress/gutenberg/pull/48281 #48281 Duotone: Use the style engine to generate CSS for Duotone]

References:
* [https://developer.mozilla.org/en-US/docs/Web/CSS/filter MDN Web Docs: filter()]
* [https://developer.mozilla.org/en-US/docs/Web/CSS/url MDN Web Docs: url()]

Follow-up to [44136], [52049].

Props scruffian, jeryj, ironprogrammer, azaozz, hellofromTonya, SergeyBiryukov.
Fixes #57780.
Built from https://develop.svn.wordpress.org/trunk@55564


git-svn-id: http://core.svn.wordpress.org/trunk@55076 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-03-20 08:25:22 +00:00
audrasjb
125d3fd72e Formatting: Add aspect-ratio as valid CSS property in KSES.
This changeset adds support for the `aspect-ratio` CSS property, which is considered safe for inline CSS.

Props ajlende, peterwilsoncc.
Fixes #57664.

Built from https://develop.svn.wordpress.org/trunk@55309


git-svn-id: http://core.svn.wordpress.org/trunk@54842 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-02-13 08:47:21 +00:00
hellofromTonya
1056e0175c KSES: Allow position-related CSS properties.
Adds support for the following CSS properties considered safe for inline CSS:
* `position`
* `top`
* `right`
* `bottom`
* `left`
* `z-index`

References:
* [https://github.com/WordPress/gutenberg/pull/46142 Gutenberg PR 46142].

Follow-up to [54117].

Props andrewserong, mukesh27.
Fixes #57504.
Built from https://develop.svn.wordpress.org/trunk@55184


git-svn-id: http://core.svn.wordpress.org/trunk@54717 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-02-01 22:52:14 +00:00
Felix Arntz
de505f0eac Formatting: Improve performance of esc_url().
This changeset indirectly improves performance of the commonly used `esc_url()` function by optimizing the low-level function `wp_kses_bad_protocol()` for the by far most common scenarios, which are URLs using either the `http` or `https` protocol.

For this common scenario, the changeset now avoids the `do while` loop. While for a single call to the `esc_url()` function the performance wins are negligible, given that `esc_url()` is often called many times in one page load, they can add up, making this a worthwhile improvement.

Props mukesh27, schlessera, markjaquith, azaozz, spacedmonkey.
Fixes #22951.

Built from https://develop.svn.wordpress.org/trunk@55053


git-svn-id: http://core.svn.wordpress.org/trunk@54586 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-01-11 15:23:13 +00:00
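The commit above only makes sense once you see what the `do while` loop in `wp_kses_bad_protocol()` is protecting against. The PHP below (8.0+) is an added example written for this page, not the WordPress implementation: it models the shape of the check (NUL removal, entity decoding, scheme extraction, a bounded loop, and the http(s) fast path) with its own function names, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

/**
 * One pass of scheme checking, modelled on the role of wp_kses_bad_protocol_once()
 * but written from scratch for this example (the real function differs in detail).
 */
function strip_bad_protocol_once(string $url, array $allowed): string
{
    // "&#106;avascript&colon;" -> "javascript:" (ENT_HTML5 knows the named entity &colon;)
    $url = html_entity_decode($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // Leading control characters and spaces are ignored by browsers, so ignore them here too.
    $url = preg_replace('/^[\x00-\x20]+/', '', $url) ?? $url;

    if (preg_match('/^([^:\/?#]+):/', $url, $m) !== 1) {
        return $url; // no scheme at all: a relative URL, nothing to strip
    }
    // Browsers drop tabs and newlines inside a URL, so "java\tscript" is still JavaScript.
    $scheme = strtolower(preg_replace('/\s+/', '', $m[1]) ?? $m[1]);
    if (in_array($scheme, $allowed, true)) {
        return $url;
    }
    return substr($url, strlen($m[0])); // drop "scheme:" and keep the remainder
}

/**
 * Repeat the single pass until the string stops changing: stripping one scheme can
 * expose another ("javascript:javascript:alert(1)"), and one round of entity
 * decoding can expose an encoded colon ("&amp;#58;"). If the string is still
 * changing after the cap, refuse it entirely.
 */
function strip_bad_protocol(string $url, array $allowed = ['http', 'https', 'mailto', 'tel']): string
{
    $url = str_replace("\0", '', $url); // NUL bytes hide a scheme from naive matching

    // Fast path: a string that literally begins with "http://" or "https://" cannot
    // carry a different scheme, so the decode/strip loop is unnecessary work.
    if (preg_match('#^https?://.#i', $url) === 1) {
        return $url;
    }

    $iterations = 0;
    do {
        $previous = $url;
        $url = strip_bad_protocol_once($url, $allowed);
    } while ($previous !== $url && ++$iterations < 6);

    return $previous === $url ? $url : '';
}

// Constructed inputs: the first takes the fast path, the rest exercise the loop.
$samples = [
    'https://example.com/?next=javascript:alert(1)',
    'javascript:alert(1)',
    "  JaVa\tScRiPt:alert(1)",
    'javascript&amp;#58;alert(1)',
    'javascript:javascript:alert(1)',
    '/relative/path.html',
    'mailto:someone@example.com',
];
foreach ($samples as $s) {
    printf("%-45s => %s\n", json_encode($s), strip_bad_protocol($s));
}
```

With these inputs the http(s) URL, the relative path and the `mailto:` link come back unchanged and every other sample is reduced to `alert(1)`. The double-encoded `&amp;#58;` case is the one that needs a second pass: the first pass only decodes it to `&#58;`, which is not yet a colon. That is what the loop exists for, and it is also why the fast path is safe: a string that already starts with `http://` or `https://` has no room in front of it for a scheme the loop would need to peel off.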
Sergey Biryukov
613091bce5 Code Modernization: Rename parameters that use reserved keywords in wp-includes/kses.php.
While using reserved PHP keywords as parameter name labels is allowed, in the context of function calls using named parameters in PHP 8.0+, this will easily lead to confusion. To avoid that, it is recommended not to use reserved keywords as function parameter names.

This commit:
* Renames the `$string` parameter to `$content` in:
 * `wp_kses()`
 * `wp_kses_hook()`
 * `wp_kses_split()`
 * `wp_kses_split2()`
 * `wp_kses_bad_protocol()`
 * `wp_kses_no_null()`
 * `wp_kses_stripslashes()`
 * `wp_kses_bad_protocol_once()`
 * `wp_kses_normalize_entities()`
 * `wp_kses_decode_entities()`
* Renames the `$string` parameter to `$attr` in:
 * `wp_kses_one_attr()`
 * `wp_kses_html_error()`
* Renames the `$match` parameter to `$matches` in:
 * `_wp_kses_split_callback()`
 * `_wp_kses_decode_entities_chr()`
 * `_wp_kses_decode_entities_chr_hexdec()`
* Renames the `$string` parameter to `$scheme` in `wp_kses_bad_protocol_once2()`.

Follow-up to [52946], [52996], [52997], [52998], [53003], [53014], [53029], [53039], [53116], [53117], [53137], [53174], [53184], [53185], [53192], [53193], [53198], [53203], [53207], [53215], [53216], [53220], [53230], [53232], [53236], [53239], [53240], [53242], [53243], [53245], [53246], [53257], [53269], [53270], [53271], [53272], [53273], [53274], [53275], [53276], [53277], [53281], [53283], [53284], [53285], [53287], [53364], [53365], [54927], [54929], [54930], [54931], [54932].

Props jrf, aristath, poena, justinahinon, SergeyBiryukov.
See #56788.
Built from https://develop.svn.wordpress.org/trunk@54933


git-svn-id: http://core.svn.wordpress.org/trunk@54485 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-12-05 13:57:16 +00:00
Sergey Biryukov
c7f6abe9f4 Docs: Add a @since note for object-fit support in safecss_filter_attr().
Follow-up to [54675].

Props peterwilsoncc.
See #56855.
Built from https://develop.svn.wordpress.org/trunk@54698


git-svn-id: http://core.svn.wordpress.org/trunk@54250 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-10-26 14:22:16 +00:00
davidbaumwald
a5213e123f Media: Add object-fit to the allowed list of CSS properties.
This resolves a bug in Featured Image blocks where `object-fit` was being removed during the `render_callback`.

Props raduiason, pbiron, kebbet, SergeyBiryukov, bernhard-reiter, ironprogrammer, xknown, audrasjb, ckanderson22, ivanjeronimo, seriouslysenpai.
Fixes #56855.
Built from https://develop.svn.wordpress.org/trunk@54675


git-svn-id: http://core.svn.wordpress.org/trunk@54227 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-10-24 15:36:13 +00:00
Sergey Biryukov
89e665383f KSES: Display a notice if any of the required globals are not set.
When using the `CUSTOM_TAGS` constant, these global variables should be set to arrays:

* `$allowedposttags`
* `$allowedtags`
* `$allowedentitynames`
* `$allowedxmlentitynames`

This commit aims to improve developer experience by displaying a more helpful message to explain a PHP fatal error further in the code if any of these globals are either not set or not an array.

Note: Using `CUSTOM_TAGS` is not recommended and should be considered deprecated. The `wp_kses_allowed_html` filter is more powerful and supplies context.

Follow-up to [832], [834], [2896], [13358], [21796], [28845], [43016], [48072].

Props doctorlai, pento, KnowingArt_com, bosconiandynamics, TJNowell, ironprogrammer, audrasjb, mukesh27, SergeyBiryukov.
Fixes #47357.
Built from https://develop.svn.wordpress.org/trunk@54672


git-svn-id: http://core.svn.wordpress.org/trunk@54224 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-10-24 14:49:15 +00:00
Sergey Biryukov
21eb7900b3 Docs: Clarify the $allowed_protocols default value in various KSES functions.
Add a note that the parameter is optional and defaults to the result of `wp_allowed_protocols()`.

This affects:
* `wp_kses()`
* `filter_block_content()`
* `filter_block_kses()`
* `filter_block_kses_value()`

Includes synchronizing the `$allowed_html` parameter description for consistency.

Follow-up to [649], [6630], [18826], [32603], [43016], [46896], [48478].

Props armondal, SergeyBiryukov.
Fixes #56580.
Built from https://develop.svn.wordpress.org/trunk@54181


git-svn-id: http://core.svn.wordpress.org/trunk@53740 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-09-15 13:29:13 +00:00
Sergey Biryukov
9ba0095255 KSES: Allow assigning values to CSS variables.
The `safecss_filter_attr()` function allows using custom CSS variables like `color: var(--color)`. However, it did not allow assigning values to CSS variables like `--color: #F00`, which is common in Global Styles and Gutenberg.

This commit adds support for assigning values to CSS variables, so that the function can be used consistently in Global Styles and the future Style Engine in Gutenberg.

Follow-up to [50923], [54100].

Props aristath, ramonopoly, SergeyBiryukov.
Fixes #56353.
Built from https://develop.svn.wordpress.org/trunk@54117


git-svn-id: http://core.svn.wordpress.org/trunk@53676 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-09-09 12:39:11 +00:00
Sergey Biryukov
ffaf3da76f KSES: Allow more layout-related CSS properties.
Adds support for the following CSS properties considered safe for inline CSS:
* `flex-wrap`
* `gap`
* `column-gap`
* `row-gap`

Extends support for `margin` and `padding` to include logical properties:
* `margin-block-start`
* `margin-block-end`
* `margin-inline-start`
* `margin-inline-end`
* `padding-block-start`
* `padding-block-end`
* `padding-inline-start`
* `padding-inline-end`

Follow-up to [46235].

Props andrewserong, peterwilsoncc, ramonopoly, bernhard-reiter.
Fixes #56122.
Built from https://develop.svn.wordpress.org/trunk@54102


git-svn-id: http://core.svn.wordpress.org/trunk@53661 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-09-08 15:06:09 +00:00
Sergey Biryukov
b65fba9742 KSES: Allow min(), max(), minmax(), and clamp() values to be used in inline CSS.
Additionally, this commit updates `safecss_filter_attr()` to add support for nested `var()` functions, so that a fallback value can be another CSS variable.

Follow-up to [50923].

Props johnregan3, noisysocks, cbravobernal, uxl, isabel_brison, andrewserong, ramonopoly, joyously, bernhard-reiter, peterwilsoncc.
Fixes #55966.
Built from https://develop.svn.wordpress.org/trunk@54100


git-svn-id: http://core.svn.wordpress.org/trunk@53659 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-09-08 13:26:14 +00:00
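The three `safecss_filter_attr()` commits on this page (`url()` for `filter`, assigning `--custom: value`, and `min()`/`max()`/`minmax()`/`clamp()` with nested `var()`) all adjust the same decision: which declarations of a `style` attribute survive. The PHP below (8.0+) is an added example written for this page, not the WordPress function: a compact model with its own, much shorter allow lists, showing how property, function and `url()` checks combine so that modern layout CSS passes while `expression()`, unknown properties and hostile `url()` targets are dropped. The class name and the sample style string are constructed.

```php
<?php
declare(strict_types=1);

/**
 * A compact model of how an inline-style filter decides which declarations
 * survive. Written for this example; the real allow lists are longer and the
 * real checks differ in detail.
 */
final class InlineStyleFilter
{
    /** @var string[] properties a site is willing to let authors set */
    private array $allowedProps = [
        'color', 'background', 'background-image', 'filter', 'width', 'height',
        'margin', 'padding', 'gap', 'grid-template-columns', 'position', 'top', 'z-index',
    ];
    /** @var string[] properties whose value may carry a url() */
    private array $urlProps = ['background', 'background-image', 'filter'];
    /** @var string[] CSS functions permitted anywhere in a value, at any nesting depth */
    private array $allowedFunctions = [
        'var', 'calc', 'min', 'max', 'minmax', 'clamp', 'repeat', 'rgb', 'rgba', 'hsl', 'hsla', 'url',
    ];

    public function filter(string $css): string
    {
        $kept = [];
        foreach (explode(';', $css) as $declaration) {
            if (!str_contains($declaration, ':')) {
                continue;
            }
            [$prop, $value] = array_map('trim', explode(':', $declaration, 2));
            $prop = strtolower($prop);
            if ($value === '' || !$this->propertyAllowed($prop) || !$this->valueAllowed($prop, $value)) {
                continue;
            }
            $kept[] = "$prop: $value";
        }
        return implode('; ', $kept);
    }

    private function propertyAllowed(string $prop): bool
    {
        // "--name" assigns a custom property; anything else must be on the list.
        if (str_starts_with($prop, '--')) {
            return preg_match('/^--[\w-]+$/', $prop) === 1;
        }
        return in_array($prop, $this->allowedProps, true);
    }

    private function valueAllowed(string $prop, string $value): bool
    {
        // A backslash starts a CSS escape, which could spell "url(" or "expression(" in pieces.
        if (str_contains($value, '\\')) {
            return false;
        }
        // Every function call in the value must come from the allow list, however deeply nested.
        if (preg_match_all('/([a-z-]+)\s*\(/i', $value, $m) > 0) {
            foreach ($m[1] as $fn) {
                if (!in_array(strtolower($fn), $this->allowedFunctions, true)) {
                    return false; // expression(), attr(), -webkit-gradient(), ...
                }
            }
        }
        if (preg_match('/url\s*\(/i', $value) === 1) {
            if (!in_array($prop, $this->urlProps, true)) {
                return false;
            }
            // The whole value must be exactly one url() whose target is relative or http(s).
            if (preg_match('/^url\(\s*([\'"]?)([^\'"()\s]+)\1\s*\)$/i', $value, $u) !== 1) {
                return false;
            }
            $scheme = parse_url($u[2], PHP_URL_SCHEME);
            if (is_string($scheme) && !in_array(strtolower($scheme), ['http', 'https'], true)) {
                return false; // javascript:, data:, vbscript:
            }
        }
        return true;
    }
}

// Constructed sample style attribute mixing legitimate modern CSS with hostile declarations.
$css = 'color: var(--c, var(--d)); width: clamp(1rem, 5vw, 3rem); --c: #f00; '
     . 'filter: url(file.svg#filter-element-id); background: url(javascript:alert(1)); '
     . 'behavior: url(x.htc); height: expression(alert(1)); grid-template-columns: repeat(3, minmax(0, 1fr))';
echo (new InlineStyleFilter())->filter($css), "\n";
```

The output keeps `color`, `width`, `--c`, `filter` and `grid-template-columns` and drops the other three: `background: url(javascript:alert(1))` fails the function allow list (`alert(`) before the `url()` target is even examined, `behavior` is not an allowed property, and `expression()` is not an allowed function. Two design choices are worth carrying into any real filter: scanning for every function name rather than only the outermost one is what makes nested `var()` safe to permit, and deciding `url()` per property (here only `background`, `background-image` and `filter`) keeps the `filter: url(...)` allowance from becoming a blanket one. Splitting on `;` also means a `data:` URL with parameters never arrives intact, which matches how the real function tokenizes declarations.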
Sergey Biryukov
ca1a756ff2 KSES: Revert [54092] for now to address unit test failures.
See #55966.
Built from https://develop.svn.wordpress.org/trunk@54093


git-svn-id: http://core.svn.wordpress.org/trunk@53652 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-09-07 15:24:13 +00:00
Sergey Biryukov
a15d6fd15b KSES: Allow min(), max(), minmax(), and clamp() values to be used in inline CSS.
Follow-up to [50923].

Props johnregan3, uxl, isabel_brison, andrewserong, ramonopoly, noisysocks, joyously.
See #55966.
Built from https://develop.svn.wordpress.org/trunk@54092


git-svn-id: http://core.svn.wordpress.org/trunk@53651 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-09-07 14:40:10 +00:00
Peter Wilson
18ace8bef4 KSES: Document HTML allow list is in lowercase.
Expand documentation of the `wp_kses_allowed_html` hook to indicate that developers must add permitted HTML tags and attributes in lowercase for KSES to recognise they are permitted.

Props r-a-y, SergeyBiryukov, peterwilsoncc.
Fixes #55407.
See #53399.


Built from https://develop.svn.wordpress.org/trunk@53034


git-svn-id: http://core.svn.wordpress.org/trunk@52623 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-03-31 03:54:02 +00:00
Sergey Biryukov
dcf9c33bc6 KSES: Add support for <ruby> and related elements.
`<ruby>` element and its friends are used to attach annotation text onto a piece of text. This is especially commonly used in Japanese content, but it can also be seen in content of other languages like Chinese.

The set of elements to enable such functionality consists of `<ruby>`, `<rt>`, and `<rp>` in the [https://html.spec.whatwg.org/multipage/text-level-semantics.html#the-ruby-element HTML Standard], while some browsers (like Firefox) additionally support `<rb>` and `<rtc>` for more advanced formatting, which are not yet included in the official HTML spec, but can be found in a [https://www.w3.org/TR/html-ruby-extensions/ W3C extension].

Props upsuper, mukesh27, SergeyBiryukov.
Fixes #54698.
Built from https://develop.svn.wordpress.org/trunk@52969


git-svn-id: http://core.svn.wordpress.org/trunk@52558 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-03-21 00:30:04 +00:00
Peter Wilson
d89f6097c4 KSES: Allow lang, xml:lang, dir attributes globally.
Globally permit the `lang`, `xml:lang`, and `dir` attributes on all elements rather than a subset in accordance with the HTML specification.

Props upsuper, SergeyBiryukov, mukesh27, audrasjb.
Fixes #54699.

Built from https://develop.svn.wordpress.org/trunk@52968


git-svn-id: http://core.svn.wordpress.org/trunk@52557 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-03-21 00:13:05 +00:00
jorgefilipecosta
28b6093061 Block Editor: Improve Global Styles filtering order.
From a conceptual point of view, it makes sense to execute global styles filters before post filters. So the post filters are always the last.

Props xknown, sergey, audrasjb, vortfu, oandregal, get_dave.
Built from https://develop.svn.wordpress.org/trunk@52895


git-svn-id: http://core.svn.wordpress.org/trunk@52484 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-03-10 23:27:04 +00:00
audrasjb
22c9355e2d Docs: Fix an error in wp_kses_attr() docblock.
Props kebbet.
See #54729.

Built from https://develop.svn.wordpress.org/trunk@52693


git-svn-id: http://core.svn.wordpress.org/trunk@52282 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-02-08 16:25:01 +00:00
Sergey Biryukov
6329aacac8 Docs: Correct @global tag in wp_kses_xml_named_entities().
This updates the variable name in the DocBlock to the correct one.

Follow-up to [48072], [52229].

Props david.binda.
Fixes #54899.
Built from https://develop.svn.wordpress.org/trunk@52639


git-svn-id: http://core.svn.wordpress.org/trunk@52228 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-01-25 11:16:05 +00:00
Sergey Biryukov
18d741be37 KSES: Use the polyfilled PHP 8 string functions in _wp_kses_allow_pdf_objects():
* `str_contains()`
* `str_ends_with()`
* `str_starts_with()`

Additionally, include a test for a PDF file in an `<object>` tag with an unsupported protocol.

Follow-up to [51963], [52039], [52040], [52304], [52309].

Props TobiasBg, ramonopoly.
See #54261.
Built from https://develop.svn.wordpress.org/trunk@52326


git-svn-id: http://core.svn.wordpress.org/trunk@51918 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-12-06 11:08:01 +00:00
Peter Wilson
37180741b4 KSES: Accept port number in PDF upload paths.
Improves the URL validation in `_wp_kses_allow_pdf_objects()` to account for sites using an upload path that contains a port, for example wp.org:8080.

Follow up to [51963], [52304].

Props ocean90, ramonopoly, talldanwp.
See #54261.


Built from https://develop.svn.wordpress.org/trunk@52309


git-svn-id: http://core.svn.wordpress.org/trunk@51901 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-12-03 02:44:00 +00:00
Peter Wilson
2d944ca1d9 KSES: Allow attributes to be restricted via callbacks.
Add callback validation to HTML tag attributes for increased flexibility over an array of values only.

In `object` tags, validate the `data` attribute via a callback to ensure it is a PDF and matches the `type` attribute. This prevents mime type mismatches in browsers.

Follow up to [51963].

Props Pento, dd32, swissspidy, xknown, peterwilsoncc.
Fixes #54261.


Built from https://develop.svn.wordpress.org/trunk@52304


git-svn-id: http://core.svn.wordpress.org/trunk@51896 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-12-02 00:56:01 +00:00
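The two `<object>` commits above (callback validation of the `data` attribute, then accepting a port in the upload path) describe a check that is easier to reason about in code. The PHP below (8.0+) is an added example written for this page, not `_wp_kses_allow_pdf_objects()` itself: the upload base URL is passed in as a parameter rather than read from `wp_upload_dir()`, the path check is stricter than a host-only comparison, and the function names and sample attributes are constructed.

```php
<?php
declare(strict_types=1);

/**
 * Decide whether an <object> may embed the given URL as a PDF. Modelled on the
 * role _wp_kses_allow_pdf_objects() plays in KSES, but written for this example:
 * the site's upload base URL is supplied explicitly.
 */
function is_allowed_pdf_url(string $url, string $uploadBaseUrl): bool
{
    // A query string or fragment can change what the server serves; refuse both.
    if (str_contains($url, '?') || str_contains($url, '#')) {
        return false;
    }
    if (!str_ends_with($url, '.pdf')) {
        return false;
    }
    $base = parse_url($uploadBaseUrl);
    $u    = parse_url($url);
    if (!is_array($base) || !is_array($u) || empty($base['host']) || empty($u['host'])) {
        return false;
    }
    if (!in_array(strtolower($u['scheme'] ?? ''), ['http', 'https'], true)) {
        return false;
    }
    // "https://example.com@attacker.example/x.pdf" has host attacker.example; refuse userinfo outright.
    if (isset($u['user']) || isset($u['pass'])) {
        return false;
    }
    // Host and port must match the upload location exactly, so wp.org:8080 and wp.org differ.
    $authority = static fn(array $p): string =>
        strtolower($p['host']) . (isset($p['port']) ? ':' . $p['port'] : '');
    if ($authority($u) !== $authority($base)) {
        return false;
    }
    // And the path must sit under the upload directory.
    $uploadPath = rtrim($base['path'] ?? '', '/') . '/';
    return str_starts_with($u['path'] ?? '', $uploadPath);
}

/**
 * The per-tag check: both attributes are required, the type must be the PDF
 * MIME type, and the data URL must pass is_allowed_pdf_url(). A data/type
 * mismatch is what lets a browser sniff the embedded resource into something
 * other than a PDF.
 */
function allow_object_tag(array $attrs, string $uploadBaseUrl): bool
{
    $type = strtolower(trim($attrs['type'] ?? ''));
    $data = trim($attrs['data'] ?? '');
    if ($type !== 'application/pdf' || $data === '') {
        return false;
    }
    return is_allowed_pdf_url($data, $uploadBaseUrl);
}

// Constructed sample: a site whose uploads live on a non-default port.
$uploads = 'https://example.com:8080/wp-content/uploads';
$cases = [
    ['data' => 'https://example.com:8080/wp-content/uploads/2021/12/report.pdf', 'type' => 'application/pdf'],
    ['data' => 'https://example.com/wp-content/uploads/2021/12/report.pdf',      'type' => 'application/pdf'],
    ['data' => 'https://example.com:8080/wp-content/uploads/report.pdf?x=1',     'type' => 'application/pdf'],
    ['data' => 'https://example.com:8080/wp-content/uploads/image.svg',          'type' => 'application/pdf'],
    ['data' => 'https://example.com:8080/wp-content/uploads/report.pdf',         'type' => 'text/html'],
    ['data' => 'https://example.com@attacker.example/report.pdf',                'type' => 'application/pdf'],
];
foreach ($cases as $attrs) {
    printf("%-5s %s type=%s\n", allow_object_tag($attrs, $uploads) ? 'keep' : 'drop', $attrs['data'], $attrs['type']);
}
```

Only the first case is kept. The second shows the port commit's point from the other direction: once the site's upload URL carries `:8080`, a URL on the same host without the port is a different origin and is refused. The remaining cases fail on the query string, the extension, the `type` mismatch and the userinfo trick respectively. Comparing parsed components rather than doing a string prefix match is what makes the userinfo and `example.com:8080.attacker.example`-style hosts fail cleanly, since `parse_url()` either reports the real host or rejects the URL.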