This change adds two now attribute-related config options to KSES:
- An array of allowed values can be defined for attributes. If the attribute value doesn't fall into the list, the attribute will be removed from the tag.
- Attributes can be marked as required. If a required attribute is not present, KSES will remove all attributes from the tag. As KSES doesn't match opening and closing tags, it's not possible to safely remove the tag itself, the safest fallback is to strip all attributes from the tag, instead.
Included with this change is an implementation of these options, allowing the `<object>` tag to be stored in posts, but only when it has a `type` attribute set to `application/pdf`.
Props pento, swissspidy, peterwilsoncc, dd32, jorbin.
Fixes#54261.
Built from https://develop.svn.wordpress.org/trunk@51963
git-svn-id: http://core.svn.wordpress.org/trunk@51552 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The filter allows to modify the list of allowed CSS attributes, however support for specific CSS attributes is added to the function rather than the filter.
Follow-up to [37931], [38121], [42880], [44136], [44531], [45242], [45363], [46235], [46793], [50634], [50923].
Props tmatsuur, muhammadfaizanhaidar, sabernhardt.
Fixes#53731.
Built from https://develop.svn.wordpress.org/trunk@51729
git-svn-id: http://core.svn.wordpress.org/trunk@51335 1a063a9b-81f0-0310-95a4-ce76da25c4cd
“The WordPress open source community cares about diversity. We strive to maintain a welcoming environment where everyone can feel included.”
With this commit, all occurrences of “whitelist” and “blacklist” (with the single exception of the `$new_whitelist_options` global variable) are removed. A new ticket has been opened to explore renaming the `$new_whitelist_options` variable (#50434).
Changing to more specific names or rewording sentences containing these terms not only makes the code more inclusive, but also helps provide clarity. These terms are often ambiguous. What is being blocked or allowed is not always immediately clear. This can make it more difficult for non-native English speakers to read through the codebase.
Words matter. If one contributor feels more welcome because these terms are removed, this was worth the effort.
Props strangerstudios, jorbin, desrosj, joemcgill, timothyblynjacobs, ocean90, ayeshrajans, davidbaumwald, earnjam.
See #48900, #50434.
Fixes#50413.
Built from https://develop.svn.wordpress.org/trunk@48121
git-svn-id: http://core.svn.wordpress.org/trunk@47890 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Enables developers to determine whether a section of CSS should be allowed or discarded. By default, the value will be false if the part contains \ ( & } = or comments. Returning true allows the CSS part to be included in the output.
Replaces the `safe_style_disallowed_chars` filter introduced in r47891.
Props azaozz.
Fixes#37134.
Built from https://develop.svn.wordpress.org/trunk@48086
git-svn-id: http://core.svn.wordpress.org/trunk@47853 1a063a9b-81f0-0310-95a4-ce76da25c4cd
While web crawlers are able to discover pages from links within the site and from other sites, XML sitemaps supplement this approach by allowing crawlers to quickly and comprehensively identify all URLs included in the sitemap and learn other signals about those URLs using the associated metadata.
See https://make.wordpress.org/core/2020/06/10/merge-announcement-extensible-core-sitemaps/ for more details.
This feature exposes the sitemap index via `/wp-sitemap.xml` and exposes a variety of new filters and hooks for developers to modify the behavior. Users can disable sitemaps completely by turning off search engine visibility in WordPress admin.
This change also introduces a new `esc_xml()` function to escape strings for output in XML, as well as XML support to `wp_kses_normalize_entities()`.
Props Adrian McShane, afragen, adamsilverstein, casiepa, flixos90, garrett-eclipse, joemcgill, kburgoine, kraftbj, milana_cap, pacifika, pbiron, pfefferle, Ruxandra Gradina, swissspidy, szepeviktor, tangrufus, tweetythierry.
Fixes#50117.
See #3670. See #19998.
Built from https://develop.svn.wordpress.org/trunk@48072
git-svn-id: http://core.svn.wordpress.org/trunk@47839 1a063a9b-81f0-0310-95a4-ce76da25c4cd
`wp_kses_bad_protocol()` makes sure to validate that uri attributes don’t contain invalid/or not allowed protocols. While this works fine in most cases, there’s a risk that by using the colon html5 named entity, one is able to bypass this function.
Props: xknown, nickdaugherty, peterwilsoncc.
Built from https://develop.svn.wordpress.org/trunk@46895
git-svn-id: http://core.svn.wordpress.org/trunk@46695 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Adds support for `flex`, `grid` and `column` layout techniques to the list of CSS attributes considered safe for inline CSS. The `\` character and CSS functions, eg `minmax()` are not yet supported.
Extends support of `border` properties to include `border-radius` and individual `background` properties to include all those implicitly supported by the shorthand attribute.
Props mrahmadawais, marybaum, birgire, peterwilsoncc, azaozz.
Fixes#37248.
See #47367.
Built from https://develop.svn.wordpress.org/trunk@46235
git-svn-id: http://core.svn.wordpress.org/trunk@46047 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit introduces the `wp_kses_uri_attributes` function and filter. The function centralizes the list of attributes, in order to prevent inconsistency, and the filter provides a way for plugins to customize the attributes.
Merges [44014] and [44017] to `trunk`.
Built from https://develop.svn.wordpress.org/trunk@44207
git-svn-id: http://core.svn.wordpress.org/trunk@44037 1a063a9b-81f0-0310-95a4-ce76da25c4cd
To avoid this being a vector for bypassing the filetypes that are allowed to be uploaded, this attribute is only allowed to be added without a value.
Merges [43813] from the 5.0 branch to trunk.
Props kalpshit, arshidkv12, welcher, peterwilsoncc, marina_wp, pento.
Fixes#44724.
Built from https://develop.svn.wordpress.org/trunk@44156
git-svn-id: http://core.svn.wordpress.org/trunk@43986 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The cover image block uses the `url()` function in its inline CSS, to show the cover image. KSES didn't allow this, causing the block to not save correctly for Author and Contributor users. As KSES does already check each attribute name against an allowed list, we're able to add an extra check for certain attributes to be able to use the `url()` function, too.
Merges [43781] from the 5.0 branch to core.
Props peterwilsoncc, azaozz, pento, dd32.
Fixes#45067.
Built from https://develop.svn.wordpress.org/trunk@44136
git-svn-id: http://core.svn.wordpress.org/trunk@43966 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Allow low-privileged users to use the ARIA attributes `aria-describedby`, `aria-details`, `aria-label`, `aria-labelledby` and `aria-hidden`.
Merges [43731] to trunk.
Props mattheu, swissspidy, rianrietveld, afercia, GaryJ.
See #30421.
Built from https://develop.svn.wordpress.org/trunk@43984
git-svn-id: http://core.svn.wordpress.org/trunk@43816 1a063a9b-81f0-0310-95a4-ce76da25c4cd
WPCS 1.0.0 includes a bunch of new auto-fixers, which drops the number of coding standards issues across WordPress significantly. Prior to running the auto-fixers, there were 15,312 issues detected. With this commit, we now drop to 4,769 issues.
This change includes three notable additions:
- Multiline function calls must now put each parameter on a new line.
- Auto-formatting files is now part of the `grunt precommit` script.
- Auto-fixable coding standards issues will now cause Travis failures.
Fixes#44600.
Built from https://develop.svn.wordpress.org/trunk@43571
git-svn-id: http://core.svn.wordpress.org/trunk@43400 1a063a9b-81f0-0310-95a4-ce76da25c4cd