KSES: Allow the download attribute on <a> tags.

To avoid this being a vector for bypassing the filetypes that are allowed to be uploaded, this attribute is only allowed to be added without a value. Merges [43813] from the 5.0 branch to trunk. Props kalpshit, arshidkv12, welcher, peterwilsoncc, marina_wp, pento. Fixes #44724. git-svn-id: https://develop.svn.wordpress.org/trunk@44156 602fd350-edb4-49c9-b593-d223f7449a82
2026-04-04 12:44:31 +00:00 · 2018-12-14 03:27:55 +00:00
parent 466ec7483a
commit 524f5be4c6
2 changed files with 26 additions and 16 deletions
--- a/src/wp-includes/kses.php
+++ b/src/wp-includes/kses.php
@@ -61,11 +61,14 @@ if ( ! CUSTOM_TAGS ) {
 	$allowedposttags = array(
 		'address'    => array(),
 		'a'          => array(
-			'href'   => true,
-			'rel'    => true,
-			'rev'    => true,
-			'name'   => true,
-			'target' => true,
+			'href'     => true,
+			'rel'      => true,
+			'rev'      => true,
+			'name'     => true,
+			'target'   => true,
+			'download' => array(
+				'valueless' => 'y',
+			),
 		),
 		'abbr'       => array(),
 		'acronym'    => array(),