Globally permit the `lang`, `xml:lang`, and `dir` attributes on all elements rather than a subset in accordance with the HTML specification.
Props upsuper, SergeyBiryukov, mukesh27, audrasjb.
Fixes#54699.
git-svn-id: https://develop.svn.wordpress.org/trunk@52968 602fd350-edb4-49c9-b593-d223f7449a82
From the conceptual point it makes sense to execute global styles filters before post filters. So the post filters are always the last.
Props xknown, sergey, audrasjb, vortfu, oandregal, get_dave.
git-svn-id: https://develop.svn.wordpress.org/trunk@52895 602fd350-edb4-49c9-b593-d223f7449a82
This updates the variable name in the DocBlock to the correct one.
Follow-up to [48072], [52229].
Props david.binda.
Fixes#54899.
git-svn-id: https://develop.svn.wordpress.org/trunk@52639 602fd350-edb4-49c9-b593-d223f7449a82
* `str_contains()`
* `str_ends_with()`
* `str_starts_with()`
Additionally, include a test for a PDF file in an `<object>` tag with an unsupported protocol.
Follow-up to [51963], [52039], [52040], [52304], [52309].
Props TobiasBg, ramonopoly.
See #54261.
git-svn-id: https://develop.svn.wordpress.org/trunk@52326 602fd350-edb4-49c9-b593-d223f7449a82
Improves the URL validation in `_wp_kses_allow_pdf_objects()` to account for sites using an upload path that contains a port, for example wp.org:8080.
Follow up to [51963], [52304].
Props ocean90, ramonopoly, talldanwp.
See #54261.
git-svn-id: https://develop.svn.wordpress.org/trunk@52309 602fd350-edb4-49c9-b593-d223f7449a82
Add callback validation to HTML tag attributes for increased flexibility over an array of values only.
In `object` tags, validate the `data` attribute via a callback to ensure it is a PDF and matches the `type` attribute. This prevents mime type mismatches in browsers.
Follow up to [51963].
Props Pento, dd32, swissspidy, xknown, peterwilsoncc.
Fixes#54261.
git-svn-id: https://develop.svn.wordpress.org/trunk@52304 602fd350-edb4-49c9-b593-d223f7449a82
* Support for an array of allowed values for attributes.
* Support for required attributes.
Follow-up to [51963].
See #54261.
git-svn-id: https://develop.svn.wordpress.org/trunk@52234 602fd350-edb4-49c9-b593-d223f7449a82
This fixes a discrepancy where the the global name used in the function did not match the one declared at the beginning of `kses.php`, and ensures that the function gets the correct array of allowed XML entity names.
Includes unit tests.
Follow-up to [48072].
Props ovidiul, costdev, peterwilsoncc, SergeyBiryukov.
Fixes#54060.
git-svn-id: https://develop.svn.wordpress.org/trunk@52229 602fd350-edb4-49c9-b593-d223f7449a82
Follow up to [52041,52049-52052,52054,52106,52108-52110].
Props swisspidy, TobiasBg, spacedmonkey, kebbet, oandregal.
See #54336.
git-svn-id: https://develop.svn.wordpress.org/trunk@52128 602fd350-edb4-49c9-b593-d223f7449a82
- First pass at adding the site editor from the Gutenberg plugin to
wp-admin/site-editor.php.
- Adds miscellaneous PHP changes from Gutenberg 10.1 - 11.9.
Follows [52042].
See #54337.
Props youknowriad, aristath, hellofromtonya, gziolo.
git-svn-id: https://develop.svn.wordpress.org/trunk@52069 602fd350-edb4-49c9-b593-d223f7449a82
This commit adds global styles user content escaping. In addition, it ports the logic on the Gutenberg plugin implemented on WordPress/gutenberg#28061 to the core.
The logic tries to follow what was done for standard post content.
See #54336.
Props oandregal.
git-svn-id: https://develop.svn.wordpress.org/trunk@52052 602fd350-edb4-49c9-b593-d223f7449a82
This commit ports to core the changes to the classes that deal with theme.json code.
See #54336.
Props oandregal, spacedmonkey, noisysocks, hellofromtonya, youknowriad.
git-svn-id: https://develop.svn.wordpress.org/trunk@52049 602fd350-edb4-49c9-b593-d223f7449a82
This change adds two now attribute-related config options to KSES:
- An array of allowed values can be defined for attributes. If the attribute value doesn't fall into the list, the attribute will be removed from the tag.
- Attributes can be marked as required. If a required attribute is not present, KSES will remove all attributes from the tag. As KSES doesn't match opening and closing tags, it's not possible to safely remove the tag itself, the safest fallback is to strip all attributes from the tag, instead.
Included with this change is an implementation of these options, allowing the `<object>` tag to be stored in posts, but only when it has a `type` attribute set to `application/pdf`.
Props pento, swissspidy, peterwilsoncc, dd32, jorbin.
Fixes#54261.
git-svn-id: https://develop.svn.wordpress.org/trunk@51963 602fd350-edb4-49c9-b593-d223f7449a82
The filter allows to modify the list of allowed CSS attributes, however support for specific CSS attributes is added to the function rather than the filter.
Follow-up to [37931], [38121], [42880], [44136], [44531], [45242], [45363], [46235], [46793], [50634], [50923].
Props tmatsuur, muhammadfaizanhaidar, sabernhardt.
Fixes#53731.
git-svn-id: https://develop.svn.wordpress.org/trunk@51729 602fd350-edb4-49c9-b593-d223f7449a82
As part of some recent changes, the property was added to the list of safe CSS properties twice.
Follow-up to [50634], [50761].
See #52991.
git-svn-id: https://develop.svn.wordpress.org/trunk@50922 602fd350-edb4-49c9-b593-d223f7449a82
This resolves an issue with the Cover block, where the `object-position` property is removed from the content when a non-admin user saves the post, leading to block recovery loop.
Props Mamaduka, aristath.
Fixes#52961.
git-svn-id: https://develop.svn.wordpress.org/trunk@50634 602fd350-edb4-49c9-b593-d223f7449a82
With loading="lazy" being added to all images in [47554], let's ensure that it passes kses attributes too.
Fixes#50731.
Props TimothyBlynJacobs, peterwilsoncc, azaozz.
git-svn-id: https://develop.svn.wordpress.org/trunk@48572 602fd350-edb4-49c9-b593-d223f7449a82
“The WordPress open source community cares about diversity. We strive to maintain a welcoming environment where everyone can feel included.”
With this commit, all occurrences of “whitelist” and “blacklist” (with the single exception of the `$new_whitelist_options` global variable) are removed. A new ticket has been opened to explore renaming the `$new_whitelist_options` variable (#50434).
Changing to more specific names or rewording sentences containing these terms not only makes the code more inclusive, but also helps provide clarity. These terms are often ambiguous. What is being blocked or allowed is not always immediately clear. This can make it more difficult for non-native English speakers to read through the codebase.
Words matter. If one contributor feels more welcome because these terms are removed, this was worth the effort.
Props strangerstudios, jorbin, desrosj, joemcgill, timothyblynjacobs, ocean90, ayeshrajans, davidbaumwald, earnjam.
See #48900, #50434.
Fixes#50413.
git-svn-id: https://develop.svn.wordpress.org/trunk@48121 602fd350-edb4-49c9-b593-d223f7449a82
Enables developers to determine whether a section of CSS should be allowed or discarded. By default, the value will be false if the part contains \ ( & } = or comments. Returning true allows the CSS part to be included in the output.
Replaces the `safe_style_disallowed_chars` filter introduced in r47891.
Props azaozz.
Fixes#37134.
git-svn-id: https://develop.svn.wordpress.org/trunk@48086 602fd350-edb4-49c9-b593-d223f7449a82
While web crawlers are able to discover pages from links within the site and from other sites, XML sitemaps supplement this approach by allowing crawlers to quickly and comprehensively identify all URLs included in the sitemap and learn other signals about those URLs using the associated metadata.
See https://make.wordpress.org/core/2020/06/10/merge-announcement-extensible-core-sitemaps/ for more details.
This feature exposes the sitemap index via `/wp-sitemap.xml` and exposes a variety of new filters and hooks for developers to modify the behavior. Users can disable sitemaps completely by turning off search engine visibility in WordPress admin.
This change also introduces a new `esc_xml()` function to escape strings for output in XML, as well as XML support to `wp_kses_normalize_entities()`.
Props Adrian McShane, afragen, adamsilverstein, casiepa, flixos90, garrett-eclipse, joemcgill, kburgoine, kraftbj, milana_cap, pacifika, pbiron, pfefferle, Ruxandra Gradina, swissspidy, szepeviktor, tangrufus, tweetythierry.
Fixes#50117.
See #3670. See #19998.
git-svn-id: https://develop.svn.wordpress.org/trunk@48072 602fd350-edb4-49c9-b593-d223f7449a82
Enable developers to change the regex used in `safecss_filter_attr` to limit characters in the parsed CSS.
Props paulschreiber, swissspidy, rmccue, bartekcholewa, miinasikk.
Fixes#37134.
git-svn-id: https://develop.svn.wordpress.org/trunk@47891 602fd350-edb4-49c9-b593-d223f7449a82
Allow users without the `unfiltered_html` capability to use the `playsinline` attribute when embedding videos.
Additionally this adds unit tests for passing the video element through kses.
Fixes#50167. See #29826.
git-svn-id: https://develop.svn.wordpress.org/trunk@47837 602fd350-edb4-49c9-b593-d223f7449a82
This reduces the number of `WordPress.PHP.StrictComparisons.LooseComparison` issues in half, from 1897 to 890.
Includes minor code layout fixes for better readability.
See #49542.
git-svn-id: https://develop.svn.wordpress.org/trunk@47808 602fd350-edb4-49c9-b593-d223f7449a82
This reduces the number of `WordPress.PHP.StrictInArray.MissingTrueStrict` issues from 486 to 50.
Includes minor code layout fixes for better readability.
See #49542.
git-svn-id: https://develop.svn.wordpress.org/trunk@47550 602fd350-edb4-49c9-b593-d223f7449a82
`wp_kses_bad_protocol()` makes sure to validate that uri attributes don’t contain invalid/or not allowed protocols. While this works fine in most cases, there’s a risk that by using the colon html5 named entity, one is able to bypass this function.
Props: xknown, nickdaugherty, peterwilsoncc.
git-svn-id: https://develop.svn.wordpress.org/trunk@46895 602fd350-edb4-49c9-b593-d223f7449a82
Adds support for `flex`, `grid` and `column` layout techniques to the list of CSS attributes considered safe for inline CSS. The `\` character and CSS functions, eg `minmax()` are not yet supported.
Extends support of `border` properties to include `border-radius` and individual `background` properties to include all those implicitly supported by the shorthand attribute.
Props mrahmadawais, marybaum, birgire, peterwilsoncc, azaozz.
Fixes#37248.
See #47367.
git-svn-id: https://develop.svn.wordpress.org/trunk@46235 602fd350-edb4-49c9-b593-d223f7449a82
