In [56603], support was added for `aria-live` and `hidden` attributes in `safecss_filter_attr()`.
This adds a `@since` annotation to document this change.
Follow-up to [56603].
Props mukesh27.
See #57791.
git-svn-id: https://develop.svn.wordpress.org/trunk@56608 602fd350-edb4-49c9-b593-d223f7449a82
Allow admin notices to be created with additional attributes. Test attributes include `hidden`, `data-*`, and `role="*"` values, which are all in use in various admin notices across core.
This commit adds `aria-live` and `hidden` to the KSES global attributes array to support core usages.
Follow up to [56408], [56409], [56410], [56518], [56570], [56571], [56572], [56573], [56576], [56589], [56590], [56597], [56599], [56600], [56601], [56602].
Props costdev, joedolson.
See #57791.
git-svn-id: https://develop.svn.wordpress.org/trunk@56603 602fd350-edb4-49c9-b593-d223f7449a82
Adds the ability for blocks to declare support for CSS box-shadow and processing of necessary styles.
Props madhudollu, sabernhardt, ramonopoly, spacedmonkey, mukesh27.
Fixes#58590.
git-svn-id: https://develop.svn.wordpress.org/trunk@56046 602fd350-edb4-49c9-b593-d223f7449a82
`str_starts_with()` and `str_ends_with()` were introduced in PHP 8.0 to perform a case-sensitive check indicating if the string to search in (haystack) begins or ends with the given substring (needle).
WordPress core includes a polyfill for these functions on PHP < 8.0 as of WordPress 5.9.
Follow-up to [55990], [56014], [56019].
See #58220.
git-svn-id: https://develop.svn.wordpress.org/trunk@56020 602fd350-edb4-49c9-b593-d223f7449a82
`str_starts_with()` and `str_ends_with()` were introduced in PHP 8.0 to perform a case-sensitive check indicating if the string to search in (haystack) begins or ends with the given substring (needle).
WordPress core includes a polyfill for these functions on PHP < 8.0 as of WordPress 5.9.
This commit uses `str_starts_with()` and `str_ends_with()` in core files where appropriate:
* `$needle === substr( $string, 0, $length )`, where `$length` is the length of `$needle`, is replaced with `str_starts_with( $haystack, $needle )`.
* `$needle === substr( $string, $offset )`, where `$offset` is negative and the absolute value of `$offset` is the length of `$needle`, is replaced with `str_ends_with( $haystack, $needle )`.
This aims to make the code more readable and consistent, as well as better aligned with modern development practices.
Follow-up to [52039], [52040], [52326], [55703], [55710], [55987], [55988].
Props Soean, spacedmonkey, Clorith, ocean90, azaozz, sabernhardt, SergeyBiryukov.
Fixes#58220.
git-svn-id: https://develop.svn.wordpress.org/trunk@55990 602fd350-edb4-49c9-b593-d223f7449a82
`str_contains()` was introduced in PHP 8.0 to perform a case-sensitive check indicating if the string to search in (haystack) contains the given substring (needle).
WordPress core includes a polyfill for `str_contains()` on PHP < 8.0 as of WordPress 5.9.
This commit replaces `false !== strpos( ... )` with `str_contains()` in core files, making the code more readable and consistent, as well as better aligned with modern development practices.
Follow-up to [52039], [52040], [52326], [55703], [55710], [55987].
Props Soean, spacedmonkey, costdev, dingo_d, azaozz, mikeschroder, flixos90, peterwilsoncc, SergeyBiryukov.
Fixes#58206.
git-svn-id: https://develop.svn.wordpress.org/trunk@55988 602fd350-edb4-49c9-b593-d223f7449a82
Introduces support for the CSS `repeat()` function to support complex grid layouts.
Props isabel_brison, azaozz.
Fixes#58551.
git-svn-id: https://develop.svn.wordpress.org/trunk@55944 602fd350-edb4-49c9-b593-d223f7449a82
`str_starts_with()` was introduced in PHP 8.0 to perform a case-sensitive check indicating if the string to search in (haystack) begins with the given substring (needle).
WordPress core includes a polyfill for `str_starts_with()` on PHP < 8.0 as of WordPress 5.9.
This commit replaces `0 === strpos( ... )` with `str_starts_with()` in core files, making the code more readable and consistent, as well as improving performance.
While `strpos()` is slightly faster than the polyfill on PHP < 8.0, `str_starts_with()` is noticeably faster on PHP 8.0+, as it is optimized to avoid unnecessarily searching along the whole haystack if it does not find the needle.
Follow-up to [52039], [52040], [52326].
Props spacedmonkey, costdev, sabernhardt, mukesh27, desrosj, jorbin, TobiasBg, ayeshrajans, lgadzhev, SergeyBiryukov.
Fixes#58012.
git-svn-id: https://develop.svn.wordpress.org/trunk@55703 602fd350-edb4-49c9-b593-d223f7449a82
This changeset adds support for the `aspect-ratio` CSS property, which is considered safe for inline CSS.
Props ajlende, peterwilsoncc.
Fixes#57664.
git-svn-id: https://develop.svn.wordpress.org/trunk@55309 602fd350-edb4-49c9-b593-d223f7449a82
This changeset indirectly improves performance of the commonly used `esc_url()` function by optimizing the low-level function `wp_kses_bad_protocol()` for the by far most common scenarios, which are URLs using either the `http` or `https` protocol.
For this common scenario, the changeset now avoids the `do while` loop. While for a single call to the `esc_url()` function the performance wins are negligible, given that `esc_url()` is often called many times in one page load, they can add up, making this a worthwhile improvement.
Props mukesh27, schlessera, markjaquith, azaozz, spacedmonkey.
Fixes#22951.
git-svn-id: https://develop.svn.wordpress.org/trunk@55053 602fd350-edb4-49c9-b593-d223f7449a82
While using reserved PHP keywords as parameter name labels is allowed, in the context of function calls using named parameters in PHP 8.0+, this will easily lead to confusion. To avoid that, it is recommended not to use reserved keywords as function parameter names.
This commit:
* Renames the `$string` parameter to `$content` in:
* `wp_kses()`
* `wp_kses_hook()`
* `wp_kses_split()`
* `wp_kses_split2()`
* `wp_kses_bad_protocol()`
* `wp_kses_no_null()`
* `wp_kses_stripslashes()`
* `wp_kses_bad_protocol_once()`
* `wp_kses_normalize_entities()`
* `wp_kses_decode_entities()`
* Renames the `$string` parameter to `$attr` in:
* `wp_kses_one_attr()`
* `wp_kses_html_error()`
* Renames the `$match` parameter to `$matches` in:
* `_wp_kses_split_callback()`
* `_wp_kses_decode_entities_chr()`
* `_wp_kses_decode_entities_chr_hexdec()`
* Renames the `$string` parameter to `$scheme` in `wp_kses_bad_protocol_once2()`.
Follow-up to [52946], [52996], [52997], [52998], [53003], [53014], [53029], [53039], [53116], [53117], [53137], [53174], [53184], [53185], [53192], [53193], [53198], [53203], [53207], [53215], [53216], [53220], [53230], [53232], [53236], [53239], [53240], [53242], [53243], [53245], [53246], [53257], [53269], [53270], [53271], [53272], [53273], [53274], [53275], [53276], [53277], [53281], [53283], [53284], [53285], [53287], [53364], [53365], [54927], [54929], [54930], [54931], [54932].
Props jrf, aristath, poena, justinahinon, SergeyBiryukov.
See #56788.
git-svn-id: https://develop.svn.wordpress.org/trunk@54933 602fd350-edb4-49c9-b593-d223f7449a82
This resolves a bug in Featured Image blocks where `object-fit` was being removed during the `render_callback`.
Props raduiason, pbiron, kebbet, SergeyBiryukov, bernhard-reiter, ironprogrammer, xknown, audrasjb, ckanderson22, ivanjeronimo, seriouslysenpai.
Fixes#56855.
git-svn-id: https://develop.svn.wordpress.org/trunk@54675 602fd350-edb4-49c9-b593-d223f7449a82
When using the `CUSTOM_TAGS` constant, these global variables should be set to arrays:
* `$allowedposttags`
* `$allowedtags`
* `$allowedentitynames`
* `$allowedxmlentitynames`
This commit aims to improve developer experience by displaying a more helpful message to explain a PHP fatal error further in the code if any of these globals are either not set or not an array.
Note Using `CUSTOM_TAGS` is not recommended and should be considered deprecated. The `wp_kses_allowed_html` filter is more powerful and supplies context.
Follow-up to [832], [834], [2896], [13358], [21796], [28845], [43016], [48072].
Props doctorlai, pento, KnowingArt_com, bosconiandynamics, TJNowell, ironprogrammer, audrasjb, mukesh27, SergeyBiryukov.
Fixes#47357.
git-svn-id: https://develop.svn.wordpress.org/trunk@54672 602fd350-edb4-49c9-b593-d223f7449a82
Add a note that the parameter is optional and defaults to the result of `wp_allowed_protocols()`.
This affects:
* `wp_kses()`
* `filter_block_content()`
* `filter_block_kses()`
* `filter_block_kses_value()`
Includes synchronizing the `$allowed_html` parameter description for consistency.
Follow-up to [649], [6630], [18826], [32603], [43016], [46896], [48478].
Props armondal, SergeyBiryukov.
Fixes#56580.
git-svn-id: https://develop.svn.wordpress.org/trunk@54181 602fd350-edb4-49c9-b593-d223f7449a82
The `safecss_filter_attr()` function allows using custom CSS variables like `color: var(--color)`. However, it did not allow assigning values to CSS variables like `--color: #F00`, which is common in Global Styles and Gutenberg.
This commit adds support for assigning values to CSS variables, so that the function can be used consistently in Global Styles and the future Style Engine in Gutenberg.
Follow-up to [50923], [54100].
Props aristath, ramonopoly, SergeyBiryukov.
Fixes#56353.
git-svn-id: https://develop.svn.wordpress.org/trunk@54117 602fd350-edb4-49c9-b593-d223f7449a82
Adds support for the following CSS properties considered safe for inline CSS:
* `flex-wrap`
* `gap`
* `column-gap`
* `row-gap`
Extends support for `margin` and `padding` to include logical properties:
* `margin-block-start`
* `margin-block-end`
* `margin-inline-start`
* `margin-inline-end`
* `padding-block-start`
* `padding-block-end`
* `padding-inline-start`
* `padding-inline-end`
Follow-up to [46235].
Props andrewserong, peterwilsoncc, ramonopoly, bernhard-reiter.
Fixes#56122.
git-svn-id: https://develop.svn.wordpress.org/trunk@54102 602fd350-edb4-49c9-b593-d223f7449a82
Additionally, this commit updates `safecss_filter_attr()` to add support for nested `var()` functions, so that a fallback value can be another CSS variable.
Follow-up to [50923].
Props johnregan3, noisysocks, cbravobernal, uxl, isabel_brison, andrewserong, ramonopoly, joyously, bernhard-reiter, peterwilsoncc.
Fixes#55966.
git-svn-id: https://develop.svn.wordpress.org/trunk@54100 602fd350-edb4-49c9-b593-d223f7449a82
Expand documentation of the `wp_kses_allowed_html` hook to indicate that developers must add permitted HTML tags and attributes in lowercase for KSES to recognise they are permitted.
Props r-a-y, SergeyBiryukov, peterwilsoncc.
Fixes#55407.
See #53399.
git-svn-id: https://develop.svn.wordpress.org/trunk@53034 602fd350-edb4-49c9-b593-d223f7449a82
`<ruby>` element and its friends are used to attach annotation text onto a piece of text. This is especially commonly used in Japanese content, but it can also been seen in content of other languages like Chinese.
The set of elements to enable such functionality consists of `<ruby>`, `<rt>`, and `<rp>` in the [https://html.spec.whatwg.org/multipage/text-level-semantics.html#the-ruby-element HTML Standard], while some browsers (like Firefox) additionally support `<rb>` and `<rtc>` for more advanced formatting, which are not yet included in the official HTML spec, but can be found in a [https://www.w3.org/TR/html-ruby-extensions/ W3C extension].
Props upsuper, mukesh27, SergeyBiryukov.
Fixes#54698.
git-svn-id: https://develop.svn.wordpress.org/trunk@52969 602fd350-edb4-49c9-b593-d223f7449a82
Globally permit the `lang`, `xml:lang`, and `dir` attributes on all elements rather than a subset in accordance with the HTML specification.
Props upsuper, SergeyBiryukov, mukesh27, audrasjb.
Fixes#54699.
git-svn-id: https://develop.svn.wordpress.org/trunk@52968 602fd350-edb4-49c9-b593-d223f7449a82
From the conceptual point it makes sense to execute global styles filters before post filters. So the post filters are always the last.
Props xknown, sergey, audrasjb, vortfu, oandregal, get_dave.
git-svn-id: https://develop.svn.wordpress.org/trunk@52895 602fd350-edb4-49c9-b593-d223f7449a82
This updates the variable name in the DocBlock to the correct one.
Follow-up to [48072], [52229].
Props david.binda.
Fixes#54899.
git-svn-id: https://develop.svn.wordpress.org/trunk@52639 602fd350-edb4-49c9-b593-d223f7449a82
* `str_contains()`
* `str_ends_with()`
* `str_starts_with()`
Additionally, include a test for a PDF file in an `<object>` tag with an unsupported protocol.
Follow-up to [51963], [52039], [52040], [52304], [52309].
Props TobiasBg, ramonopoly.
See #54261.
git-svn-id: https://develop.svn.wordpress.org/trunk@52326 602fd350-edb4-49c9-b593-d223f7449a82
Improves the URL validation in `_wp_kses_allow_pdf_objects()` to account for sites using an upload path that contains a port, for example wp.org:8080.
Follow up to [51963], [52304].
Props ocean90, ramonopoly, talldanwp.
See #54261.
git-svn-id: https://develop.svn.wordpress.org/trunk@52309 602fd350-edb4-49c9-b593-d223f7449a82
Add callback validation to HTML tag attributes for increased flexibility over an array of values only.
In `object` tags, validate the `data` attribute via a callback to ensure it is a PDF and matches the `type` attribute. This prevents mime type mismatches in browsers.
Follow up to [51963].
Props Pento, dd32, swissspidy, xknown, peterwilsoncc.
Fixes#54261.
git-svn-id: https://develop.svn.wordpress.org/trunk@52304 602fd350-edb4-49c9-b593-d223f7449a82
* Support for an array of allowed values for attributes.
* Support for required attributes.
Follow-up to [51963].
See #54261.
git-svn-id: https://develop.svn.wordpress.org/trunk@52234 602fd350-edb4-49c9-b593-d223f7449a82
This fixes a discrepancy where the the global name used in the function did not match the one declared at the beginning of `kses.php`, and ensures that the function gets the correct array of allowed XML entity names.
Includes unit tests.
Follow-up to [48072].
Props ovidiul, costdev, peterwilsoncc, SergeyBiryukov.
Fixes#54060.
git-svn-id: https://develop.svn.wordpress.org/trunk@52229 602fd350-edb4-49c9-b593-d223f7449a82
Follow up to [52041,52049-52052,52054,52106,52108-52110].
Props swisspidy, TobiasBg, spacedmonkey, kebbet, oandregal.
See #54336.
git-svn-id: https://develop.svn.wordpress.org/trunk@52128 602fd350-edb4-49c9-b593-d223f7449a82
- First pass at adding the site editor from the Gutenberg plugin to
wp-admin/site-editor.php.
- Adds miscellaneous PHP changes from Gutenberg 10.1 - 11.9.
Follows [52042].
See #54337.
Props youknowriad, aristath, hellofromtonya, gziolo.
git-svn-id: https://develop.svn.wordpress.org/trunk@52069 602fd350-edb4-49c9-b593-d223f7449a82
This commit adds global styles user content escaping. In addition, it ports the logic on the Gutenberg plugin implemented on WordPress/gutenberg#28061 to the core.
The logic tries to follow what was done for standard post content.
See #54336.
Props oandregal.
git-svn-id: https://develop.svn.wordpress.org/trunk@52052 602fd350-edb4-49c9-b593-d223f7449a82
This commit ports to core the changes to the classes that deal with theme.json code.
See #54336.
Props oandregal, spacedmonkey, noisysocks, hellofromtonya, youknowriad.
git-svn-id: https://develop.svn.wordpress.org/trunk@52049 602fd350-edb4-49c9-b593-d223f7449a82
This change adds two now attribute-related config options to KSES:
- An array of allowed values can be defined for attributes. If the attribute value doesn't fall into the list, the attribute will be removed from the tag.
- Attributes can be marked as required. If a required attribute is not present, KSES will remove all attributes from the tag. As KSES doesn't match opening and closing tags, it's not possible to safely remove the tag itself, the safest fallback is to strip all attributes from the tag, instead.
Included with this change is an implementation of these options, allowing the `<object>` tag to be stored in posts, but only when it has a `type` attribute set to `application/pdf`.
Props pento, swissspidy, peterwilsoncc, dd32, jorbin.
Fixes#54261.
git-svn-id: https://develop.svn.wordpress.org/trunk@51963 602fd350-edb4-49c9-b593-d223f7449a82
The filter allows to modify the list of allowed CSS attributes, however support for specific CSS attributes is added to the function rather than the filter.
Follow-up to [37931], [38121], [42880], [44136], [44531], [45242], [45363], [46235], [46793], [50634], [50923].
Props tmatsuur, muhammadfaizanhaidar, sabernhardt.
Fixes#53731.
git-svn-id: https://develop.svn.wordpress.org/trunk@51729 602fd350-edb4-49c9-b593-d223f7449a82
