[wp-trac] [WordPress Trac] #44724: KSES: Allow 'download' attribute for links
WordPress Trac
noreply at wordpress.org
Tue Oct 16 02:50:35 UTC 2018
#44724: KSES: Allow 'download' attribute for links
--------------------------------------+------------------------
Reporter: SergeyBiryukov | Owner: chriscct7
Type: enhancement | Status: accepted
Priority: normal | Milestone: 5.0
Component: Formatting | Version:
Severity: normal | Resolution:
Keywords: has-patch has-unit-tests | Focuses:
--------------------------------------+------------------------
Changes (by pento):
* keywords: good-first-bug has-patch has-unit-tests commit => has-patch
has-unit-tests
Comment:
...not so fast. 😔
The `download` attribute doesn't work on cross-origin links (eg, any site
that uses a CDN for hosting `uploads`). I don't know that we necessarily
need to account for this, but it is something to consider.
It's also a risk to allow the download filename to be set: for example, an
author could upload `my_definitely_not_suspicious_file.txt`, but then set
the `download` attribute to be `CLICK_ME.bat`, which isn't great. If we do
allow the `download` attribute, it should only be allowed with no value.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/44724#comment:11>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list