[wp-trac] [WordPress Trac] #43215: Allow wp_kses to pass allowed CSS properties
WordPress Trac
noreply at wordpress.org
Sun Oct 6 20:00:32 UTC 2024
#43215: Allow wp_kses to pass allowed CSS properties
-----------------------------+------------------------------
Reporter: mclaurent | Owner: (none)
Type: feature request | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 4.9.2
Severity: normal | Resolution:
Keywords: | Focuses:
-----------------------------+------------------------------
Comment (by boceksumuklu):
Introducing a more granular approach where the allowed_output_html array
can define both allowed elements and specific attributes (including CSS
properties for style) on a per-element basis would indeed provide much
more flexibility. This would allow developers to safely whitelist certain
style properties on a case-by-case basis without needing to rely on global
hooks like safe_style_css.
For example, it makes sense for the allowed_output_html array to support
this depth:
{{{#!php
$allowed_output_html = array(
    'script'   => array(),
    'noscript' => array(),
    'iframe'   => array(
        'src'    => array(),
        'width'  => array(),
        'height' => array(),
        // Proposed: CSS properties permitted in this element's style attribute.
        'style'  => array(
            'display',
            'visibility',
        ),
    ),
);
}}}
This way, you could fine-tune exactly which styles are allowed for
specific elements like iframe, without globally affecting the handling of
CSS attributes across the entire WordPress instance.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/43215#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
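
The per-element allowlist proposed in the comment above, sketched as stand-alone PHP. This is an added example, not part of the ticket or of WordPress core; `filter_style_for_element()` is a hypothetical helper, and the value check is an assumption of this sketch.

```php
<?php
// Added illustration: not WordPress core code and not from the ticket.
// filter_style_for_element() is a hypothetical helper name.

function filter_style_for_element( string $tag, string $style, array $allowed_html ): string {
    $tag = strtolower( $tag );
    // No 'style' list for this element: no inline CSS survives.
    if ( empty( $allowed_html[ $tag ]['style'] ) || ! is_array( $allowed_html[ $tag ]['style'] ) ) {
        return '';
    }
    $allowed_props = array_map( 'strtolower', $allowed_html[ $tag ]['style'] );

    $kept = array();
    // Splitting on ';' is naive about quoted strings, but every fragment must
    // still pass both checks below, so the output only ever contains an
    // allowlisted property paired with a plain-token value.
    foreach ( explode( ';', $style ) as $declaration ) {
        $parts = explode( ':', $declaration, 2 );
        if ( 2 !== count( $parts ) ) {
            continue; // Not a "property: value" pair.
        }
        $property = strtolower( trim( $parts[0] ) );
        $value    = trim( $parts[1] );
        if ( ! in_array( $property, $allowed_props, true ) ) {
            continue; // Property not allowlisted for this element.
        }
        // Assumed value policy: keywords, numbers, units, hex colours only.
        // Rejects url(), expression(), backslash escapes, quotes, comments.
        if ( ! preg_match( '/^[a-zA-Z0-9 .%#!-]+$/', $value ) ) {
            continue;
        }
        $kept[] = $property . ': ' . $value;
    }
    return implode( '; ', $kept );
}

// The structure from the comment, reduced to the entries used here.
$allowed_output_html = array(
    'noscript' => array(),
    'iframe'   => array(
        'src'   => array(),
        'style' => array( 'display', 'visibility' ),
    ),
);

// Constructed sample input.
$style = 'display: none; position: fixed; VISIBILITY: hidden; display: url(x)';
var_dump( filter_style_for_element( 'iframe', $style, $allowed_output_html ) );
var_dump( filter_style_for_element( 'noscript', $style, $allowed_output_html ) );
```

For `iframe`, only the `display` and `visibility` declarations with plain values are kept; for `noscript`, which has no `style` list, the result is an empty string.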