KSES: Allow HTML data-* attributes.

Add global support for HTML attributes prefixed `data-` for authors and contributors, as required by the new editor.

Merges [43727] to trunk.

Props azaozz, peterwilsoncc.
Fixes #33121.

Built from https://develop.svn.wordpress.org/trunk@43981


git-svn-id: http://core.svn.wordpress.org/trunk@43813 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Jeremy Felt 2018-12-12 02:39:25 +00:00
parent a0446fdfe8
commit a0309e80b6
2 changed files with 29 additions and 8 deletions

View File

@ -1076,6 +1076,7 @@ function wp_kses_attr( $element, $attr, $allowed_html, $allowed_protocols ) {
* Determines whether an attribute is allowed. * Determines whether an attribute is allowed.
* *
* @since 4.2.3 * @since 4.2.3
* @since 5.0.0 Add support for `data-*` wildcard attributes.
* *
* @param string $name The attribute name. Passed by reference. Returns empty string when not allowed. * @param string $name The attribute name. Passed by reference. Returns empty string when not allowed.
* @param string $value The attribute value. Passed by reference. Returns a filtered value. * @param string $value The attribute value. Passed by reference. Returns a filtered value.
@ -1090,9 +1091,27 @@ function wp_kses_attr_check( &$name, &$value, &$whole, $vless, $element, $allowe
$name_low = strtolower( $name ); $name_low = strtolower( $name );
if ( ! isset( $allowed_attr[ $name_low ] ) || '' == $allowed_attr[ $name_low ] ) { if ( ! isset( $allowed_attr[ $name_low ] ) || '' == $allowed_attr[ $name_low ] ) {
/*
* Allow `data-*` attributes.
*
* When specifying `$allowed_html`, the attribute name should be set as
* `data-*` (not to be mixed with the HTML 4.0 `data` attribute, see
* https://www.w3.org/TR/html40/struct/objects.html#adef-data).
*
* Note: the attribute name should only contain `A-Za-z0-9_-` chars,
* double hyphens `--` are not accepted by WordPress.
*/
if ( strpos( $name_low, 'data-' ) === 0 && ! empty( $allowed_attr['data-*'] ) && preg_match( '/^data(?:-[a-z0-9_]+)+$/', $name_low, $match ) ) {
/*
* Add the whole attribute name to the allowed attributes and set any restrictions
* for the `data-*` attribute values for the current element.
*/
$allowed_attr[ $match[0] ] = $allowed_attr['data-*'];
} else {
$name = $value = $whole = ''; $name = $value = $whole = '';
return false; return false;
} }
}
if ( 'style' == $name_low ) { if ( 'style' == $name_low ) {
$new_value = safecss_filter_attr( $value ); $new_value = safecss_filter_attr( $value );
@ -2091,6 +2110,7 @@ function safecss_filter_attr( $css, $deprecated = '' ) {
* Helper function to add global attributes to a tag in the allowed html list. * Helper function to add global attributes to a tag in the allowed html list.
* *
* @since 3.5.0 * @since 3.5.0
* @since 5.0.0 Add support for `data-*` wildcard attributes.
* @access private * @access private
* @ignore * @ignore
* *
@ -2104,6 +2124,7 @@ function _wp_add_global_attributes( $value ) {
'style' => true, 'style' => true,
'title' => true, 'title' => true,
'role' => true, 'role' => true,
'data-*' => true,
); );
if ( true === $value ) { if ( true === $value ) {

View File

@ -13,7 +13,7 @@
* *
* @global string $wp_version * @global string $wp_version
*/ */
$wp_version = '5.1-alpha-43980'; $wp_version = '5.1-alpha-43981';
/** /**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.