This changeset indirectly improves performance of the commonly used `esc_url()` function by optimizing the low-level function `wp_kses_bad_protocol()` for the by far most common scenarios, which are URLs using either the `http` or `https` protocol.
For this common scenario, the changeset now avoids the `do while` loop. While for a single call to the `esc_url()` function the performance wins are negligible, given that `esc_url()` is often called many times in one page load, they can add up, making this a worthwhile improvement.
Props mukesh27, schlessera, markjaquith, azaozz, spacedmonkey.
Fixes#22951.
Built from https://develop.svn.wordpress.org/trunk@55053
git-svn-id: http://core.svn.wordpress.org/trunk@54586 1a063a9b-81f0-0310-95a4-ce76da25c4cd
While using reserved PHP keywords as parameter name labels is allowed, in the context of function calls using named parameters in PHP 8.0+, this will easily lead to confusion. To avoid that, it is recommended not to use reserved keywords as function parameter names.
This commit:
* Renames the `$string` parameter to `$content` in:
* `wp_kses()`
* `wp_kses_hook()`
* `wp_kses_split()`
* `wp_kses_split2()`
* `wp_kses_bad_protocol()`
* `wp_kses_no_null()`
* `wp_kses_stripslashes()`
* `wp_kses_bad_protocol_once()`
* `wp_kses_normalize_entities()`
* `wp_kses_decode_entities()`
* Renames the `$string` parameter to `$attr` in:
* `wp_kses_one_attr()`
* `wp_kses_html_error()`
* Renames the `$match` parameter to `$matches` in:
* `_wp_kses_split_callback()`
* `_wp_kses_decode_entities_chr()`
* `_wp_kses_decode_entities_chr_hexdec()`
* Renames the `$string` parameter to `$scheme` in `wp_kses_bad_protocol_once2()`.
Follow-up to [52946], [52996], [52997], [52998], [53003], [53014], [53029], [53039], [53116], [53117], [53137], [53174], [53184], [53185], [53192], [53193], [53198], [53203], [53207], [53215], [53216], [53220], [53230], [53232], [53236], [53239], [53240], [53242], [53243], [53245], [53246], [53257], [53269], [53270], [53271], [53272], [53273], [53274], [53275], [53276], [53277], [53281], [53283], [53284], [53285], [53287], [53364], [53365], [54927], [54929], [54930], [54931], [54932].
Props jrf, aristath, poena, justinahinon, SergeyBiryukov.
See #56788.
Built from https://develop.svn.wordpress.org/trunk@54933
git-svn-id: http://core.svn.wordpress.org/trunk@54485 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This resolves a bug in Featured Image blocks where `object-fit` was being removed during the `render_callback`.
Props raduiason, pbiron, kebbet, SergeyBiryukov, bernhard-reiter, ironprogrammer, xknown, audrasjb, ckanderson22, ivanjeronimo, seriouslysenpai.
Fixes#56855.
Built from https://develop.svn.wordpress.org/trunk@54675
git-svn-id: http://core.svn.wordpress.org/trunk@54227 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When using the `CUSTOM_TAGS` constant, these global variables should be set to arrays:
* `$allowedposttags`
* `$allowedtags`
* `$allowedentitynames`
* `$allowedxmlentitynames`
This commit aims to improve developer experience by displaying a more helpful message to explain a PHP fatal error further in the code if any of these globals are either not set or not an array.
Note Using `CUSTOM_TAGS` is not recommended and should be considered deprecated. The `wp_kses_allowed_html` filter is more powerful and supplies context.
Follow-up to [832], [834], [2896], [13358], [21796], [28845], [43016], [48072].
Props doctorlai, pento, KnowingArt_com, bosconiandynamics, TJNowell, ironprogrammer, audrasjb, mukesh27, SergeyBiryukov.
Fixes#47357.
Built from https://develop.svn.wordpress.org/trunk@54672
git-svn-id: http://core.svn.wordpress.org/trunk@54224 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Add a note that the parameter is optional and defaults to the result of `wp_allowed_protocols()`.
This affects:
* `wp_kses()`
* `filter_block_content()`
* `filter_block_kses()`
* `filter_block_kses_value()`
Includes synchronizing the `$allowed_html` parameter description for consistency.
Follow-up to [649], [6630], [18826], [32603], [43016], [46896], [48478].
Props armondal, SergeyBiryukov.
Fixes#56580.
Built from https://develop.svn.wordpress.org/trunk@54181
git-svn-id: http://core.svn.wordpress.org/trunk@53740 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The `safecss_filter_attr()` function allows using custom CSS variables like `color: var(--color)`. However, it did not allow assigning values to CSS variables like `--color: #F00`, which is common in Global Styles and Gutenberg.
This commit adds support for assigning values to CSS variables, so that the function can be used consistently in Global Styles and the future Style Engine in Gutenberg.
Follow-up to [50923], [54100].
Props aristath, ramonopoly, SergeyBiryukov.
Fixes#56353.
Built from https://develop.svn.wordpress.org/trunk@54117
git-svn-id: http://core.svn.wordpress.org/trunk@53676 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Adds support for the following CSS properties considered safe for inline CSS:
* `flex-wrap`
* `gap`
* `column-gap`
* `row-gap`
Extends support for `margin` and `padding` to include logical properties:
* `margin-block-start`
* `margin-block-end`
* `margin-inline-start`
* `margin-inline-end`
* `padding-block-start`
* `padding-block-end`
* `padding-inline-start`
* `padding-inline-end`
Follow-up to [46235].
Props andrewserong, peterwilsoncc, ramonopoly, bernhard-reiter.
Fixes#56122.
Built from https://develop.svn.wordpress.org/trunk@54102
git-svn-id: http://core.svn.wordpress.org/trunk@53661 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Additionally, this commit updates `safecss_filter_attr()` to add support for nested `var()` functions, so that a fallback value can be another CSS variable.
Follow-up to [50923].
Props johnregan3, noisysocks, cbravobernal, uxl, isabel_brison, andrewserong, ramonopoly, joyously, bernhard-reiter, peterwilsoncc.
Fixes#55966.
Built from https://develop.svn.wordpress.org/trunk@54100
git-svn-id: http://core.svn.wordpress.org/trunk@53659 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Expand documentation of the `wp_kses_allowed_html` hook to indicate that developers must add permitted HTML tags and attributes in lowercase for KSES to recognise they are permitted.
Props r-a-y, SergeyBiryukov, peterwilsoncc.
Fixes#55407.
See #53399.
Built from https://develop.svn.wordpress.org/trunk@53034
git-svn-id: http://core.svn.wordpress.org/trunk@52623 1a063a9b-81f0-0310-95a4-ce76da25c4cd
From the conceptual point it makes sense to execute global styles filters before post filters. So the post filters are always the last.
Props xknown, sergey, audrasjb, vortfu, oandregal, get_dave.
Built from https://develop.svn.wordpress.org/trunk@52895
git-svn-id: http://core.svn.wordpress.org/trunk@52484 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* `str_contains()`
* `str_ends_with()`
* `str_starts_with()`
Additionally, include a test for a PDF file in an `<object>` tag with an unsupported protocol.
Follow-up to [51963], [52039], [52040], [52304], [52309].
Props TobiasBg, ramonopoly.
See #54261.
Built from https://develop.svn.wordpress.org/trunk@52326
git-svn-id: http://core.svn.wordpress.org/trunk@51918 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Improves the URL validation in `_wp_kses_allow_pdf_objects()` to account for sites using an upload path that contains a port, for example wp.org:8080.
Follow up to [51963], [52304].
Props ocean90, ramonopoly, talldanwp.
See #54261.
Built from https://develop.svn.wordpress.org/trunk@52309
git-svn-id: http://core.svn.wordpress.org/trunk@51901 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Add callback validation to HTML tag attributes for increased flexibility over an array of values only.
In `object` tags, validate the `data` attribute via a callback to ensure it is a PDF and matches the `type` attribute. This prevents mime type mismatches in browsers.
Follow up to [51963].
Props Pento, dd32, swissspidy, xknown, peterwilsoncc.
Fixes#54261.
Built from https://develop.svn.wordpress.org/trunk@52304
git-svn-id: http://core.svn.wordpress.org/trunk@51896 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This fixes a discrepancy where the the global name used in the function did not match the one declared at the beginning of `kses.php`, and ensures that the function gets the correct array of allowed XML entity names.
Includes unit tests.
Follow-up to [48072].
Props ovidiul, costdev, peterwilsoncc, SergeyBiryukov.
Fixes#54060.
Built from https://develop.svn.wordpress.org/trunk@52229
git-svn-id: http://core.svn.wordpress.org/trunk@51821 1a063a9b-81f0-0310-95a4-ce76da25c4cd
- First pass at adding the site editor from the Gutenberg plugin to
wp-admin/site-editor.php.
- Adds miscellaneous PHP changes from Gutenberg 10.1 - 11.9.
Follows [52042].
See #54337.
Props youknowriad, aristath, hellofromtonya, gziolo.
Built from https://develop.svn.wordpress.org/trunk@52069
git-svn-id: http://core.svn.wordpress.org/trunk@51661 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit adds global styles user content escaping. In addition, it ports the logic on the Gutenberg plugin implemented on WordPress/gutenberg#28061 to the core.
The logic tries to follow what was done for standard post content.
See #54336.
Props oandregal.
Built from https://develop.svn.wordpress.org/trunk@52052
git-svn-id: http://core.svn.wordpress.org/trunk@51644 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This change adds two now attribute-related config options to KSES:
- An array of allowed values can be defined for attributes. If the attribute value doesn't fall into the list, the attribute will be removed from the tag.
- Attributes can be marked as required. If a required attribute is not present, KSES will remove all attributes from the tag. As KSES doesn't match opening and closing tags, it's not possible to safely remove the tag itself, the safest fallback is to strip all attributes from the tag, instead.
Included with this change is an implementation of these options, allowing the `<object>` tag to be stored in posts, but only when it has a `type` attribute set to `application/pdf`.
Props pento, swissspidy, peterwilsoncc, dd32, jorbin.
Fixes#54261.
Built from https://develop.svn.wordpress.org/trunk@51963
git-svn-id: http://core.svn.wordpress.org/trunk@51552 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The filter allows to modify the list of allowed CSS attributes, however support for specific CSS attributes is added to the function rather than the filter.
Follow-up to [37931], [38121], [42880], [44136], [44531], [45242], [45363], [46235], [46793], [50634], [50923].
Props tmatsuur, muhammadfaizanhaidar, sabernhardt.
Fixes#53731.
Built from https://develop.svn.wordpress.org/trunk@51729
git-svn-id: http://core.svn.wordpress.org/trunk@51335 1a063a9b-81f0-0310-95a4-ce76da25c4cd
“The WordPress open source community cares about diversity. We strive to maintain a welcoming environment where everyone can feel included.”
With this commit, all occurrences of “whitelist” and “blacklist” (with the single exception of the `$new_whitelist_options` global variable) are removed. A new ticket has been opened to explore renaming the `$new_whitelist_options` variable (#50434).
Changing to more specific names or rewording sentences containing these terms not only makes the code more inclusive, but also helps provide clarity. These terms are often ambiguous. What is being blocked or allowed is not always immediately clear. This can make it more difficult for non-native English speakers to read through the codebase.
Words matter. If one contributor feels more welcome because these terms are removed, this was worth the effort.
Props strangerstudios, jorbin, desrosj, joemcgill, timothyblynjacobs, ocean90, ayeshrajans, davidbaumwald, earnjam.
See #48900, #50434.
Fixes#50413.
Built from https://develop.svn.wordpress.org/trunk@48121
git-svn-id: http://core.svn.wordpress.org/trunk@47890 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Enables developers to determine whether a section of CSS should be allowed or discarded. By default, the value will be false if the part contains \ ( & } = or comments. Returning true allows the CSS part to be included in the output.
Replaces the `safe_style_disallowed_chars` filter introduced in r47891.
Props azaozz.
Fixes#37134.
Built from https://develop.svn.wordpress.org/trunk@48086
git-svn-id: http://core.svn.wordpress.org/trunk@47853 1a063a9b-81f0-0310-95a4-ce76da25c4cd