-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix allowed HTML tags declaration in wp_trigger_error()
#6671
Fix allowed HTML tags declaration in wp_trigger_error()
#6671
Conversation
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the Core Committers: Use this line as a base for the props when committing in SVN:
To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook. |
Hey @hellofromtonya 👋🏼 Can you please review this PR? Thanks. |
Test using WordPress PlaygroundThe changes in this pull request can previewed and tested using a WordPress Playground instance. WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser. Some things to be aware of
For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation. |
src/wp-includes/functions.php
Outdated
'code', | ||
'em', | ||
'strong', | ||
'a' => array( 'href' ), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this right? I believe it should rather be:
'a' => array( 'href' ), | |
'a' => array( 'href' => true ), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is required. Error strings having <a href="/"></a>
are being stripped out without your suggestion.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Humm, in core it shows it is supposed to be 'href' => true
:
wordpress-develop/src/wp-includes/kses.php
Lines 68 to 71 in 5115c7a
$allowedposttags = array( | |
'address' => array(), | |
'a' => array( | |
'href' => true, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh, you applied this suggestion in the end anyway?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh, I misread what you wrote. I thought you said with my suggestion not without 😊
'function_name' => 'some_function', | ||
'message' => '<script>alert("expected the function name and message")</script>', | ||
'expected_message' => 'some_function(): alert("expected the function name and message")', | ||
), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please add a test case with a link in it to check whether it survives the Kses sanitization mentioned in https://github.com/WordPress/wordpress-develop/pull/6671/files#r1628482559. Like try adding a test with a link to see if it fails then apply the above suggestion if it does.
c1f0364
to
7b0029c
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good!
Update allowed HTML tags declaration in
wp_trigger_error()
.Trac ticket: https://core.trac.wordpress.org/ticket/61318
Commit Message
General: Fix array format for allowed HTML passed into wp_kses() for wp_trigger_error().
Kses requires an associative array of allowed HTML.
See #57686. Follow-up to [56707].
Props thelovekesh, westonruter.
Fixes #61318.
This Pull Request is for code review only. Please keep all other discussion in the Trac ticket. Do not merge this Pull Request. See GitHub Pull Requests for Code Review in the Core Handbook for more details.