Add needed attributes to kses allowed tags for the Gallery block #9875
Conversation
| if ( isset( $tags['img'] ) ) { | ||
| $tags['img']['data-link'] = true; | ||
| $tags['img']['data-id'] = true; | ||
| } |
There was a problem hiding this comment.
It's too bad that we have to explicitly allow given data attributes, rather than accept all data-*. It begs the question: are we doing things wrong in Gallery? Is WordPress/KSES approaching this the wrong way with a blanket exclusion of data attributes?
There was a problem hiding this comment.
My opinion is that data-* should be allowed, and WordPress/KSES is doing it wrong when it comes to those attributes.
But others might know better...
There was a problem hiding this comment.
We can patch this specifically for Gallery, but if so we need a proper solution in the very near future. I also wonder if this a change that can be effected directly in core as part of 5.0 work. Pinging @pento, curious if you have thoughts.
There was a problem hiding this comment.
Is WordPress/KSES approaching this the wrong way with a blanket exclusion of data attributes?
For that matter, I'm not totally sure what's being accomplished by stripping any attribute. Without considering its value, I can't see any security-related issue with an attribute presence alone.
There was a problem hiding this comment.
I can't think of anything off the top of my head, I suspect it's just something that hasn't been added: KSES is built on an allow list of individual attributes, adding a wildcard would require a little more care to implement.
I'm going to float it with the security team, but it's probably going to take some time to explore and create a patch, so let's just go with this PR to fix the immediate issue for now.
|
@notnownikki: For testing this, it'd be good to have a test that ran over each
|
mcsf
added
[Type] Bug
|
@pento that sounds like a good idea. Will get that added to this PR! |
|
@pento ok, I wrote the test, and we have other failures. I'd like to get this in to 3.9 and address the other failures in a different PR. Some of the failures are just simple spacing fails, but some are aria attributes that kses is stripping out, which I don't think affects the block loading/saving functionality like it does with the gallery, but will take more time to go through and fix. |
|
@notnownikki: that seems fair, given the circumstances. Seems like we've uncovered something bigger, especially considering a11y in WordPress. :) As for the spacing, that might be OK: we already have some clever diffing with |
|
@mcsf fantastic, I'm working on the new test now, there are a few elements getting stripped out that affect bits of functionality. PR coming when they're fixed! |
|
I was a little curious about whether the test would uncover similar issues. 😉 Thank you for diving into this, @notnownikki! |
Description
The Gallery block uses
data-idanddata-linkon the images,and for non-admin users,
ksesstrips these out, which makes Gutenbergerror when loading a post with a Gallery that's been authored by a non-admin
user.
This PR adds a filter function that adds the attributes we need.
How has this been tested?
Log in with a user with the author role.
Make a new post, add a gallery block.
Save the post.
Reload the editor.
The gallery block should load and be editable as expected.
Types of changes
Bug fix
Checklist: