mirrored from git://develop.git.wordpress.org/
-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add layout-related CSS properties to safe_style_css_filter in kses.php #2928
Closed
andrewserong
wants to merge
3
commits into
WordPress:trunk
from
andrewserong:add/layout-support-css-properties-to-safe-style-css-filter
Closed
Changes from 2 commits
Commits
Show all changes
3 commits
Select commit
Hold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd rather not allow
display
in it's entirety. I wasn't around for the original specification but I expect it was left out very deliberately to prevent authors and contributors from doing something like:Are you able to limit it to a set of values?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks Peter, that's exactly the kind of feedback I was hoping for on this PR! I'll have a play, yes the goal is to allow a couple of particular kinds of layouts, not to expose
display: none
, so I'll see what we can do to limit this to just what's required for the current and shorter-term goals of different layouts. Or, alternately, if we need to specifically handledisplay
within the Layout support and not expose it in thekses
file. I'll give it some more thought! 🤔There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Update: I had another look over the Layout work in the Gutenberg repo, and I think it makes more sense for the Layout code to use its own special handling for the
display
property (constructing the rule based on an allow list) rather than exposing it directly inkses.php
. Even if we limit the options here, the objective wasn't really to allowdisplay
to be used anywhere, it was really tied to this one use case. Whereas the goal for the other properties added in this PR is for them to be usable pretty much anywhere.I've removed
display
from this PR (and added special handling fordisplay
over in the Layout PR WordPress/gutenberg#40875). But, we can always revisit this in the future if we do think it makes more sense inkses.php
! 🙂There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are there any discussions you could point to that would help us understand this concern?
I mean, what's stopping authors and contributors doing that by assigning the background color to text and links?
E.g.,
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And if it ends up that we have to constrain values for
display
, would it be okay to have a custom check withinsafecss_filter_attr
?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@peterwilsoncc @andrewserong How do you think we could proceed with this one?
Would a compromise be a white list of display properties, excluding
none
, assuming the concern alluded to above is valid?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good question, thanks for the ping @ramonjd! For 6.1, do we need
display
to be included? I believe the only place we're currently using it is in the layout support's rendering in the Theme JSON class (here: https://github.com/WordPress/gutenberg/blob/ffd75bd84e15b7ac611d3c25bc11e0fcd4840773/lib/compat/wordpress-6.1/class-wp-theme-json-6-1.php#L1410)To avoid being blocked on
display
, I was wondering if the current state of this PR is good enough to land as-is, given that it addresses the remaining layout properties that the style engine will need to validate?Alternately, if we think it's worth it to handle
display
as well, I think adding a list of allowed values sounds like a reasonable way to go 👍There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good question! I assumed "yes" because of the eventual migration of class-wp-theme-json-6-1.php 🤷
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In the current implementation, on this line the allow-listed display mode is output directly, rather than being parsed through
safecss_filter_attr
, so I didn't think it was needed until we move global styles output to being run through the style engine.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, thanks for clarifying! 🙇