WordPress.org

KSES strips class and id attributes unnecessarily (1 post)

  1. Mark Tuttle
    Member
    Posted 2 years ago #

    An opinion: The kses module seems overly aggressive about stripping the class and id attributes. Why would a tool for stripping evil scripts ever need to remove the class and id attributes?

    A bug: The kses module sometimes accepts class but not id. Why would it ever be necessary to strip one but not the other? I know I can override this design decision in my own code, but this feels like a bug in kses. The most important examples are the div and span tags:

    $allowedposttags = array(
      // [...]
      'div' => array(
        'align' => array(),
        'class' => array(),
        'dir' => array(),
        'lang' => array(),
        'style' => array(),
        'xml:lang' => array()),
      // [...]
      'span' => array(
        'class' => array(),
        'dir' => array(),
        'align' => array(),
        'lang' => array(),
        'style' => array(),
        'title' => array(),
        'xml:lang' => array()),
      // [...]
      );
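
An added example, not part of the original post and not WordPress's own code: a simplified PHP model of a per-tag attribute allowlist, using the div and span entries quoted above, that shows id being dropped where class is kept and the list then being extended for exactly those tags. The helper names (model_filter_attrs, model_tags_missing) and the sample attributes are hypothetical.

```php
<?php
// Simplified model of per-tag attribute allowlisting; this is not wp_kses().
// The div and span entries are copied from the excerpt quoted in the post.
$allowed = array(
    'div' => array(
        'align' => array(), 'class' => array(), 'dir' => array(),
        'lang' => array(), 'style' => array(), 'xml:lang' => array(),
    ),
    'span' => array(
        'class' => array(), 'dir' => array(), 'align' => array(),
        'lang' => array(), 'style' => array(), 'title' => array(),
        'xml:lang' => array(),
    ),
);

// Hypothetical helper: keep only the attributes listed for this tag.
function model_filter_attrs(array $allowed, $tag, array $attrs) {
    $tag = strtolower($tag);
    if (!isset($allowed[$tag])) {
        return array(); // tag is not on the list, so no attribute survives
    }
    $attrs = array_change_key_case($attrs, CASE_LOWER);
    return array_intersect_key($attrs, $allowed[$tag]);
}

// Hypothetical helper: tags whose list contains $has but not $lacks.
function model_tags_missing(array $allowed, $has, $lacks) {
    $out = array();
    foreach ($allowed as $tag => $attrs) {
        if (isset($attrs[$has]) && !isset($attrs[$lacks])) {
            $out[] = $tag;
        }
    }
    return $out;
}

// Constructed sample attributes for one div element.
$attrs = array('id' => 'intro', 'class' => 'note', 'onclick' => 'x()');

// Filter against the list as quoted, then report the class-without-id tags.
print_r(model_filter_attrs($allowed, 'div', $attrs));
print_r(model_tags_missing($allowed, 'class', 'id'));

// Extend the list with id for those tags only, then filter again.
foreach (model_tags_missing($allowed, 'class', 'id') as $tag) {
    $allowed[$tag]['id'] = array();
}
print_r(model_filter_attrs($allowed, 'div', $attrs));
```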
