Support » Requests and Feedback » KSES strips class and id attributes unnecessarily

  • An opinion: The kses module seems overly aggressive about stripping the class and id attributes. Why would a tool for stripping evil scripts ever need to remove the class and id attributes?

    A bug: The kses module sometimes accepts class but not id. Why would it ever be necessary to strip one but not the other? I know I can override this design decision in my own code, but this feels like a bug in kses. The most important examples are the div and span tags:

    $allowedposttags = array(
      [...]
      'div' => array(
        'align' => array (),
        'class' => array (),
        'dir' => array (),
        'lang' => array(),
        'style' => array (),
        'xml:lang' => array()),
      [...]
      'span' => array (
        'class' => array (),
        'dir' => array (),
        'align' => array (),
        'lang' => array (),
        'style' => array (),
        'title' => array (),
        'xml:lang' => array()),
      [...]
      );
  • The topic ‘KSES strips class and id attributes unnecessarily’ is closed to new replies.