Comments: Allow Notes @mention attributes in comment content (kses)#12503
Comments: Allow Notes @mention attributes in comment content (kses)#12503adamsilverstein wants to merge 8 commits into
Conversation
The notes @-mention completer stores a mention as `<a class="wp-note-mention" data-user-id="N" href="...">@name</a>`. The default comment kses allowlist only keeps `href` and `title` on links, so for users without `unfiltered_html` the attributes that make a mention a mention (the chip class and the mentioned user's ID) are stripped on save. Add a 'pre_comment_content' context to wp_kses_allowed_html() that allows `class` and `data-user-id` on links so saved mentions survive sanitization. Both attributes are inert markup. Backports the PHP changes from the Gutenberg mentions PR: WordPress/gutenberg#79604
|
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the Core Committers: Use this line as a base for the props when committing in SVN: To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook. |
Test using WordPress PlaygroundThe changes in this pull request can previewed and tested using a WordPress Playground instance. WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser. Some things to be aware of
For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation. |
Allowing class and data-user-id on links in the pre_comment_content context loosened sanitization for every comment, including anonymous front-end comments. Both attributes are CSS/JS selector hooks, so that would let any commenter publish links styled by theme classes or reachable by delegated script handlers. Attach the extended allowlist in wp_filter_comment() only while a note comment's content is being filtered instead. Notes can only be written by logged-in users who can edit the post and never render on the front end, and the sanitization of regular comments is unchanged.
Design review on the Gutenberg side changed the stored mention from a link to a plain span, since a mention marks a person rather than offering navigation. Allow span.class and span.data-user-id instead of the link attributes; the allowance is still attached only while a note comment is filtered.
… attribute The notes mention completer now stores a mention as `<span class="wp-note-mention user-N">@name</span>`, so the kses allowance for note comments shrinks to the single `class` attribute and no longer needs `data-user-id`. Add a test asserting that any other attribute is still stripped from note spans. Trac ticket: https://core.trac.wordpress.org/ticket/65622
1fc1250 to
f74c68b
Compare
Mentions are now inserted as links to the mentioned user's author page - <a class="wp-note-mention user-N" href="..."> - instead of spans, so the note allowance moves from span.class to a.class. Note content now also picks up wp_rel_ugc()'s rel="nofollow ugc" like any other comment link, which the tests cover with a deterministic external href.
|
Sorry, only have time for a surface review.
I think the general API for managing email (or other) notifications would be better for the project than handling each case individually. |
dc57c7f to
e31873f
Compare
Reducing this to the kses only changes which matches the merged PRs. Opening a follow up for the notifications part to dig deeper. |
|
Follow up: #12548 |
Backports the mention kses allowance from the Gutenberg Notes @mention work:
What
Allows the note mention markup (a
classattribute on links) in comment content, scoped tonotecomments only:_wp_kses_allow_note_mention_attributes()(new, private) extends thepre_comment_contentallowlist withclassonaelements.wp_filter_comment()attaches it immediately before applying thepre_comment_contentfilter and removes it immediately after, and only when$commentdata['comment_type']isnote.The
pre_comment_contentkses context itself is unchanged:wp_kses_allowed_html( 'pre_comment_content' )still returns the default$allowedtags, and regular (including anonymous front-end) comments are sanitized exactly as before.Because the scoping lives inside
wp_filter_comment()- the single choke point both REST write paths pass through withcomment_typealready resolved - core does not need the separate REST-create arming fix the plugin shim required (WordPress/gutenberg#80221).Why
The Notes @mention completer stores a mention as a link to the mentioned user's author page,
<a class="wp-note-mention user-N" href="…">@Name</a>, theuser-Nclass carrying the mentioned user's ID. The default comment kses allowlist ($allowedtags) permitsawith onlyhrefandtitle, so for users withoutunfiltered_htmlthe mention classes are stripped when the note is saved.An earlier revision added the attributes to the
pre_comment_contentcontext unconditionally. That loosened sanitization for every comment on every site:classis a CSS/JS selector hook, so any commenter - including anonymous visitors - could publish text styled by theme classes (e.g. disguised as a button) or reachable by delegated script handlers. Scoping the allowance to the moment anotecomment passes throughwp_filter_comment()avoids that: notes can only be written by logged-in users withedit_poston the target post and never render on the front end.Testing
Unit tests in
tests/phpunit/tests/kses.php:test_wp_kses_allowed_html_pre_comment_content_disallows_mention_attributesverifies thepre_comment_contentcontext still returns the stock$allowedtags.test_note_mention_markup_survives_note_content_sanitizationverifies the mentionclasssurvives on a note.test_note_mention_allows_only_class_on_note_linksverifies every attribute other thanclassand the default link attributes (e.g.onclick,style,data-*) is still stripped from note links.test_note_mention_markup_stripped_from_regular_comment_contentverifies theclassis stripped from the same markup in a regular comment.test_note_mention_allowance_does_not_leak_after_note_filteringverifies a regular comment filtered after a note gets the default rules and the allowlist is restored.Trac ticket: https://core.trac.wordpress.org/ticket/65622
Proposed commit message