Fix link color for roles without unfiltered_html capabilities #25411

Closed
9 commits

Conversation

oandregal (Member)

Fixes #25151

@oandregal oandregal self-assigned this Sep 17, 2020
@oandregal oandregal added [Type] Bug An existing feature does not function as intended Global Styles Anything related to the broader Global Styles efforts, including Styles Engine and theme.json labels Sep 17, 2020
@github-actions bot commented Sep 17, 2020

Size Change: 0 B

Total Size: 1.2 MB


@oandregal oandregal changed the title Fix link control for roles without unfiltered_html capabilities Fix link color for roles without unfiltered_html capabilities Sep 17, 2020
add_action( 'init', 'gutenberg_experimental_global_styles_register_cpt' );
add_filter( 'block_editor_settings', 'gutenberg_experimental_global_styles_settings' );
add_action( 'wp_enqueue_scripts', 'gutenberg_experimental_global_styles_enqueue_assets' );
add_filter( 'safe_style_css', 'gutenberg_experimental_global_styles_allow_css_var_name' );
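Review bot: widening `safe_style_css` on the last line changes what authors without `unfiltered_html` can persist in post content, yet the hook registration gives no hint of which property name(s) `gutenberg_experimental_global_styles_allow_css_var_name` adds; state them in the callback's docblock and pair the change with kses rule tests covering both the newly allowed name and the values kses must still reject (the property-name filter does not touch the value check, so a value containing parentheses is still dropped, as the comment below notes). Also consider whether the filter needs to be registered unconditionally or only when the experimental global styles code is active, since the other three hooks in this group are all prefixed `gutenberg_experimental_`.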
@oandregal (Member Author) commented Sep 17, 2020

kses has several checks when filtering post content; this is the relevant function when it comes to filtering the style attribute:

  • check whether the property name is one of the allowed ones (see)
  • check that the property value doesn't have extraneous characters (it checks for parentheses, for example) (see)
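
A self-contained model of the two checks listed in that comment, added here as an example; it is not WordPress's `safecss_filter_attr()` and not code from this PR. The base allowlist, the `$extra` mechanism standing in for the `safe_style_css` filter, the function names and the property name `--example-link-color` are all assumptions made for illustration. The comment names parentheses as the rejected characters; the model also rejects backslash, ampersand, equals sign, closing brace and `/*`, which is an assumption about kses drawn from memory, so check `safecss_filter_attr()` in the WordPress version you target.

```php
<?php
// Added example: a minimal model of kses' style-attribute filtering.
// Not WordPress's safecss_filter_attr() and not code from this PR.

/**
 * Property-name allowlist. WordPress builds its own list and lets plugins
 * extend it through the 'safe_style_css' filter; the base list and the
 * $extra parameter here are stand-ins for that (assumption).
 */
function model_allowed_properties( array $extra = array() ): array {
    $base = array( 'color', 'background-color', 'background-image', 'font-size', 'text-decoration' );
    return array_values( array_unique( array_merge( $base, $extra ) ) );
}

/**
 * Keep only declarations whose property name is allow-listed (check 1) and
 * whose value contains none of the characters treated as extraneous (check 2).
 * Parentheses are the case the comment names; the other characters in the
 * pattern are an assumption about kses.
 */
function model_filter_style( string $style, array $allowed ): string {
    $kept = array();
    foreach ( explode( ';', $style ) as $declaration ) {
        $parts = explode( ':', $declaration, 2 );   // split at the first colon only
        if ( 2 !== count( $parts ) ) {
            continue;                               // not "name: value", drop it
        }
        $property = strtolower( trim( $parts[0] ) );
        $value    = trim( $parts[1] );
        if ( '' === $value || ! in_array( $property, $allowed, true ) ) {
            continue;                               // check 1: property name not allowed
        }
        if ( preg_match( '#[\\\\(&=}]|/\*#', $value ) ) {
            continue;                               // check 2: extraneous characters in value
        }
        $kept[] = $property . ': ' . $value;
    }
    return implode( '; ', $kept );
}

// Constructed input mixing an ordinary property, a custom property definition,
// a var() reference to it and a url() value. '--example-link-color' is a
// hypothetical name chosen for this example.
$var_name = '--example-link-color';
$input    = "color: var($var_name); $var_name: #ff0000; "
          . "background-image: url(https://example.com/x.png); font-size: 12px";

// With the default allowlist the custom property is dropped by check 1,
// while the var() and url() values are dropped by check 2; only font-size survives.
echo model_filter_style( $input, model_allowed_properties() ), "\n";

// Allow-listing the name (what a 'safe_style_css' callback achieves) lets the
// declaration that defines the variable through. The var() reference in 'color'
// is still rejected by check 2 because of its parentheses, which is exactly the
// gap a name-only allowlist leaves.
echo model_filter_style( $input, model_allowed_properties( array( $var_name ) ) ), "\n";
```

Run it with `php` on the command line. The second call shows why adding a name to the allowlist is not enough on its own: authors without `unfiltered_html` could persist the definition of the variable, but any `var(...)` reference to it in another property would still be stripped by the value check.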

lib/global-styles.php: outdated review thread, resolved
@jorgefilipecosta (Member) left a comment

In core, we already have good testing infrastructure for kses rule changes. And we will need to port this change to core anyway. Would it make sense to create a core patch with the change here and add some kses rule test cases there? Similar to the patch we previously implemented for gradients https://github.com/WordPress/wordpress-develop/pull/110/files.

lib/global-styles.php: three outdated review threads, resolved
@oandregal oandregal force-pushed the fix/link-control-author-role branch from 7b0b3f2 to 7b94a13 Compare September 18, 2020 18:12
@oandregal (Member Author)

> In core, we already have good testing infrastructure for kses rule changes. And we will need to port this change to core anyway. Would it make sense to create a core patch with the change here and add some kses rule test cases there?

I can do that as a follow-up to this. I'd also want to merge this as it is to make sure the link color is no longer broken in the plugin without having to wait for a core release that is still a few months away.

What I'm unsure about is: when to prepare/merge that core patch. Is the 5.6 window a good time? I know there's uncertainty about whether link color is going to be merged into core in 5.6 (it doesn't look like it), so I wonder if we should wait for the 5.7 window instead. To my understanding, people have talked about a few things that can change (the general approach, classes instead of css vars, the name of the var, the name of the value). I haven't done a core patch before so I don't have a good sense of whether this is a good idea or not (things like how difficult it would be to remove/update the patch, should we need to). So, essentially, I'm happy to take any advice here. What do you think?

@jorgefilipecosta (Member) left a comment

LGTM 👍
The reason I referred to the core patch was to be able to test these kses changes against the core kses tests, to increase the confidence we have in this change given that it may have a security impact. It would be good to test the patch before the next Gutenberg release.

@oandregal (Member Author)

I'm trying to figure out who can provide a sanity check from a security point of view before this is merged.

@oandregal (Member Author)

I've run this by some security folks and they aren't wild about serializing CSS Custom Properties in the post content. They'd rather keep the behavior as it is (not allowing CSS vars in the post content) or allow any in core, as it was done for data-* attributes in the past.

So we're back at the drawing board. Going to close this for the moment. Perhaps we can revisit Riad's #21420

Linked issue this pull request may close: Link color doesn't work for author role