Fix link color for roles without unfiltered_html capabilities

[oandregal]

Fixes #25151

[github-actions]

Size Change: 0 B

Total Size: 1.2 MB

ℹ️ View Unchanged

Filename	Size	Change
build/a11y/index.js	1.14 kB	0 B
build/annotations/index.js	3.52 kB	0 B
build/api-fetch/index.js	3.33 kB	0 B
build/autop/index.js	2.72 kB	0 B
build/blob/index.js	620 B	0 B
build/block-directory/index.js	8.41 kB	0 B
build/block-directory/style-rtl.css	943 B	0 B
build/block-directory/style.css	942 B	0 B
build/block-editor/index.js	128 kB	0 B
build/block-editor/style-rtl.css	11.1 kB	0 B
build/block-editor/style.css	11.1 kB	0 B
build/block-library/editor-rtl.css	8.59 kB	0 B
build/block-library/editor.css	8.59 kB	0 B
build/block-library/index.js	134 kB	0 B
build/block-library/style-rtl.css	7.6 kB	0 B
build/block-library/style.css	7.59 kB	0 B
build/block-library/theme-rtl.css	741 B	0 B
build/block-library/theme.css	741 B	0 B
build/block-serialization-default-parser/index.js	1.77 kB	0 B
build/block-serialization-spec-parser/index.js	3.1 kB	0 B
build/blocks/index.js	47.5 kB	0 B
build/components/index.js	202 kB	0 B
build/components/style-rtl.css	15.5 kB	0 B
build/components/style.css	15.4 kB	0 B
build/compose/index.js	9.42 kB	0 B
build/core-data/index.js	12 kB	0 B
build/data-controls/index.js	1.27 kB	0 B
build/data/index.js	8.43 kB	0 B
build/date/index.js	31.9 kB	0 B
build/deprecated/index.js	772 B	0 B
build/dom-ready/index.js	568 B	0 B
build/dom/index.js	4.44 kB	0 B
build/edit-navigation/index.js	10.4 kB	0 B
build/edit-navigation/style-rtl.css	868 B	0 B
build/edit-navigation/style.css	871 B	0 B
build/edit-post/index.js	306 kB	0 B
build/edit-post/style-rtl.css	6.24 kB	0 B
build/edit-post/style.css	6.22 kB	0 B
build/edit-site/index.js	19.6 kB	0 B
build/edit-site/style-rtl.css	3.3 kB	0 B
build/edit-site/style.css	3.3 kB	0 B
build/edit-widgets/index.js	17 kB	0 B
build/edit-widgets/style-rtl.css	2.79 kB	0 B
build/edit-widgets/style.css	2.79 kB	0 B
build/editor/editor-styles-rtl.css	492 B	0 B
build/editor/editor-styles.css	493 B	0 B
build/editor/index.js	45.3 kB	0 B
build/editor/style-rtl.css	3.8 kB	0 B
build/editor/style.css	3.8 kB	0 B
build/element/index.js	4.45 kB	0 B
build/escape-html/index.js	733 B	0 B
build/format-library/index.js	7.49 kB	0 B
build/format-library/style-rtl.css	547 B	0 B
build/format-library/style.css	548 B	0 B
build/hooks/index.js	1.74 kB	0 B
build/html-entities/index.js	622 B	0 B
build/i18n/index.js	3.54 kB	0 B
build/is-shallow-equal/index.js	711 B	0 B
build/keyboard-shortcuts/index.js	2.39 kB	0 B
build/keycodes/index.js	1.85 kB	0 B
build/list-reusable-blocks/index.js	3.02 kB	0 B
build/list-reusable-blocks/style-rtl.css	476 B	0 B
build/list-reusable-blocks/style.css	476 B	0 B
build/media-utils/index.js	5.12 kB	0 B
build/notices/index.js	1.69 kB	0 B
build/nux/index.js	3.27 kB	0 B
build/nux/style-rtl.css	671 B	0 B
build/nux/style.css	668 B	0 B
build/plugins/index.js	2.44 kB	0 B
build/primitives/index.js	1.34 kB	0 B
build/priority-queue/index.js	789 B	0 B
build/redux-routine/index.js	2.85 kB	0 B
build/rich-text/index.js	13.7 kB	0 B
build/server-side-render/index.js	2.61 kB	0 B
build/shortcode/index.js	1.7 kB	0 B
build/token-list/index.js	1.24 kB	0 B
build/url/index.js	4.06 kB	0 B
build/viewport/index.js	1.74 kB	0 B
build/warning/index.js	1.13 kB	0 B
build/wordcount/index.js	1.17 kB	0 B

_{compressed-size-action}

[oandregal]

kses has several checks when filtering post content, this is the relevant function when it comes to filter the style attribute:

• check whether the property name is one of the allowed (see)
• check that the property value doesn't have extraneous characters (checks for parentheses for example) (see)

[jorgefilipecosta]

In the core, we already have a good testing infrastructure for kses rule changes. And we will need to port this change to core anyways. Would it make sense the create a core patch with the change here and adding some kses rule test cases there? Similar to the patch we previously implemented for gradients https://github.com/WordPress/wordpress-develop/pull/110/files.

[oandregal]

In the core, we already have a good testing infrastructure for kses rule changes. And we will need to port this change to core anyways. Would it make sense the create a core patch with the change here and adding some kses rule test cases there?

I can do that as a follow-up to this. I'd also want to merge this as it is to make sure the link color is no longer broken in the plugin without having to wait for a core release that is still a few months away.

What I'm unsure about is: when to prepare/merge that core patch. Is the 5.6 window a good time? I know there's uncertainty about whether link color is going to be merged into core in 5.6 (it doesn't look like it) so I wonder if we should wait to the 5.7 window instead. To my understanding, people have talked about that a few things can change (the general approach -classes instead of css vars-, the name of the var, the name of the value). I haven't done a core patch before so I don't have a good sense of whether this is a good idea or not (things like how difficult would it be to remove/update the patch, should we need it). So, essentially, I'm happy to take any advice here. What do you think?

[jorgefilipecosta]

LGTM 👍
The reason I referred the core patch was to be able to test this kses changes against the core kses tests to increase the confidence we have on this change given that it may have a security impact. It would be good to test the patch before the next Gutenberg release.

[oandregal]

I'm trying to figure out who can provide a sanity check from a security point of view before this is merged.

[oandregal]

I've run this by some security folks and they aren't wild about serializing CSS Custom Properties in the post content. They'd rather keep the behavior as it is (not allowing CSS vars in the post content) or allow any in core, as it was done for data-* attributes in the past.

So we're back at the drawing board. Going to close this for the moment. Perhaps we can revisit Riad's #21420