CSS Support in WordPress MU 1.5 (11 posts)

  1. donncha
    Key Master
    Posted 16 years ago #

    In http://trac.mu.wordpress.org/changeset/1235 I checked in changes to kses to allow the style attribute to be used in html tags.

    The style attribute value is filtered using a perhaps overly generous list of styles which in turn can be filtered using the 'safe_style_css' WP filter.

    I would really appreciate some feedback on this change, especially from a security perspective. The function safe_css_filter() does all the hard work, so please take it apart :)

  2. amanzi
    Member
    Posted 16 years ago #

    In my opinion, this change is unnecessary and should be left to the WPMU owners to implement through a plugin (like the one I created to allow video embedding.)

    But I don't see any obvious security issues here unless someone can do something funky using the float, height and width attributes to make an element appear like something it's not supposed to be. Perhaps you could leave out anything to do with positioning?

  3. donncha
    Key Master
    Posted 16 years ago #

    The new uploader uses styles for many things and unfortunately the old behaviour of MU would really screw that up.

    I will chop that list way down though, and you're right. The site owner can use a plugin to add new styles via the filter I added.

    See this bug report for more: http://trac.mu.wordpress.org/ticket/581

  4. andrea_r
    Moderator
    Posted 16 years ago #

    I would think the float would be one of the few things left, as many users might make use of it for image positioning.
    Just sticking in two Canadian cents, whatever they're worth these days. :D

  5. cafespain
    Member
    Posted 16 years ago #

    It's looking good, but I agree for the default to be only the styles that the editor uses and leave it up to plugin developers or site owners to add any extra styles that their plugins/users would require.

    My plugin adds a lot more than is really necessary, and I'll probably remove a lot of the un-needed stuff as my users generally only want to "float" things left or right, size images or make the text a different colour. All of which should be safe enough to let out in the wild.

    Allowing absolute positioning of elements and changing the z-index are probably not recommended though.

    Rgds
    Barry

  6. moorezilla
    Member
    Posted 16 years ago #

    Canadian cents are worth more than ever these days... at least against the U.S. dollar! Guess it could be a travel year for Andrea!

  7. andrea_r
    Moderator
    Posted 16 years ago #

    Hey, I can *see* Maine from where I am. :D

  8. dbcohen
    Member
    Posted 16 years ago #

    Can someone clarify this - we no longer will be able to manipulate the list of allowed tags, just the style tag? Having a hard time understanding the code changes.

    If we can't manipulate all the tags allowed I have to agree with Amanzi.

  9. donncha
    Key Master
    Posted 16 years ago #

    dbcohen - you can manipulate the style attributes using a filter, as well as changing any of the allowed tags using another filter.

  10. dbcohen
    Member
    Posted 16 years ago #

    So edit_allowedtags and edit_allowedposttags are out, what is in their place?

  11. cafespain
    Member
    Posted 16 years ago #

    dbcohen: edit_allowedtags and edit_allowedposttags are still there and are used to filter the allowed tags and their attributes.
    This functionality is in addition, so you can also filter the allowed styles for tags.
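
As an added illustration (not part of the thread, and not the safe_css_filter() code from changeset 1235), the PHP sketch below shows the design discussed above: a short default allowlist of style properties that a site owner's callback can extend, playing the role of the 'safe_style_css' filter. The function names, the default list, the value pattern and the sample input are assumptions made for the example.

```php
<?php
// Illustrative sketch only: NOT the safe_css_filter() from changeset 1235.
// Every function name, the default list and the value pattern are assumptions.

// Short default allowlist: the properties the thread treats as safe to expose.
function example_default_styles(): array {
    return ['float', 'width', 'height', 'color'];
}

// Filter a style="" value against the allowlist. $adjust plays the role of the
// 'safe_style_css' filter; inside WordPress a plugin would register the same
// callback with add_filter('safe_style_css', $callback) instead of passing it in.
function example_filter_style(string $css, ?callable $adjust = null): string {
    $allowed = example_default_styles();
    if ($adjust !== null) {
        $allowed = $adjust($allowed);
    }
    $kept = [];
    foreach (explode(';', $css) as $declaration) {
        $parts = explode(':', $declaration, 2);
        if (count($parts) !== 2) {
            continue; // not a "property: value" pair
        }
        $property = strtolower(trim($parts[0]));
        $value    = trim($parts[1]);
        // Drop properties that are not on the list (position, z-index, ...).
        if (!in_array($property, $allowed, true)) {
            continue;
        }
        // Keep only plain values: letters, digits, '#', '%', '.', '-', spaces.
        if (!preg_match('/^[a-z0-9#%. -]+$/iD', $value)) {
            continue;
        }
        $kept[] = $property . ': ' . $value;
    }
    return implode('; ', $kept);
}

// Constructed sample input mixing allowed and positioning properties.
$input = 'float: left; position: absolute; z-index: 9999; width: 200px; '
       . 'color: #c00; text-align: center';

// Run with the default list.
echo example_filter_style($input), "\n";

// A site owner's callback adds one property, as a plugin would via the filter.
$extend = function (array $styles): array {
    $styles[] = 'text-align';
    return $styles;
};
echo example_filter_style($input, $extend), "\n";
```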
