New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add new theme_support type: body-only #872
Conversation
Add 'body-only' to theme_support case statement. Add a check for 'body-only' themes to template-loader. Add output functions for top and bottom of HTML document, using a standard filtering function. Add new standard filtering function 'cp_attributes' to filter and escape attributes. Add test cases for new 'cp_attributes' function.
Hi @joyously! 👋 |
This pull request has been mentioned on ClassicPress Forums. There might be relevant details there: https://forums.classicpress.net/t/make-core-in-charge-of-front-end-output/3649/5 |
Does the |
Two things actually. ClassicPress/src/wp-includes/theme.php Lines 2527 to 2539 in 049fafa
|
Gotcha, so a theme which deferred to core to power header, footer would inherently get all the things the |
As mentioned on Slack, I was trying to figure a way to make sure that |
Not sure if this is the right place to ask this question, but it does seem germane. Why does the HTML5 version of the comment form add the |
I would guess (just a guess) that the validation is already being done on the server, and so to prevent two different experiences and/or extra scripting needed for legacy to look like HTML5 for client side validation which is unneeded anyway, it's better to put |
But wouldn't that be true of the HTML4 version of the comment form? Anyway, on a project where I'm adding other required fields to the comment form, I had to resort to using the HTML4 version so that I could get the form to be validated. Just to be clear, I am sanitizing server-side, but it would be very annoying for someone to lose their whole comment because the required field wasn't completed, when simple client-side validation would prevent this. |
I went ahead and looked for the ticket and found |
Thanks for finding that, @joyously . I read through that and related tickets, and it all seems a lot of "there be dragons" discussion where they seem unable to pin down what they're afraid of. Very odd. |
It does bring up a good point for how the HTML5 support is done, and what is the scope of back-compat that is desired for themes going forward. |
This makes sense to me. It's presumably not a breaking change either, because (a) the browsers that don't support HTML5 are browsers CP doesn't support anyway and (b) those browsers will just fall back to (As for the validation issue, having read all the threads about the issue, I reverted to using the HTML5 version of the comment form and then used an output buffer to capture the form and remove the |
Assuming "it" is removing the checks for the html5 option, let me just say that back-compat has less to do with the browser support than with older themes written to style the older markup. |
It occurred to me that there is code to load the wp-includes/theme-compat files for header.php and footer.php, which could be affected by this change. However, those are both deprecated since WP 3.0, so would it make sense to remove them or to check for the theme support? |
This pull request has been mentioned on ClassicPress Forums. There might be relevant details there: https://forums.classicpress.net/t/introduction-of-a-credit-function-in-the-theme/3976/11 |
This pull request has been mentioned on ClassicPress Forums. There might be relevant details there: |
We should bring this PR up at the next meeting. This seems reasonable and no one has said it's a bad idea. |
This pull request has been mentioned on ClassicPress Forums. There might be relevant details there: https://forums.classicpress.net/t/classicpress-specific-themes/4014/23 |
…evelop' into body-only
Today someone in the WP pluginreview Slack channel was talking about a function to output the attributes, and their snippet was similar to the last part of my function. Someone pointed out that |
We should make that change if that was the WP assertion, I wonder if the function name may need to be reconsidered too to more broadly describe what it is doing - it handles more than attributes if it takes the attribute names as inputs too. |
Since WP doesn't have this function (it was ignored when I proposed it there), so it's not a"WP assertion"; just a comment in Slack. As for the name, I'm open to suggestions if you think it is handling more than attributes. Lots of filters on arrays utilize the key and the value, but it's all attributes. |
I don't really see a semantic difference between an assertion and a comment, the word assertion means to state something positively to me, so I'm not sure why the need to be adversarial. If As for the function name, I honestly don't really know. I do like the Whatever we settle on (an it may not even change) the filter names may need amending too. |
I wasn't being adversarial. I was clarifying that it was not an official WP assertion (no code or document stating it), but simply one contributor's comment in Slack about some code for a plugin. The question is whether core functions need to sanitize the attribute name at all. There are core functions that filter attribute arrays, and don't modify them before using them. That could be amended with I don't see any point in adding another noun to the name. If anything, it should be a verb, but I didn't want it to be a long function name since it should be used a lot in themes and other functions that output HTML. And yes, if the name is changed, I have to change it everywhere in my PR. |
I would sound definitely yes. There is a filter in the code, and any nefarious theme or plugin may be able to leverage the filter, so anything passed though it should be sanitised and escaped. |
This sort of question has come up often at WP: should core escape translated text? They always answer no, even though translated text is filtered. The theme team nudges themes to escape their translations, though. A quick search shows I did see the |
Do you know the WP rationale for this? I'm presuming it is for backwards compatibility with the available themes they have open to them. If that is the case, perhaps we should have higher aspirations.
I can accept that logic but given we are going to allow plugins from anywhere with the Plugin URL header we cannot vet all plugins so security should arguably be stronger in the core.
It is worth adding that function into CP if it delivers something the project may find useful? |
No, I think it's mostly because it is not necessarily output at the point of translation. (escape on output, because you need context) Most core translations are seen in the admin, login screen, comments, admin bar. The theme doesn't do any of that and has its own translations for any options(admin) or rare front end stuff like Next, Previous, and screen reader text.
In this, we are no different from WP.
We might ought to investigate what else was added for KSES. |
Ah, that actually makes some sense based on the WP standards. There is no point doing any escaping in the
Maybe we can do better. I had not considered until now the risks this poses. Publish a plugin in the main repository that is reviewed and published, but include a header tag to enable updates from your own server. Then add a more recent version on your own server that contains pretty much the same plugin with the addition of a back door for you into any site your plugin is installed on - and with automatic updates you could have a lot of compromised site open to you.
Certainly worth looking at but probably shouldn't hold this PR up - for this we need to satisfy ourselves that we are escaping data immediately before it is output and with the most appropriate and efficient function. And decide what we are calling the function and filters. |
WP does not allow code updates from plugins in its repository. I have advocated for the same restriction for the CP directory. I refuse to use plugins that are self-updating. Please see discussion surrounding https://classicpress.slack.com/archives/C03N696QLRJ/p1664899139545299 and my comment on the recently merged PR for the |
Discussed at weekly review and agreed for merge. |
This is to implement the petition for core to have more control over the front end.
Motivation and context
The two main goals are
wp_head()
,wp_footer()
,wp_body_open()
are handled by core, not the themeThe approach used is to add a new theme_support called
'body-only'
with the intent that the theme is written to handle the HTML that goes in the body of the page, and expects core to do the rest (enqueuing scripts and styles is unaffected).The theme_support code calls for
'automatic-feed-links'
,'title-tag'
, and'html5'
.The template loader checks for
'body-only'
and calls two new functionsdo_html5_header
anddo_html5_footer
. It's important that theinclude
for the template file remains as-is, so that the scope of variables in the template file is not affected.To make the
<head>
section HTML flexible, the attributes are filtered using a new functioncp_attributes
. Themes would be able to use the same function to get a standardized way to filter HTML attributes. The existing filters are unaffected.Future enhancements can be made easily by using
cp_attributes
in core functions that generate HTML. (See #792 (comment))For themes:
There's no enforcement of using the
cp_attributes
function, but it would be expected if callingadd_theme_support('body-only')
.The changes needed for a
'body-only'
theme:add_theme_support('body-only')
<body>
tagwp_footer()
,</body>
, and</html>
'cp_attributes'
filterHow has this been tested?
PR includes tests for new cp_attributes function.
I made minor changes to a copy of Twenty Fifteen and ran it locally to test the other changes.
Types of changes
New feature