KSES: Support the video element's playsinline attribute.

Allow users without the `unfiltered_html` capability to use the `playsinline` attribute when embedding videos. Additionally this adds unit tests for passing the video element through kses. Fixes #50167. See #29826. git-svn-id: https://develop.svn.wordpress.org/trunk@47837 602fd350-edb4-49c9-b593-d223f7449a82
WordPress · May 21, 2020 · 09a6234 · 09a6234
1 parent e834dc8
commit 09a6234
Show file tree

Hide file tree

Showing 2 changed files with 65 additions and 9 deletions.
diff --git a/src/wp-includes/kses.php b/src/wp-includes/kses.php
@@ -397,15 +397,16 @@
 		),
 		'var'        => array(),
 		'video'      => array(
-			'autoplay' => true,
-			'controls' => true,
-			'height'   => true,
-			'loop'     => true,
-			'muted'    => true,
-			'poster'   => true,
-			'preload'  => true,
-			'src'      => true,
-			'width'    => true,
+			'autoplay'    => true,
+			'controls'    => true,
+			'height'      => true,
+			'loop'        => true,
+			'muted'       => true,
+			'playsinline' => true,
+			'poster'      => true,
+			'preload'     => true,
+			'src'         => true,
+			'width'       => true,
 		),
 	);
 

diff --git a/tests/phpunit/tests/kses.php b/tests/phpunit/tests/kses.php
@@ -63,6 +63,61 @@ function test_wp_filter_post_kses_a() {
 		}
 	}
 
+	/**
+	 * Test video tag.
+	 *
+	 * @ticket 50167
+	 * @ticket 29826
+	 * @dataProvider data_wp_kses_video
+	 *
+	 * @param string $source   Source HTML.
+	 * @param string $context  Context to use for parsing source.
+	 * @param string $expected Expected output following KSES parsing.
+	 * @return void
+	 */
+	function test_wp_kses_video( $source, $context, $expected ) {
+		$actual = wp_kses( $source, $context );
+		$this->assertSame( $expected, $actual );
+	}
+
+	/**
+	 * Data provider for test_wp_kses_video
+	 *
+	 * @return array[] Array containing test data {
+	 *     @type string $source   Source HTML.
+	 *     @type string $context  Context to use for parsing source.
+	 *     @type string $expected Expected output following KSES parsing.
+	 * }
+	 */
+	function data_wp_kses_video() {
+		return array(
+			// Set 0: Valid post object params in post context.
+			array(
+				'<video src="movie.mov" autoplay controls height=9 loop muted poster="still.gif" playsinline preload width=16 />',
+				'post',
+				'<video src="movie.mov" autoplay controls height="9" loop muted poster="still.gif" playsinline preload width="16" />',
+			),
+			// Set 1: Valid post object params in data context.
+			array(
+				'<video src="movie.mov" autoplay controls height=9 loop muted poster="still.gif" playsinline preload width=16 />',
+				'data',
+				'',
+			),
+			// Set 2: Disallowed urls in post context.
+			array(
+				'<video src="bad://w.org/movie.mov" poster="bad://w.org/movie.jpg" />',
+				'post',
+				'<video src="//w.org/movie.mov" poster="//w.org/movie.jpg" />',
+			),
+			// Set 3: Disallowed attributes in post context.
+			array(
+				'<video onload="alert(1);" src="https://videos.files.wordpress.com/DZEMDKxc/video-0f9c363010.mp4" />',
+				'post',
+				'<video src="https://videos.files.wordpress.com/DZEMDKxc/video-0f9c363010.mp4" />',
+			),
+		);
+	}
+
 	/**
 	 * @ticket 20210
 	 */