From ed29edf5a04a3f7ce38ab4929a34a9649136c2a1 Mon Sep 17 00:00:00 2001
From: Aki Hamano
Date: Sat, 13 Jun 2026 22:59:30 +0900
Subject: [PATCH 1/2] KSES: Allow SVG presentation attributes in safe_style_css. `safecss_filter_attr()` only keeps an allowlist of CSS properties, so SVG presentation attributes such as `fill` and `stroke` are stripped from inline styles when SVG markup is sanitized with `wp_kses()`. Add the SVG-specific presentation attributes to the `safe_style_css` allowlist so they are preserved. Co-Authored-By: Claude
---
 src/wp-includes/kses.php | 50 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
diff --git a/src/wp-includes/kses.php b/src/wp-includes/kses.php
index a45d1697ea40a..82c6d1924a129 100644
--- a/src/wp-includes/kses.php
+++ b/src/wp-includes/kses.php
@@ -2579,6 +2579,7 @@ function safecss_filter_attr( $css, $deprecated = '' ) {
 * Filters the list of allowed CSS attributes.
 *
 * @since 2.8.1
+ * @since 7.1.0 Added support for SVG presentation attributes.
 *
 * @param string[] $attr Array of allowed CSS attributes.
 */
@@ -2737,6 +2738,55 @@ function safecss_filter_attr( $css, $deprecated = '' ) {
 'aspect-ratio',
 'container-type',
+ 'fill',
+ 'fill-opacity',
+ 'fill-rule',
+
+ 'stroke',
+ 'stroke-dasharray',
+ 'stroke-dashoffset',
+ 'stroke-linecap',
+ 'stroke-linejoin',
+ 'stroke-miterlimit',
+ 'stroke-opacity',
+ 'stroke-width',
+
+ 'color-interpolation',
+ 'color-interpolation-filters',
+ 'paint-order',
+ 'stop-color',
+ 'stop-opacity',
+ 'flood-color',
+ 'flood-opacity',
+ 'lighting-color',
+
+ 'marker',
+ 'marker-start',
+ 'marker-mid',
+ 'marker-end',
+
+ 'clip-rule',
+ 'mask-type',
+
+ 'cx',
+ 'cy',
+ 'r',
+ 'rx',
+ 'ry',
+ 'x',
+ 'y',
+ 'd',
+
+ 'alignment-baseline',
+ 'baseline-shift',
+ 'dominant-baseline',
+ 'glyph-orientation-horizontal',
+ 'glyph-orientation-vertical',
+ 'text-anchor',
+
+ 'shape-rendering',
+ 'vector-effect',
+
 // Custom CSS properties.
 '--*',
 )
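Review bot: The entries added in the second hunk apply to every element's `style` attribute that passes through `safecss_filter_attr()`, not only SVG markup, and several of them (`fill`, `stroke`, `marker`, `marker-start`, `marker-mid`, `marker-end`) take `url()` references in CSS. The value checks of `safecss_filter_attr()` are outside this hunk, so it cannot be confirmed from here whether `url()` is still rejected for these properties; that looks like the intended, safer behaviour and should be stated next to the list, for example `// SVG presentation attributes. url() values (paint servers, markers) stay disallowed.` above `'fill',`. The one-letter names `x`, `y`, `r` and `d` are easy to misread as typos in a sanitizer allowlist, so a short comment above `'cx',` such as `// SVG geometry properties.` would help, in the same way the existing `// Custom CSS properties.` comment labels `'--*'`.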
From 8703f791a98b6ff740880a027a388b137de0024d Mon Sep 17 00:00:00 2001
From: Aki Hamano
Date: Sat, 13 Jun 2026 23:05:26 +0900
Subject: [PATCH 2/2] KSES: Add tests for SVG presentation attributes in safe_style_css. Cover the SVG presentation attributes added to the `safe_style_css` allowlist to ensure they are preserved by `safecss_filter_attr()`. Co-Authored-By: Claude
---
 tests/phpunit/tests/kses.php | 38 ++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
diff --git a/tests/phpunit/tests/kses.php b/tests/phpunit/tests/kses.php
index db507a6b26550..871723b98361c 100644
--- a/tests/phpunit/tests/kses.php
+++ b/tests/phpunit/tests/kses.php
@@ -1000,6 +1000,7 @@ public function test_wp_kses_attr_no_attributes_allowed_with_false() {
 * @ticket 58551
 * @ticket 60132
 * @ticket 64414
+ * @ticket 65457
 *
 * @dataProvider data_safecss_filter_attr
 *
@@ -1473,6 +1474,43 @@ public function data_safecss_filter_attr() {
 'css' => 'display: grid',
 'expected' => 'display: grid',
 ),
+ // SVG presentation attributes introduced in 7.1.0.
+ array(
+ 'css' => 'fill: none',
+ 'expected' => 'fill: none',
+ ),
+ array(
+ 'css' => 'fill-rule: evenodd',
+ 'expected' => 'fill-rule: evenodd',
+ ),
+ array(
+ 'css' => 'stroke: red',
+ 'expected' => 'stroke: red',
+ ),
+ array(
+ 'css' => 'stroke-width: 2',
+ 'expected' => 'stroke-width: 2',
+ ),
+ array(
+ 'css' => 'stroke-linecap: round',
+ 'expected' => 'stroke-linecap: round',
+ ),
+ array(
+ 'css' => 'paint-order: stroke',
+ 'expected' => 'paint-order: stroke',
+ ),
+ array(
+ 'css' => 'vector-effect: non-scaling-stroke',
+ 'expected' => 'vector-effect: non-scaling-stroke',
+ ),
+ array(
+ 'css' => 'clip-rule: evenodd',
+ 'expected' => 'clip-rule: evenodd',
+ ),
+ array(
+ 'css' => 'text-anchor: middle',
+ 'expected' => 'text-anchor: middle',
+ ),
 );
 }
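Review bot: The cases added to `data_safecss_filter_attr()` in the second hunk only assert that plain keyword and number values survive, so nothing pins what the sanitizer does with function-style values on the newly allowed properties. An allowlist change in a sanitizer should come with at least one rejection case, for example a constructed entry `'css' => 'fill: url(https://example.org/p.svg#a)',` paired with the output the project intends (presumably `'expected' => '',`, to be confirmed against the value checks in `safecss_filter_attr()`, which this patch does not show). The geometry properties (`cx`, `cy`, `r`, `rx`, `ry`, `x`, `y`, `d`) and the `marker*` properties from the first patch have no case at all. The data provider starts outside this hunk.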