From 09a6234ed38bcd20c2171f06b94bc7b96aaae320 Mon Sep 17 00:00:00 2001
From: Peter Wilson <peterwilsoncc@git.wordpress.org>
Date: Thu, 21 May 2020 04:52:33 +0000
Subject: [PATCH] KSES: Support the `video` element's `playsinline` attribute.

Allow users without the `unfiltered_html` capability to use the `playsinline` attribute when embedding videos.

Additionally this adds unit tests for passing the video element through kses.

Fixes #50167. See #29826.


git-svn-id: https://develop.svn.wordpress.org/trunk@47837 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/kses.php     | 19 +++++++------
 tests/phpunit/tests/kses.php | 55 ++++++++++++++++++++++++++++++++++++
 2 files changed, 65 insertions(+), 9 deletions(-)

diff --git a/src/wp-includes/kses.php b/src/wp-includes/kses.php
index ae7cc0f411..1aace6c4fa 100644
--- a/src/wp-includes/kses.php
+++ b/src/wp-includes/kses.php
@@ -397,15 +397,16 @@ if ( ! CUSTOM_TAGS ) {
 		),
 		'var'        => array(),
 		'video'      => array(
-			'autoplay' => true,
-			'controls' => true,
-			'height'   => true,
-			'loop'     => true,
-			'muted'    => true,
-			'poster'   => true,
-			'preload'  => true,
-			'src'      => true,
-			'width'    => true,
+			'autoplay'    => true,
+			'controls'    => true,
+			'height'      => true,
+			'loop'        => true,
+			'muted'       => true,
+			'playsinline' => true,
+			'poster'      => true,
+			'preload'     => true,
+			'src'         => true,
+			'width'       => true,
 		),
 	);
 
diff --git a/tests/phpunit/tests/kses.php b/tests/phpunit/tests/kses.php
index a74903bd80..ab675abbc3 100644
--- a/tests/phpunit/tests/kses.php
+++ b/tests/phpunit/tests/kses.php
@@ -63,6 +63,61 @@ class Tests_Kses extends WP_UnitTestCase {
 		}
 	}
 
+	/**
+	 * Test video tag.
+	 *
+	 * @ticket 50167
+	 * @ticket 29826
+	 * @dataProvider data_wp_kses_video
+	 *
+	 * @param string $source   Source HTML.
+	 * @param string $context  Context to use for parsing source.
+	 * @param string $expected Expected output following KSES parsing.
+	 * @return void
+	 */
+	function test_wp_kses_video( $source, $context, $expected ) {
+		$actual = wp_kses( $source, $context );
+		$this->assertSame( $expected, $actual );
+	}
+
+	/**
+	 * Data provider for test_wp_kses_video
+	 *
+	 * @return array[] Array containing test data {
+	 *     @type string $source   Source HTML.
+	 *     @type string $context  Context to use for parsing source.
+	 *     @type string $expected Expected output following KSES parsing.
+	 * }
+	 */
+	function data_wp_kses_video() {
+		return array(
+			// Set 0: Valid post object params in post context.
+			array(
+				'<video src="movie.mov" autoplay controls height=9 loop muted poster="still.gif" playsinline preload width=16 />',
+				'post',
+				'<video src="movie.mov" autoplay controls height="9" loop muted poster="still.gif" playsinline preload width="16" />',
+			),
+			// Set 1: Valid post object params in data context.
+			array(
+				'<video src="movie.mov" autoplay controls height=9 loop muted poster="still.gif" playsinline preload width=16 />',
+				'data',
+				'',
+			),
+			// Set 2: Disallowed urls in post context.
+			array(
+				'<video src="bad://w.org/movie.mov" poster="bad://w.org/movie.jpg" />',
+				'post',
+				'<video src="//w.org/movie.mov" poster="//w.org/movie.jpg" />',
+			),
+			// Set 3: Disallowed attributes in post context.
+			array(
+				'<video onload="alert(1);" src="https://videos.files.wordpress.com/DZEMDKxc/video-0f9c363010.mp4" />',
+				'post',
+				'<video src="https://videos.files.wordpress.com/DZEMDKxc/video-0f9c363010.mp4" />',
+			),
+		);
+	}
+
 	/**
 	 * @ticket 20210
 	 */