List disallowed HTML tags when user cannot unfiltered_html

WordPress · Jul 1, 2017 · 98b8959 · 98b8959
1 parent e129e78
commit 98b8959
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 0 deletions.
diff --git a/blocks/library/html/index.js b/blocks/library/html/index.js
@@ -41,6 +41,9 @@ registerBlockType( 'core/html', {
 			this.state = {
 				preview: false,
 			};
+			const allowedHtmlTags = new Set( Object.keys( wp.editor.allowedPostHtml ) );
+			const unsafeHtmlTags = [ 'script', 'iframe', 'form', 'input', 'style' ];
+			this.disallowedHtmlTags = unsafeHtmlTags.filter( tag => ! allowedHtmlTags.has( tag ) );
 		}
 
 		preview() {
@@ -77,6 +80,17 @@ registerBlockType( 'core/html', {
 						<InspectorControls key="inspector">
 							<BlockDescription>
 								<p>{ __( 'Arbitrary HTML code.' ) }</p>
+								{ ! wp.editor.canUnfilteredHtml && this.disallowedHtmlTags.length > 0 &&
+									<p>
+										<span>{ __( 'Some HTML tags are not permitted, including:' ) }</span>
+										{ ' ' }
+										{ this.disallowedHtmlTags.map( ( tag, i ) => <span key={ i }>
+											{ 0 !== i && ', ' }
+											<code>{ tag }</code>
+										</span> ) }
+										{ '.' }
+									</p>
+								}
 							</BlockDescription>
 						</InspectorControls>
 					}

diff --git a/lib/client-assets.php b/lib/client-assets.php
@@ -445,6 +445,10 @@ function gutenberg_scripts_and_styles( $hook ) {
 		'before'
 	);
 
+	// Export data required by the Custom HTML block.
+	wp_add_inline_script( 'wp-editor', sprintf( 'wp.editor.canUnfilteredHtml = %s;', wp_json_encode( current_user_can( 'unfiltered_html' ) ) ) );
+	wp_add_inline_script( 'wp-editor', sprintf( 'wp.editor.allowedPostHtml = %s;', wp_json_encode( wp_kses_allowed_html( 'post' ) ) ) );
+
 	// Initialize the editor.
 	wp_add_inline_script( 'wp-editor', 'wp.api.init().done( function() { wp.editor.createEditorInstance( \'editor\', window._wpGutenbergPost ); } );' );