开发者 |
websevendev
jimedwards |
---|---|
更新时间 | 2024年9月7日 12:23 |
PHP版本: | 7.4 及以上 |
WordPress版本: | 6.6 |
版权: | GPLv2 or later |
版权网址: | 版权信息 |
onclick
, onchange
or onload
.
Demo
attributes-for-blocks.zip
file.attributes-for-blocks.zip
file to your WordPress installations ../wp-content/plugins
folder.In your selected block's inspector controls (Block settings) scroll all the way to the bottom and click on "Advanced". It should contain a section called "Additional attributes".
Type an attribute name into the "Add attribute" field and press "Add" to add an attribute for the block. A new input with the attribute's name should appear below, into which you can optionally insert the attribute value.
Example attributes: style
, title
, target
, class
, id
, onclick
, data-*
, aria-*
.
When the current user doesn't have unfiltered_html
capabilities attributes cannot be added and all existing attributes are stripped when the post is updated.
For regular blocks, attributes are added to the block save content's root element, meaning they will be rendered only on the front end and not in the editor. For dynamic blocks the attributes are added via render_callback
function and they may also be applied in the editor, depending if the block is rendered server or client side.
It should work with normal blocks that render a valid WP Element that can utilize the blocks.getSaveContent.extraProps
filter as well as dynamic blocks that utilize a render_callback
. Third party blocks that do something unorthodox may not work.
Known unsupported blocks
@
prefix in an attribute name is used for "override" mode in this plugin, for Alpine.js attributes use x-on:click
instead of @click
or use the shorthand syntax with two @
characters instead of one: @@click
.
The afb_unsupported_blocks
filter can be used in your child theme's functions.php
file to disable block support for adding additional attributes.
add_filter('afb_unsupported_blocks', function($blocks) {
$blocks[] = 'core/button';
return $blocks;
});
Blocks with custom attributes may become invalid, depending on which attributes you've added. From there you can recover the block without the custom attributes by clicking "Attempt Block Recovery" or keep the block with custom attributes as HTML by choosing "Convert to HTML". If you don't want to risk blocks becoming invalid you need to remove all custom attributes before disabling the plugin.
You can modify which roles have the unfiltered_html
capability using custom code in your theme's functions.php
file or via a custom plugin. Only grant this capability if you trust the current and future users of that role to not do anything malicious.
add_action('init', function() {
if($role = get_role('contributor')) {
$role->add_cap('unfiltered_html');
}
});
current_user_can
check in pre_kses
when SECURE_AUTH_COOKIE
isn't defined.current_user_can
check in pre_kses
when WP pluggable functions aren't loaded.unfiltered_html
capability can no longer add attributes. When a user without the capability updates a post all existing attributes are stripped. Issue discovered by Francesco Carlucci (CVE ID: CVE-2024-8318, CVSS Severity Score: 6.4 (Medium)). The vulnerability made it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accessed an injected page.@wordpress/*
packages.@wordpress/*
packages.WP_HTML_Tag_Processor
for adding HTML attributes.afb_sanitize_attribute_key
and afb_sanitize_attribute_value
filters (now handled by WP_HTML_Tag_Processor
).render_block
filter to apply attributes instead of overriding block's render_callback
.$attribute
param to afb_attribute_separator
filter.@wordpress/*
packages.afb_sanitize_attribute_key
and afb_sanitize_attribute_value
filters.@wordpress/*
packages.@wordpress/*
packages.src
folder from plugin.