BP Nouveau: restrict Messages UI editor buttons and allowed tags.

[imath]

Today the Messages UI editor loads default buttons, and allows the same tags than WordPress Posts. I think we should restrict this a little more.

NB: conparing to the src/bp-messages/bp-messages-filters.php where wp_filter_kses is used, i suggest something more permissive (eg: img) to justify the use of the editor.

I think as it's specific to BP Nouveau, we shouldn't edit src/bp-messages/bp-messages-filters.php to avoid possible impacts on BP Legacy so close to release though.

See attached patch, I'm basically allowing the same html tags than Activity content

[DJPaul]

Why is Nouveau allowing HTML in this panel? I assume the rest of BuddyPress and/or Legacy isn't?

[imath]

The idea was to improve the user experience when writing messages.

And yes you're right about the rest of BuddyPress and Legacy. Another option can be to remove the editor completely and stay with existing way of filtering the content.

I'm fine with both options ;)

[DJPaul]

Why make it in Nouveau, only, and not in BuddyPress core? Messing about with the sanitisation filters suggests something has been done wrong.

I think we need to remove lines 106-119 in ​https://buddypress.trac.wordpress.org/browser/trunk/src/bp-templates/bp-nouveau/includes/messages/loader.php#L106 and set those filters in bp-messages/filters.php (whatever the file is called, etc).

[DJPaul]

We can keep the TinyMCE in Nouveau only, that's fine, but if we're enhancing private messages to support HTML, let's do that in BuddyPress, proper.

[imath]

You're right. I'm going to update the patch this way.

[DJPaul]

I like it, much better, thanks.

Where did you get the whitelist of allowed HTML attributes from, by the way?

[imath]

yw :) From bp_activity_filter_kses(). Do you think having a bp_core_filter_kses() that would be used for activity and messages content would be a better idea to avoid duplicate code ?

[imath]

7795.3.patch introduces bp_get_allowedtags() that bp_activity_filter_kses() and bp_messages_filter_kses() are using to filter their activity/message content. Both of the functions are including a filter bp_[component]_allowed_tags in case developers want to extend one or the other or both.

[DJPaul]

looks good!

[imath]

Thanks a lot for your feedback 👍

[imath]

In 12067:

BP Nouveau: restrict the allowed HTML tags for Messages.

BP Nouveau is using the WP Editor to improve the user experience of the Messages component when people are writing a new message or replying to a thread. So far allowed HTML tags for the messages content *when BP Nouveau is the active template pack* were the same than WordPress Posts. When BP Nouveau is not the active template pack, the allowed tags are those of the WordPress global .

This commit is introducing a new function that is used to filter the allowed HTML tags for activity content and message content. It extends the with new tags (img, span, ul, ol & li) and leaves specific functions to the 2 components to include filters so that it is possible to restrict/extend allowed HTML tags for both content types or one of them. It also restricts the WP Editor available buttons when used into the BP Nouveau Messages UI so that they are consistent with the allowed HTML tags.

Props DJPaul

Fixes #7795