File Block: Set the download attribute as empty

[Copons]

Description

Replaces #10693

Set the File Block's "Download" button's download attribute as empty.

The addition of the download attribute for a tags to the wp_kses whitelist has been recently blocked (cc @pento):

The download attribute doesn't work on cross-origin links (eg, any site that uses a CDN for hosting uploads). I don't know that we necessarily need to account for this, but it is something to consider.

It's also a risk to allow the download filename to be set: for example, an author could upload my_definitely_not_suspicious_file.txt, but then set the download attribute to be CLICK_ME.bat, which isn't great. If we do allow the download attribute, it should only be allowed with no value.

Note

The attribute has been set as empty string (download="") instead of valueless (download or download={ true }) because in the latter case it was always stripped away at the first block update, breaking it altogether.

How has this been tested?

Manually on a local environment, checking for regressions.

Checklist:

• My code is tested.
• My code follows the WordPress code style.
• My code follows the accessibility standards.
• My code has proper inline documentation.

[tofumatt]

A test here would be appreciated, but looks good to me.

[tofumatt]

(Oh, never mind: you'll need to fix your snapshot test though; that test failure is legitimate.)

[pento]

This isn't going to work, KSES expects a valueless attribute to not have a value at all, not to have an empty value. (eg, <a download> is allowed, <a download=""> is not.)

[Copons]

@pento I'm not familiar with the serialization process of a block, but here for some reasons <a download> is stripped away on save/reload, while <a download=""> isn't (also see the inline comment in the previous version).

EDIT: scratch everything, this is why.