Send entire templates in Reader/Classic mode through the sanitizers #2202
Description
Currently only content (and the featured image) are sent through the sanitizers. This is the classic approach, and it is why there's the content in amp_content_sanitizers. However, limiting the sanitizers to the content has some problems which would be fixed by sanitizing the entire page:
- Markup that is output outside the content (such as in
amp_post_template_headoramp_post_template_footer) is not sent through the sanitizers, resulting in the possibility of invalid AMP pages when plugins don't implement AMP properly. This has come up frequently in the support forums. By sanitizing the entire document, this would no longer happen frequently. - The CSS in the Reader mode templates is output in a
style.phptemplate and theamp_post_template_cssaction. The style rules are not sent through the CSS sanitizer. This means that they are neither minified nor tree-shaken. If the entire template were sent through the sanitizers, then this would be a key benefit (and would resolve CSS in Reader mode is not minified #688). - By sending the entire reader mode templates through the sanitizers, this closer aligns with traditional theme templates and will facilitate transitioning from those classic post templates to standard theme templates (e.g. where
$this->load_parts()is not used). - There are currently two entirely different code-paths for Reader vs non-Reader modes. There are opportunities to better harmonize the two, if we can use the code in
AMP_Theme_Supportfor both.
This should make Reader mode templates available for Polylang to translate (topic).
By making Reader mode templates regular WordPress templates, we'll also be able to avoid situations where users copy Reader mode templates to be used in Transitional mode, only to find that they start getting fatal errors due to $this. (Examples: 1, 2, 3).
Update: This is probably a bit out of scope here. I think we should take the existing Reader mode post templates and port them to regular WordPress theme templates, but when we do so we need to introduce generic amp_head and amp_footer actions (and the like) which run instead of amp_post_template_head (à la wp_head) and amp_post_template_footer (à la wp_footer), similar to what we did for stories with amp_story_head. The amp_post_template_* actions should be deprecated because they are passed a AMP_Post_Template instance which is not relevant when templates can render any WordPress query, including index pages.