Media: Prevent decoding attribute corrupting JSON data.

Workaround `wp_img_tag_add_decoding_attr()` potentially breaking JavaScript and JSON data by limiting the addition of the decoding attribute to image tags using unescaped double quoted attributes `src` attributes.

Props rodricus, TimothyBlynJacobs, joelmadigan, mw108, adamsilverstein, flixos90, desrosj, mukesh27, peterwilsoncc.
Merges [54802] to the 6.1 branch.
Fixes #56969.

git-svn-id: https://develop.svn.wordpress.org/branches/6.1@54807 602fd350-edb4-49c9-b593-d223f7449a82

src/wp-includes/media.php

@@ -1962,6 +1962,12 @@ function wp_img_tag_add_loading_attr( $image, $context ) {
  * @return string Converted `img` tag with `decoding` attribute added.
  */
 function wp_img_tag_add_decoding_attr( $image, $context ) {
+	// Only apply the decoding attribute to images that have a src attribute that
+	// starts with a double quote, ensuring escaped JSON is also excluded.
+	if ( false === strpos( $image, ' src="' ) ) {
+		return $image;
+	}
+
 	/**
 	 * Filters the `decoding` attribute value to add to an image. Default `async`.
 	 *

tests/phpunit/tests/media.php

@@ -3162,6 +3162,28 @@ EOF;
 		$this->assertStringNotContainsString( ' loading=', $img );
 	}
 
+	/**
+	 * Test that decoding="async" is not applied to img tags with single quotes.
+	 *
+	 * @ticket 56969
+	 */
+	public function test_wp_img_tag_add_decoding_attr_with_single_quotes() {
+		$img = "<img src='example.png' alt='' width='300' height='225' />";
+		$img = wp_img_tag_add_decoding_attr( $img, 'test' );
+		$this->assertStringNotContainsString( ' decoding="async"', $img );
+	}
+
+	/**
+	 * Test that decoding="async" is not applied to img tags inside JSON.
+	 *
+	 * @ticket 56969
+	 */
+	public function test_decoding_async_not_applied_to_json() {
+		$content = '{"image": "<img src=\"example.png\" alt=\"\" width=\"300\" height=\"225\" />"}';
+		$content = wp_filter_content_tags( $content );
+		$this->assertStringNotContainsString( ' decoding="async"', $content );
+	}
+
 	/**
 	 * @ticket 50756
 	 */