mirror_php/wordpress
1
0
Fork 0
mirror of git://develop.git.wordpress.org/ synced 2025-04-11 15:42:03 +02:00
Code Issues Actions11 Packages Projects Releases Wiki Activity

KSES: Allow leading trailing double hyphen in data attributes

Browse Source 
Expand allowable set of custom data attribute names to include those containing
leading, trailing, and double `-` characters. Previously, WordPress was
removing data attributes that are used in the Interactivity API. By allowing
these additional custom data attributes, the related Interactivity API
directives will preserve through `kses`.

For example, the Interactivity API frequently relies on custom data attributes
such as `data-wp-on--click="..."`. The change in [43981] would strip these out
of the processed HTML, however.

Developed in https://github.com/WordPress/wordpress-develop/pull/6598
Discussed in https://core.trac.wordpress.org/ticket/61052

Props cbravobernal, dmsnell, gziolo, jonsurrell.
Follow-up to [43981].
Fixes .


git-svn-id: https://develop.svn.wordpress.org/trunk@58294 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Dennis Snell 2024-06-03 13:24:25 +00:00
parent 86bfd17a8e
commit 89bec7acd8
2 changed files with 15 additions and 4 deletions
src/wp-includes
kses.php
tests/phpunit/tests
kses.php

5
src/wp-includes/kses.php

@ -1263,11 +1263,10 @@ function wp_kses_attr_check( &$name, &$value, &$whole, $vless, $element, $allowe
* `data-*` (not to be mixed with the HTML 4.0 `data` attribute, see
* https://www.w3.org/TR/html40/struct/objects.html#adef-data).
*
* Note: the attribute name should only contain `A-Za-z0-9_-` chars,
* double hyphens `--` are not accepted by WordPress.
* Note: the attribute name should only contain `A-Za-z0-9_-` chars.
*/
if ( str_starts_with( $name_low, 'data-' ) && ! empty( $allowed_attr['data-*'] )
&& preg_match( '/^data(?:-[a-z0-9_]+)+$/', $name_low, $match )
&& preg_match( '/^data-[a-z0-9_-]+$/', $name_low, $match )
) {
/*
* Add the whole attribute name to the allowed attributes and set any restrictions

14
tests/phpunit/tests/kses.php

@ -1362,12 +1362,24 @@ EOF;
* @ticket 33121
*/
public function test_wp_kses_attr_data_attribute_is_allowed() {
$test = '<div data-foo="foo" data-bar="bar" datainvalid="gone" data--invalid="gone" data-also-invalid-="gone" data-two-hyphens="remains">Pens and pencils</div>';
$test = '<div data-foo="foo" data-bar="bar" datainvalid="gone" data-two-hyphens="remains">Pens and pencils</div>';
$expected = '<div data-foo="foo" data-bar="bar" data-two-hyphens="remains">Pens and pencils</div>';
$this->assertSame( $expected, wp_kses_post( $test ) );
}
/**
* Data attributes with leading, trailing, and double "-" are globally accepted.
*
* @ticket 61052
*/
public function test_wp_kses_attr_data_attribute_hypens_allowed() {
$test = '<div data--leading="remains" data-trailing-="remains" data-middle--double="remains">Pens and pencils</div>';
$expected = '<div data--leading="remains" data-trailing-="remains" data-middle--double="remains">Pens and pencils</div>';
$this->assertSame( $expected, wp_kses_post( $test ) );
}
/**
* Ensure wildcard attributes block unprefixed wildcard uses.
*