Ticket #40680: 40680.patch

src/wp-includes/kses.php

@@ -828 +828 @@
                 $xhtml_slash = ' /';
 
         // Are any attributes allowed at all for this element?
-        if ( ! isset($allowed_html[strtolower($element)]) || count($allowed_html[strtolower($element)]) == 0 )
+        if ( ! isset( $allowed_html[ strtolower( $element ) ] ) || true === $allowed_html[ strtolower( $element ) ] || count( $allowed_html[ strtolower( $element ) ] ) == 0 ) {
                 return "<$element$xhtml_slash>";
+        }
 
         // Split it
         $attrarr = wp_kses_hair($attr, $allowed_protocols);

tests/phpunit/tests/kses.php

@@ -678 +678 @@
 
                 $this->assertEquals( $input, wp_kses( $input, $allowedposttags ) );
         }
+
+        /**
+         * @ticket 40680
+         */
+        function test_wp_kses_attr_no_attributes_allowed_with_empty_array() {
+                $element = 'foo';
+                $attribute = 'title="foo" class="bar"';
+
+                $this->assertEquals( "<{$element}>", wp_kses_attr( $element, $attribute, array( 'foo' => array() ), array() ) );
+        }
+
+        /**
+         * @ticket 40680
+         */
+        function test_wp_kses_attr_no_attributes_allowed_with_true() {
+                $element = 'foo';
+                $attribute = 'title="foo" class="bar"';
+
+                $this->assertEquals( "<{$element}>", wp_kses_attr( $element, $attribute, array( 'foo' => true ), array() ) );
+        }
+
+        /**
+         * @ticket 40680
+         */
+        function test_wp_kses_attr_single_attribute_is_allowed() {
+                $element = 'foo';
+                $attribute = 'title="foo" class="bar"';
+
+                $this->assertEquals( "<{$element} title=\"foo\">", wp_kses_attr( $element, $attribute, array( 'foo' => array( 'title' => true ) ), array() ) );
+        }
 }