Make WordPress Core


Timestamp:
06/15/2024 06:31:24 AM (8 months ago)
Author:
dmsnell
Message:

KSES: Preserve some additional invalid HTML comment syntaxes.

When wp_kses_split processes a document it attempts to leave HTML comments
alone. It makes minor adjustments, but leaves the comments in the document in
its output. Unfortunately it only recognizes one kind of HTML comment and
rejects many others.

This patch makes a minor adjustment to the algorithm in wp_kses_split to
recognize and preserve an additional kind of HTML comment: closing tags with
an invalid tag name, e.g. </%dolly>.

These invalid closing tags must be interpreted as comments by a browser.
This bug fix aligns the implementation of wp_kses_split() more closely
with its stated goal of leaving HTML comments as comments.

It doesn't attempt to fully fix the mis-parsed comments, but it does propose a
minor fix that hopefully won't break any existing code or projects.

Developed in https://github.com/WordPress/wordpress-develop/pull/6395
Discussed in https://core.trac.wordpress.org/ticket/61009

Props ellatrix, dmsnell, joemcgill, jorbin, westonruter, zieladam.
See #61009.
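How a browser's tokenizer decides which of these syntaxes become comments, as an added example (not part of this changeset or of KSES itself), following the WHATWG tokenizer states the commit message refers to; `html_token_kind_at()` is a hypothetical helper name:

```php
<?php
/**
 * Classifies the markup starting at the "<" at byte offset $at the way a
 * browser's HTML tokenizer does (tag open, end tag open and markup
 * declaration open states). Hypothetical helper for illustration; not KSES code.
 *
 * @return string One of 'comment', 'bogus-comment', 'doctype', 'start-tag',
 *                'end-tag', 'ignored' or 'text'.
 */
function html_token_kind_at( string $markup, int $at = 0 ): string {
	if ( ! isset( $markup[ $at ] ) || '<' !== $markup[ $at ] ) {
		return 'text';
	}
	$next = $markup[ $at + 1 ] ?? '';

	if ( '!' === $next ) {
		// Markup declaration open state: only "--" opens a normative comment.
		if ( '--' === substr( $markup, $at + 2, 2 ) ) {
			return 'comment';
		}
		if ( 0 === strncasecmp( substr( $markup, $at + 2, 7 ), 'DOCTYPE', 7 ) ) {
			return 'doctype';
		}
		// Anything else ("<!foo", and "<![CDATA[" outside foreign content) is a bogus comment.
		return 'bogus-comment';
	}
	if ( '?' === $next ) {
		// "<?" is always a bogus comment in HTML, e.g. a stray XML declaration.
		return 'bogus-comment';
	}
	if ( '/' === $next ) {
		// End tag open state: the tag name must start with an ASCII letter.
		$after = $markup[ $at + 2 ] ?? '';
		if ( 1 === preg_match( '/^[A-Za-z]/', $after ) ) {
			return 'end-tag';
		}
		if ( '>' === $after ) {
			return 'ignored'; // "</>" is a parse error and emits nothing.
		}
		if ( '' === $after ) {
			return 'text'; // "</" at end of input is emitted as literal text.
		}
		return 'bogus-comment'; // "</%dolly>" and "<//not a tag>" land here.
	}
	if ( 1 === preg_match( '/^[A-Za-z]/', $next ) ) {
		return 'start-tag';
	}
	return 'text'; // A lone "<" followed by anything else is literal text.
}

// Constructed samples, including the two cases from the data provider below.
foreach ( array( '<!-- this is a comment -->', '</%dolly>', '<//not a tag>', '</div>', '<?xml version="1.0"?>', '</>' ) as $sample ) {
	printf( "%-28s %s\n", $sample, html_token_kind_at( $sample ) );
}
```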

File:
1 edited

  • trunk/tests/phpunit/tests/kses.php

    r58294 r58418  
    19331933
    19341934    /**
     1935     * Ensures that `wp_kses()` preserves various kinds of HTML comments, both valid and invalid.
     1936     *
     1937     * @ticket 61009
     1938     *
     1939     * @param string $html_comment    HTML containing a comment; must not be a valid comment
     1940     *                                but must be syntax which a browser interprets as a comment.
     1941     * @param string $expected_output How `wp_kses()` ought to transform the comment.
     1942     */
     1943    public function wp_kses_preserves_html_comments( $html_comment, $expected_output ) {
     1944        $this->assertSame(
     1945            $expected_output,
     1946            wp_kses( $html_comment, array() ),
     1947            'Failed to properly preserve HTML comment.'
     1948        );
     1949    }
     1950
     1951    /**
     1952     * Data provider.
     1953     *
     1954     * @return array[].
     1955     */
     1956    public static function data_html_containing_various_kinds_of_html_comments() {
     1957        return array(
     1958            'Normative HTML comment'            => array( 'before<!-- this is a comment -->after', 'before<!-- this is a comment -->after' ),
     1959            'Closing tag with invalid tag name' => array( 'before<//not a tag>after', 'before<//not a tag>after' ),
     1960        );
     1961    }
     1962
     1963    /**
    19351964     * Test that attributes with a list of allowed values are filtered correctly.
    19361965     *
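Review bot: as written, the new test in this hunk never runs: `wp_kses_preserves_html_comments` (line 1943) lacks the `test_` prefix PHPUnit uses to discover test methods, and its docblock (lines 1935 to 1942) has no `@dataProvider data_html_containing_various_kinds_of_html_comments` tag, so the provider defined at line 1956 is never wired to it. Suggest renaming the method to `test_wp_kses_preserves_html_comments` and adding `@dataProvider data_html_containing_various_kinds_of_html_comments` under `@ticket 61009`. The `@param string $html_comment` description also says the input "must not be a valid comment", yet the first provider case is the normative `<!-- this is a comment -->`; reword it to cover both valid and invalid comments, as the summary line already does. Nit: `@return array[].` carries a stray trailing period.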