Changeset 58897

Timestamp:

08/14/2024 07:49:03 PM (13 months ago)

Author:

dmsnell

Message:

HTML API: Use strict in_array comparison for checking URI attributes.

This patch modifies the URL-escaping code in the HTML API to rely on strict comparisons. This prevents accidental matching via type-coercion.

Developed in ​https://github.com/wordpress/wordpress-develop/pull/7196

Follow-up to [58473].
Props jonsurrell.

File:

• trunk/src/wp-includes/html-api/class-wp-html-tag-processor.php (modified) (1 diff)

trunk/src/wp-includes/html-api/class-wp-html-tag-processor.php

@@ -3668 +3668 @@
              * @see https://html.spec.whatwg.org/#attributes-3
              */
-            $escaped_new_value = in_array( $comparable_name, wp_kses_uri_attributes() ) ? esc_url( $value ) : esc_attr( $value );
+            $escaped_new_value = in_array( $comparable_name, wp_kses_uri_attributes(), true ) ? esc_url( $value ) : esc_attr( $value );
 
             // If the escaping functions wiped out the update, reject it and indicate it was rejected.