WordPress.org
Get WordPress

Make WordPress Core

Changeset 58969


Ignore:
Timestamp:
09/02/2024 10:26:22 PM (10 months ago)
Author:
dmsnell
Message:

HTML API: Replace null-bytes in class_list class names

As part of an audit of HTML API CSS behaviors, this patch resolves an issue with how the HTML API reports class names containing the NULL byte. NULL bytes should be replaced by the Unicode replacement character, U+FFFD, but previously weren't. This patch performs that replacement.

Developed in https://github.com/WordPress/wordpress-develop/pull/7187
Discussed in https://core.trac.wordpress.org/ticket/61531

Follow-up to [56703].

Props dmsnell, jonsurrell.
See #61531.

Location:
trunk
Files:
2 edited

Legend:

Unmodified
Added
Removed

  • trunk/src/wp-includes/html-api/class-wp-html-tag-processor.php

    r58925 r58969  
    11611161             * @see https://www.w3.org/TR/CSS2/syndata.html#x1
    11621162             */
    1163             $name = strtolower( substr( $class, $at, $length ) );
     1163            $name = str_replace( "\x00", "\u{FFFD}", strtolower( substr( $class, $at, $length ) ) );
    11641164            $at  += $length;
    11651165

  • trunk/tests/phpunit/tests/html-api/wpHtmlTagProcessor.php

    r58925 r58969  
    22352235
    22362236        $this->assertSame( array( 'one' ), $found_classes, 'Visited multiple copies of the same class name when it should have skipped the duplicates.' );
     2237    }
     2238
     2239    /**
     2240     * Ensures that null bytes are replaced with the replacement character (U+FFFD) in class_list.
     2241     *
     2242     * @ticket 61531
     2243     *
     2244     * @covers WP_HTML_Tag_Processor::class_list
     2245     */
     2246    public function test_class_list_null_bytes_replaced() {
     2247        $processor = new WP_HTML_Tag_Processor( "<div class='a \0 b\0 \0c\0'>" );
     2248        $processor->next_tag();
     2249
     2250        $found_classes = iterator_to_array( $processor->class_list() );
     2251
     2252        $this->assertSame( array( 'a', "\u{FFFD}", "b\u{FFFD}", "\u{FFFD}c\u{FFFD}" ), $found_classes );
     2253    }
     2254
     2255    /**
     2256     * Ensures that the tag processor matches class names with null bytes correctly.
     2257     *
     2258     * @ticket 61531
     2259     *
     2260     * @covers WP_HTML_Tag_Processor::has_class
     2261     */
     2262    public function test_has_class_null_byte_class_name() {
     2263        $processor = new WP_HTML_Tag_Processor( "<div class='null-byte-\0-there'>" );
     2264        $processor->next_tag();
     2265        $this->assertTrue( $processor->has_class( 'null-byte-�-there' ) );
    22372266    }
    22382267
Note: See TracChangeset for help on using the changeset viewer.