Make WordPress Core

Changeset 58980


Ignore:
Timestamp:
09/03/2024 08:13:38 PM (2 months ago)
Author:
hellofromTonya
Message:

HTML API: Indicate when WordPress rejects attribute updates.

When setting an an attribute value in the HTML API, WordPress may reject
an update based on rules in kses. In these cases, the return value from
an escaping function will be an empty string, and the HTML API should
reject the update. Unfortunately, it currently reports that it updates the
attribute but sets an empty string value, which is misleading.

In this changeset, the HTML API will refuse the attribute update and return
false to indicate as much when WordPress rejects the updates.

Reviewed by jorbin, hellofromTonya.
Merges [58844] to the 6.6 branch.

Follow-up to [58472].

Props amitraj2203, dmsnell, mukesh27.
Fixes #61719.

Location:
branches/6.6
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • branches/6.6

  • branches/6.6/src/wp-includes/html-api/class-wp-html-tag-processor.php

    r58559 r58980  
    29812981             */
    29822982            $escaped_new_value = in_array( $comparable_name, wp_kses_uri_attributes() ) ? esc_url( $value ) : esc_attr( $value );
     2983
     2984            // If the escaping functions wiped out the update, reject it and indicate it was rejected.
     2985            if ( '' === $escaped_new_value && '' !== $value ) {
     2986                return false;
     2987            }
     2988
    29832989            $updated_attribute = "{$name}=\"{$escaped_new_value}\"";
    29842990        }
Note: See TracChangeset for help on using the changeset viewer.