Changeset 61346

Timestamp:

12/03/2025 05:25:34 PM (less than one hour ago)

Author:

jonsurrell

Message:

HTML API: Ensure correct encoding of modified class names.

Some class names with HTML character references could be mishandled, for example:

• Failure to remove an existing class like & with ::remove_class( '&' )
• Double-encoding of an existing class like & after a modification, becoming &

The second case manifested after double-encoding prevention was removed from ::set_attribute() in [60919].

Developed in ​https://github.com/WordPress/wordpress-develop/pull/10591.

Props jonsurrell, dmsnell.
Fixes #64340.

Location:

trunk

Files:

• src/wp-includes/html-api/class-wp-html-tag-processor.php (modified) (1 diff)
• tests/phpunit/tests/html-api/wpHtmlTagProcessor.php (modified) (2 diffs)

trunk/src/wp-includes/html-api/class-wp-html-tag-processor.php

@@ -2343 +2343 @@
 
         if ( false === $existing_class && isset( $this->attributes['class'] ) ) {
-            $existing_class = substr(
-                $this->html,
-                $this->attributes['class']->value_starts_at,
-                $this->attributes['class']->value_length
+            $existing_class = WP_HTML_Decoder::decode_attribute(
+                substr(
+                    $this->html,
+                    $this->attributes['class']->value_starts_at,
+                    $this->attributes['class']->value_length
+                )
             );
         }

trunk/tests/phpunit/tests/html-api/wpHtmlTagProcessor.php

@@ -2888 +2888 @@
             'HTML tag opening inside attribute value'      => array(
                 'input'    => '<pre id="<code" class="wp-block-code <code is poetry&gt;"><code>This &lt;is> a &lt;strong is="true">thing.</code></pre><span>test</span>',
-                'expected' => '<pre foo="bar" id="<code" class="wp-block-code &lt;code is poetry&amp;gt; firstTag"><code class="secondTag">This &lt;is> a &lt;strong is="true">thing.</code></pre><span>test</span>',
+                'expected' => '<pre foo="bar" id="<code" class="wp-block-code &lt;code is poetry&gt; firstTag"><code class="secondTag">This &lt;is> a &lt;strong is="true">thing.</code></pre><span>test</span>',
             ),
             'HTML tag brackets in attribute values and data markup' => array(
                 'input'    => '<pre id="<code-&gt;-block-&gt;" class="wp-block-code <code is poetry&gt;"><code>This &lt;is> a &lt;strong is="true">thing.</code></pre><span>test</span>',
-                'expected' => '<pre foo="bar" id="<code-&gt;-block-&gt;" class="wp-block-code &lt;code is poetry&amp;gt; firstTag"><code class="secondTag">This &lt;is> a &lt;strong is="true">thing.</code></pre><span>test</span>',
+                'expected' => '<pre foo="bar" id="<code-&gt;-block-&gt;" class="wp-block-code &lt;code is poetry&gt; firstTag"><code class="secondTag">This &lt;is> a &lt;strong is="true">thing.</code></pre><span>test</span>',
             ),
             'Single and double quotes in attribute value'  => array(
@@ -3030 +3030 @@
 
     /**
+     * @ticket 64340
+     */
+    public function test_class_changes_produce_correct_html() {
+        $processor = new WP_HTML_Tag_Processor( '<div class="&amp;">' );
+        $processor->next_tag();
+
+        $processor->add_class( '"' );
+        $processor->get_updated_html();
+
+        $processor->add_class( 'OK' );
+        $processor->get_updated_html();
+
+        $this->assertTrue( $processor->has_class( '&' ), 'Missing expected "&" class.' );
+        $this->assertTrue( $processor->has_class( '"' ), 'Missing expected \'"\' class.' );
+        $this->assertTrue( $processor->has_class( 'OK' ), 'Missing expected "OK" class.' );
+
+        $expected = '<div class="&amp; &quot; OK">';
+        $this->assertEqualHTML(
+            $expected,
+            $processor->get_updated_html(),
+            '<body>',
+            'HTML was not correctly updated after adding classes.'
+        );
+
+        $processor->remove_class( '&' );
+        $processor->get_updated_html();
+
+        $processor->remove_class( '"' );
+        $processor->get_updated_html();
+
+        $this->assertFalse( $processor->has_class( '&' ) );
+        $this->assertFalse( $processor->has_class( '"' ) );
+        $this->assertTrue( $processor->has_class( 'OK' ) );
+
+        $expected = '<div class="OK">';
+        $this->assertEqualHTML(
+            $expected,
+            $processor->get_updated_html(),
+            '<body>',
+            'HTML was not correctly updated after removing classes.'
+        );
+    }
+
+    /**
      * @covers WP_HTML_Tag_Processor::next_tag
      */