Changeset 61346 for trunk/src/wp-includes/html-api/class-wp-html-tag-processor.php

Timestamp:

12/03/2025 05:25:34 PM (8 hours ago)

Author:

jonsurrell

Message:

HTML API: Ensure correct encoding of modified class names.

Some class names with HTML character references could be mishandled, for example:

• Failure to remove an existing class like & with ::remove_class( '&' )
• Double-encoding of an existing class like & after a modification, becoming &

The second case manifested after double-encoding prevention was removed from ::set_attribute() in [60919].

Developed in ​https://github.com/WordPress/wordpress-develop/pull/10591.

Props jonsurrell, dmsnell.
Fixes #64340.

File:

• trunk/src/wp-includes/html-api/class-wp-html-tag-processor.php (modified) (1 diff)

trunk/src/wp-includes/html-api/class-wp-html-tag-processor.php

@@ -2343 +2343 @@
 
         if ( false === $existing_class && isset( $this->attributes['class'] ) ) {
-            $existing_class = substr(
-                $this->html,
-                $this->attributes['class']->value_starts_at,
-                $this->attributes['class']->value_length
+            $existing_class = WP_HTML_Decoder::decode_attribute(
+                substr(
+                    $this->html,
+                    $this->attributes['class']->value_starts_at,
+                    $this->attributes['class']->value_length
+                )
             );
         }