Changeset 61418 for trunk/src/wp-includes/class-wp-styles.php

Timestamp:

12/30/2025 01:01:11 PM (3 months ago)

Author:

jonsurrell

Message:

Use the HTML API to generate style tags.

The HTML API escapes <style> tag contents to ensure the correct HTML structure. Common HTML escaping is unsuitable for <style> tags because they contain "raw text." The additional safety allows other restrictions, such as rejecting content with <>, to be relaxed or removed because the resulting tag will be well-formed.

Developed in ​https://github.com/WordPress/wordpress-develop/pull/10656.

Props jonsurrell, westonruter, dmsnell, ramonopoly, soyebsalar01, drw158, sabernhardt.
See #64418.

File:

• trunk/src/wp-includes/class-wp-styles.php (modified) (2 diffs)

trunk/src/wp-includes/class-wp-styles.php

@@ -159 +159 @@
 
         if ( $inline_style ) {
-            $inline_style_tag = sprintf(
-                "<style id='%s-inline-css'>\n%s\n</style>\n",
-                esc_attr( $handle ),
-                $inline_style
-            );
+            $processor = new WP_HTML_Tag_Processor( '<style></style>' );
+            $processor->next_tag();
+            $processor->set_attribute( 'id', "{$handle}-inline-css" );
+            $processor->set_modifiable_text( "\n{$inline_style}\n" );
+            $inline_style_tag = "{$processor->get_updated_html()}\n";
         } else {
             $inline_style_tag = '';
@@ -337 +337 @@
         }
 
-        printf(
-            "<style id='%s-inline-css'>\n%s\n</style>\n",
-            esc_attr( $handle ),
-            $output
-        );
+        $processor = new WP_HTML_Tag_Processor( '<style></style>' );
+        $processor->next_tag();
+        $processor->set_attribute( 'id', "{$handle}-inline-css" );
+        $processor->set_modifiable_text( "\n{$output}\n" );
+        echo "{$processor->get_updated_html()}\n";
 
         return true;