Changeset 61418 for trunk/src/wp-includes/fonts/class-wp-font-face.php

Timestamp:

12/30/2025 01:01:11 PM (2 months ago)

Author:

jonsurrell

Message:

Use the HTML API to generate style tags.

The HTML API escapes <style> tag contents to ensure the correct HTML structure. Common HTML escaping is unsuitable for <style> tags because they contain "raw text." The additional safety allows other restrictions, such as rejecting content with <>, to be relaxed or removed because the resulting tag will be well-formed.

Developed in ​https://github.com/WordPress/wordpress-develop/pull/10656.

Props jonsurrell, westonruter, dmsnell, ramonopoly, soyebsalar01, drw158, sabernhardt.
See #64418.

File:

• trunk/src/wp-includes/fonts/class-wp-font-face.php (modified) (2 diffs)

trunk/src/wp-includes/fonts/class-wp-font-face.php

@@ -93 +93 @@
         }
 
-        printf( $this->get_style_element(), $css );
+        $processor = new WP_HTML_Tag_Processor( '<style class="wp-fonts-local"></style>' );
+        $processor->next_tag();
+        $processor->set_modifiable_text( "\n{$css}\n" );
+        echo "{$processor->get_updated_html()}\n";
     }
 
@@ -195 +198 @@
 
     /**
-     * Gets the style element for wrapping the `@font-face` CSS.
-     *
-     * @since 6.4.0
-     *
-     * @return string The style element.
-     */
-    private function get_style_element() {
-        return "<style class='wp-fonts-local'>\n%s\n</style>\n";
-    }
-
-    /**
      * Gets the `@font-face` CSS styles for locally-hosted font files.
      *