Changeset 62433

Timestamp:

05/31/2026 07:30:28 AM (20 hours ago)

Author:

dmsnell

Message:

KSES: Decode style attribute before sending to safecss_filter_attr().

safecss_filter_attr() assumes that it receives already-unescaped HTML
attribute values. For example, consider the raw HTML string:

style="background:url("bg.png")"

This should be decoded and passed into safecss_filter_attr() as:

background:url("bg.png")

Unfortuantely this hasn’t been done in wp_kses_attr_check(), which
takes the output from wp_kses_hair() and sends it directly to the
filtering function.

In this patch, wp_kses_attr_check() unescapes the style attribute,
filters it, and then re-escapes it when updating the style value.

Tests added by Codex

Developed in: ​https://github.com/WordPress/wordpress-develop/pull/11868
Discussed in: https://core.trac.wordpress.org/ticket/65270

Props dmsnell, westonruter.
Fixes #65270.

Location:

trunk

Files:

• src/wp-includes/kses.php (modified) (4 diffs)
• tests/phpunit/tests/kses.php (modified) (1 diff)

trunk/src/wp-includes/kses.php

@@ -1557 +1557 @@
 
     if ( 'style' === $name_low ) {
-        $new_value = safecss_filter_attr( $value );
+        $decoded_value = WP_HTML_Decoder::decode_attribute( $value );
+        $new_value     = safecss_filter_attr( $decoded_value );
 
         if ( empty( $new_value ) ) {
@@ -1566 +1567 @@
         }
 
-        $whole = str_replace( $value, $new_value, $whole );
-        $value = $new_value;
+        if ( $new_value !== $decoded_value ) {
+            $encoded_value = esc_attr( $new_value );
+            $whole         = str_replace( $value, $encoded_value, $whole );
+            $value         = $encoded_value;
+        }
     }
 
@@ -2555 +2559 @@
  * @since 6.9.0 Added support for `white-space`.
  *
- * @param string $css        A string of CSS rules.
+ * @param string $css        A string of CSS rules, decoded from an HTML `style` attribute.
  * @param string $deprecated Not used.
- * @return string Filtered string of CSS rules.
+ * @return string Filtered string of CSS rules, needing HTML escaping before sending back to a `style` attribute.
  */
 function safecss_filter_attr( $css, $deprecated = '' ) {
@@ -2569 +2573 @@
     $allowed_protocols = wp_allowed_protocols();
 
+    /** @todo Parse enough CSS to split rules without breaking on things like quoted strings. */
     $css_array = explode( ';', trim( $css ) );
 

trunk/tests/phpunit/tests/kses.php

@@ -1585 +1585 @@
 
     /**
+     * Tests that style attribute values are decoded before CSS filtering.
+     *
+     * @ticket 65270
+     *
+     * @dataProvider data_wp_kses_style_attr_decodes_entities_before_css_filtering
+     *
+     * @param string $content  A string of HTML to test.
+     * @param string $expected Expected result after passing through KSES.
+     */
+    public function test_wp_kses_style_attr_decodes_entities_before_css_filtering( $content, $expected ) {
+        $allowed_html = array(
+            'div' => array(
+                'style' => true,
+            ),
+        );
+
+        $this->assertEqualHTML( $expected, wp_kses( $content, $allowed_html ) );
+    }
+
+    /**
+     * Data provider for test_wp_kses_style_attr_decodes_entities_before_css_filtering().
+     *
+     * @return array[]
+     */
+    public function data_wp_kses_style_attr_decodes_entities_before_css_filtering() {
+        return array(
+            'background image URL with single quotes' => array(
+                '<div style="background-image: url(\'https://localhost/image.jpg\');"></div>',
+                '<div style="background-image: url(&#039;https://localhost/image.jpg&#039;)"></div>',
+            ),
+            'background image URL with entity-encoded double quotes' => array(
+                '<div style="background-image: url(&quot;https://localhost/image.jpg&quot;);"></div>',
+                '<div style="background-image: url(&quot;https://localhost/image.jpg&quot;)"></div>',
+            ),
+            'background image URL with query string ampersand' => array(
+                '<div style="background-image: url(https://localhost/image.jpg?a=1&b=2);"></div>',
+                '<div style="background-image: url(https://localhost/image.jpg?a=1&amp;b=2)"></div>',
+            ),
+            'background image URL followed by another declaration' => array(
+                '<div style="background-image:url(\'https://localhost/image.jpg\');background-size:cover;"></div>',
+                '<div style="background-image:url(&#039;https://localhost/image.jpg&#039;);background-size:cover"></div>',
+            ),
+        );
+    }
+
+    /**
      * Test URL sanitization in the style tag.
      *