diff --git a/src/wp-includes/formatting.php b/src/wp-includes/formatting.php index 0e175f24e7..2d37d7f992 100644 --- a/src/wp-includes/formatting.php +++ b/src/wp-includes/formatting.php @@ -2058,8 +2058,10 @@ function sanitize_sql_orderby( $orderby ) { /** * Sanitizes an HTML classname to ensure it only contains valid characters. * - * Strips the string down to A-Z,a-z,0-9,_,-. If this results in an empty - * string then it will return the alternative value supplied. + * Strips the string down to A-Z,a-z,0-9,_,- and attempts to further adhere to + * the specification (@see https://www.w3.org/TR/CSS22/syndata.html#characters). + * If this results in an empty string then it will return the alternative + * value supplied. * * @todo Expand to support the full range of CDATA that a class attribute can contain. * @@ -2077,6 +2079,16 @@ function sanitize_html_class( $class, $fallback = '' ) { //Limit to A-Z,a-z,0-9,_,- $sanitized = preg_replace( '/[^A-Za-z0-9_-]/', '', $sanitized ); + //Replace digits, hyphen and double hyphen at begining of class name because + //they are not allowed as per spec. + $sanitized = preg_replace( array( + '/^[0-9]/', + '/^(-[0-9])|^(--)/', + ), array( + '_', + '__', + ), $sanitized); + if ( '' == $sanitized && $fallback ) { return sanitize_html_class( $fallback ); } diff --git a/tests/phpunit/tests/formatting/SanitizeClassName.php b/tests/phpunit/tests/formatting/SanitizeClassName.php new file mode 100644 index 0000000000..970059bba9 --- /dev/null +++ b/tests/phpunit/tests/formatting/SanitizeClassName.php @@ -0,0 +1,21 @@ + 'spaceseparated', + 'CASE_PRESERVED' => 'CASE_PRESERVED', + '$invalid^chars' => 'invalidchars', + '0starts-with-integer' => '_starts-with-integer', + '-starts-with--' => '-starts-with--', // this is allowed because the rule is /^-[0-9]/ + '-0starts-with-integer' => '__starts-with-integer', + '--starts-with---' => '__starts-with---', + ); + foreach ( $tests as $key => $value ) { + $this->assertEquals( $value, sanitize_html_class( $key ) ); + } + } +}