Make WordPress Core

Opened 21 months ago

Last modified 21 months ago

#56521 new defect (bug)

wp_kses wp_kses_hair fails to allow a valueless attribute when it is followed by /

Reported by: luistar15 Owned by:
Milestone: Awaiting Review Priority: normal
Severity: major Version: 6.0.2
Component: Security Keywords: has-patch
Focuses: Cc:


I have created a static Gutenberg block for managing forms.
The block generates <input> HTML elements, for example:

<input name="email" required/>

But after saving the post, the required attribute is stripped in the db:

<input name="email"/>

So the visitors are sending the form, ignoring the validation.

It only happens when the attribute is the last one and is followed by / without spaces:

<input name="email" required>    => OK
<input name="email" required/>   => ERROR
<input name="email" required />  => OK

I put together a test case:

// theme/functions.php

add_action( 'init', function () {
        // The same tag with the three ways of closing it.
        $tests = [
                '<input name="email" required>',
                '<input name="email" required/>',
                '<input name="email" required />',
        ];

        // Allow only <input> with the name and required attributes.
        $allowed_html = [
                'input' => [
                        'name'     => true,
                        'required' => true,
                ],
        ];

        header('Content-Type: text/plain; charset=UTF-8', true);

        // Print each input next to what wp_kses() returns for it.
        foreach ( $tests as $test ) {
                $sanitized = wp_kses( $test, $allowed_html );
                printf( "_in => %s\nout => %s\n\n", $test, $sanitized);
        }
} );

I have found where the error could be fixed:

// wp-includes/kses.php:1320

if ( preg_match( '/^\s+/', $attr ) ) { // Valueless.

Replacing the regex /^\s+/ with /^(\s+|\/$)/ fixes the problem.

I'm hoping it can be fixed for the next release, until then I'm manually applying the patch again.
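
The parsing step described in the ticket, as an added example that is not part of the original report and is not WordPress code: a simplified attribute-list scanner that takes the "valueless" pattern as a parameter, so `/^\s+/` and the proposed `/^(\s+|\/$)/` can be compared on the ticket's three forms and on a constructed input with `/` in the middle of the list. The function name `model_scan_attrs`, its error-recovery behaviour and the assumption that the trailing `/` is part of the scanned string are all hypothetical.

```php
<?php
// Added illustration: a simplified model, NOT the code in wp-includes/kses.php.
// Assumption: the scanner gets the text between the tag name and ">",
// including a trailing "/".
function model_scan_attrs( string $attr, string $valueless_re ): array {
	$found = [];
	$attr  = ltrim( $attr );
	while ( '' !== $attr ) {
		// Step 1: attribute name. Anything else is dropped as one junk token.
		if ( ! preg_match( '/^[_a-zA-Z][-_a-zA-Z0-9:.]*/', $attr, $m ) ) {
			$attr = preg_replace( '/^\S*\s*/', '', $attr, 1 );
			continue;
		}
		$name = $m[0];
		$attr = substr( $attr, strlen( $name ) );
		// Step 2a: name="value" (only double-quoted values are modelled).
		if ( preg_match( '/^\s*=\s*"[^"]*"\s*/', $attr, $m ) ) {
			$found[] = $name;
			$attr    = substr( $attr, strlen( $m[0] ) );
			continue;
		}
		// Step 2b: valueless attribute at the very end of the list.
		if ( '' === $attr ) {
			$found[] = $name;
			break;
		}
		// Step 2c: valueless attribute, decided by the pattern under test.
		if ( preg_match( $valueless_re, $attr, $m ) ) {
			$found[] = $name;
			$attr    = substr( $attr, strlen( $m[0] ) );
			continue;
		}
		// Step 2d: malformed. The name is lost together with the junk after it.
		$attr = preg_replace( '/^\S*\s*/', '', $attr, 1 );
	}
	return $found;
}

// Constructed inputs: the three forms from the ticket plus one with "/" mid-list.
$cases = [
	'name="email" required',
	'name="email" required/',
	'name="email" required /',
	'name="email" required/data-x="1"',
];
foreach ( $cases as $case ) {
	$old = implode( ',', model_scan_attrs( $case, '/^\s+/' ) );
	$new = implode( ',', model_scan_attrs( $case, '/^(\s+|\/$)/' ) );
	printf( "%-36s old: %-15s new: %s\n", $case, $old, $new );
}
```

In this model only the `required/` row differs between the two patterns. Because `\/$` is anchored to the end of the list, the row with `/` in the middle is still treated as malformed under both.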

Change History (1)

This ticket was mentioned in PR #3200 on WordPress/wordpress-develop by luistar15.

21 months ago

  • Keywords has-patch added

wp_kses_hair fails to parse a valueless attribute at the end of the list.
For example: <input name="email" required/> will strip the required attribute.
This change fixes it.
