Make WordPress Core

Opened 5 months ago

Last modified 3 months ago

#62024 new defect (bug)

wp_kses_post incorrectly escapes "<" in attribute values

Reported by: jernstjernst
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 6.7
Component: Formatting
Keywords:
Focuses: coding-standards
Cc:

Description

Hello,

We are trying to use wp_kses everywhere we output as recommended. However, we encountered the following issue: 

Example:

<?php
echo wp_kses_post('<button data-glide-dir="<">&lt;</button>")
?>

Expected result:

<button data-glide-dir="<">&lt;</button>

Actual result: 

&lt;button data-glide-dir=&quot;&lt;</button>

This breaks glide.js unless we use this workaround (https://github.com/glidejs/glide/issues/547)

I think this should be allowed as per https://html.spec.whatwg.org/multipage/syntax.html#syntax-attributes

Thanks and best regards

Change History (2)

#1 @jernstjernst
5 months ago

Sorry, the test case should read:

<?php
echo wp_kses_post('<button data-glide-dir="<">&lt;</button>')
?>

#2 @jonsurrell (Core Committer)
3 months ago

This is certainly incorrect behavior and the HTML you shared is indeed fine. The fundamental problem is that kses, as a system, doesn't really understand HTML.

There are efforts to improve things with the HTML API, but it's not entirely ready to replace everything kses does yet.

I'd suggest encoding the attribute value as a workaround; kses shouldn't have a problem understanding this HTML:

<?php
wp_kses_post('<button data-glide-dir="&lt;">&lt;</button>');
// returns '<button data-glide-dir="&lt;">&lt;</button>'
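The two points the thread rests on, the reporter's reference to the HTML syntax spec (a quoted attribute value may contain a literal "<") and the encoded-value workaround from comment #2, can be checked without WordPress. The following is an added example written for this page, not code from the ticket or from WordPress core. It implements just the spec's double-quoted attribute value state: inside the quotes only `"` terminates the value and only `&` starts a character reference, so `<` is ordinary data. It then shows that `data-glide-dir="<"` and `data-glide-dir="&lt;"` decode to the identical attribute value, which is why the workaround is semantically a no-op for the browser and glide.js. The `escapeAttr` helper is this example's own; it encodes the five characters that matter inside an attribute value and is comparable in intent to, but not a copy of, WordPress's `esc_attr()`. Only a handful of named character references are decoded, which is an assumption sufficient for the inputs here.

```javascript
// Added example, not from the ticket or WordPress core. Minimal model of the
// HTML spec's "attribute value (double-quoted) state":
// https://html.spec.whatwg.org/multipage/parsing.html#attribute-value-(double-quoted)-state
// Only the few named references needed here are supported (assumption).
const NAMED_REFS = { lt: "<", gt: ">", amp: "&", quot: '"', apos: "'" };

// If text[i] starts a character reference, return [decodedChar, nextIndex];
// otherwise return null so the caller keeps the '&' as literal data.
function decodeCharRef(text, i) {
  const m = /^&(?:#x([0-9a-fA-F]+)|#([0-9]+)|([a-zA-Z]+));/.exec(text.slice(i));
  if (!m) return null;
  let ch;
  if (m[1] !== undefined) ch = String.fromCodePoint(parseInt(m[1], 16));
  else if (m[2] !== undefined) ch = String.fromCodePoint(parseInt(m[2], 10));
  else if (Object.prototype.hasOwnProperty.call(NAMED_REFS, m[3])) ch = NAMED_REFS[m[3]];
  else return null;
  return [ch, i + m[0].length];
}

// Parse one start tag at the beginning of `html`, e.g. '<button data-glide-dir="<">'.
// Returns { name, attrs, end } where `end` is the index just past the closing '>'.
// Supports double-quoted and valueless attributes only, which is all this ticket needs.
function parseStartTag(html) {
  let i = 0;
  if (html[i] !== "<") throw new Error("expected '<' at start of tag");
  i++;
  const nameMatch = /^[a-zA-Z][^\s/>]*/.exec(html.slice(i));
  if (!nameMatch) throw new Error("bad tag name");
  const name = nameMatch[0].toLowerCase();
  i += name.length;
  const attrs = {};
  for (;;) {
    while (i < html.length && /\s/.test(html[i])) i++;
    if (html[i] === ">") return { name, attrs, end: i + 1 };
    const attrMatch = /^[^\s"'>/=]+/.exec(html.slice(i));
    if (!attrMatch) throw new Error("bad attribute at offset " + i);
    const attrName = attrMatch[0].toLowerCase();
    i += attrName.length;
    while (i < html.length && /\s/.test(html[i])) i++;
    if (html[i] !== "=") { attrs[attrName] = ""; continue; } // valueless attribute
    i++;
    while (i < html.length && /\s/.test(html[i])) i++;
    if (html[i] !== '"') throw new Error("only double-quoted values are supported here");
    i++;
    // Attribute value (double-quoted) state: consume until the closing quote.
    // A '<' here is appended as a literal character; it never opens a tag.
    let value = "";
    while (i < html.length && html[i] !== '"') {
      if (html[i] === "&") {
        const ref = decodeCharRef(html, i);
        if (ref) { value += ref[0]; i = ref[1]; continue; }
      }
      value += html[i++];
    }
    if (html[i] !== '"') throw new Error("unterminated attribute value");
    i++;
    attrs[attrName] = value;
  }
}

// Convenience: the decoded value of one attribute on the leading start tag.
function attributeValue(html, attr) {
  return parseStartTag(html).attrs[attr];
}

// The workaround from comment #2: entity-encode the value before embedding it,
// so a filter that does not track tokenizer state never sees a raw '<'.
// Encodes '&' first so already-encoded text is not double-decoded later.
function escapeAttr(value) {
  return value
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}

// Constructed inputs: the ticket's original markup and the encoded workaround.
const ORIGINAL = '<button data-glide-dir="<">&lt;</button>';
const WORKAROUND = '<button data-glide-dir="' + escapeAttr("<") + '">&lt;</button>';

console.log(attributeValue(ORIGINAL, "data-glide-dir"));   // "<"
console.log(attributeValue(WORKAROUND, "data-glide-dir")); // "<" as well
console.log(WORKAROUND);                                   // the string comment #2 recommends
```

Both forms yield the attribute value "<", so a spec-conformant parser treats the reporter's markup as valid and the encoded form as equivalent. The practical takeaway for anyone filtering through kses today is the last function: build attribute values with an escaper rather than splicing raw strings into the tag, because a filter that does not model tokenizer state cannot be expected to tell a literal "<" inside quotes from the start of a new tag.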