Make WordPress Core

Opened 5 weeks ago

Last modified 5 weeks ago

#62024 new defect (bug)

wp_kses_post incorrectly escapes "<" attributes values

Reported by: jernstjernst Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: trunk
Component: Formatting Keywords:
Focuses: coding-standards Cc:

Description

Hello,

We are trying to use wp_kses everywhere we output as recommended. However, we encountered the following issue: 

Example:

<?php
echo wp_kses_post('<button data-glide-dir="<">&lt;</button>")
?>

Expected result:

<button data-glide-dir="<">&lt;</button>

Actual result: 

&lt;button data-glide-dir=&quot;&lt;</button>

This breaks glide.js unless we use this workaround (https://github.com/glidejs/glide/issues/547)

I think this should be allowed as per https://html.spec.whatwg.org/multipage/syntax.html#syntax-attributes

Thanks and best regards

Change History (1)

#1 @jernstjernst
5 weeks ago

Sorry, the test case should read:

<?php
echo wp_kses_post('<button data-glide-dir="<">&lt;</button>')
?>
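
Added example (not part of the ticket and not WordPress source): a stand-alone PHP model of two filtering steps that reproduces the "Actual result" reported above, and shows that the same markup with the attribute value written as `&lt;` passes through the model unchanged; an HTML parser decodes that entity back to `<` when it reads the attribute. Assumptions: `wp_kses_post()` is taken to behave like the two `model_*` steps for this input, the function names are hypothetical, and attribute allow-listing is not modelled.

```php
<?php
// Added illustration only. Runs without WordPress.

// Step 1 (assumed to mirror a "pre_kses" less-than filter): a run that starts
// with "<" and meets another "<" before any ">" is treated as text and escaped.
function model_pre_less_than(string $html): string {
    return preg_replace_callback(
        '%<[^>]*?((?=<)|>|$)%',
        function (array $m): string {
            return strpos($m[0], '>') === false
                ? htmlspecialchars($m[0], ENT_QUOTES) // stand-in for esc_html()
                : $m[0];
        },
        $html
    );
}

// Step 2 (assumed): any remaining "<...>" chunk that does not start with a
// tag name is dropped; chunks that look like tags are kept as they are.
function model_drop_non_tags(string $html): string {
    return preg_replace_callback(
        '%<[^>]*(>|$)%',
        function (array $m): string {
            $looks_like_tag = preg_match('%^<\s*/?\s*[a-zA-Z0-9-]+[^>]*>?$%', $m[0]);
            return $looks_like_tag ? $m[0] : '';
        },
        $html
    );
}

function model_filter(string $html): string {
    return model_drop_non_tags(model_pre_less_than($html));
}

// Input from the ticket: a raw "<" inside the quoted attribute value.
$raw = '<button data-glide-dir="<">&lt;</button>';
// Same markup with the attribute value entity-encoded before output.
$encoded = '<button data-glide-dir="' . htmlspecialchars('<', ENT_QUOTES) . '">&lt;</button>';

// The raw form comes out as the ticket's "Actual result".
var_dump(model_filter($raw) === '&lt;button data-glide-dir=&quot;&lt;</button>');
// The encoded form is left untouched by both steps.
var_dump(model_filter($encoded) === $encoded);
```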