Opened 5 months ago
Last modified 3 months ago
#62024 new defect (bug)
wp_kses_post incorrectly escapes "<" attributes values
Reported by: | jernstjernst | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | 6.7 |
Component: | Formatting | Keywords: | |
Focuses: | coding-standards | Cc: |
Description
Hello,
We are trying to use wp_kses everywhere we output as recommended. However, we encountered the following issue:
Example:
<?php echo wp_kses_post('<button data-glide-dir="<"><</button>'); ?>
Expected result:
<button data-glide-dir="<"><</button>
Actual result:
<button data-glide-dir="<</button>
This breaks glide.js unless we use this workaround (https://github.com/glidejs/glide/issues/547).
I think this should be allowed as per https://html.spec.whatwg.org/multipage/syntax.html#syntax-attributes
Thanks and best regards
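An added illustration, not part of the ticket and not WordPress or glide.js code: a minimal reader for double-quoted attribute values that follows the attribute syntax cited above. It shows that a literal `<` inside the quotes does not end the tag, and that the encoded spelling `&lt;` yields the same attribute value. The helper names `decodeRefs`, `encodeAttr` and `readStartTag` are hypothetical, and only a small subset of character references is handled.

```javascript
// Added example: hypothetical helper names, not WordPress or glide.js APIs.
// Small subset of named character references; enough for this ticket's input.
const NAMED = { lt: '<', gt: '>', amp: '&', quot: '"' };

// Decode character references in an attribute value (subset of the HTML rules).
function decodeRefs(raw) {
  return raw.replace(/&(?:#(\d+)|#[xX]([0-9a-fA-F]+)|([a-zA-Z]+));/g,
    (whole, dec, hex, name) => {
      if (dec) return String.fromCodePoint(Number(dec));
      if (hex) return String.fromCodePoint(parseInt(hex, 16));
      return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : whole;
    });
}

// Encode the characters that would end the value or look like tag delimiters.
function encodeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
  return value.replace(/[&<>"]/g, (c) => map[c]);
}

// Read the start tag at the beginning of `html`. Everything between double
// quotes is attribute value, so "<" or ">" inside the quotes ends nothing.
function readStartTag(html) {
  const m = /^<([a-zA-Z][a-zA-Z0-9-]*)/.exec(html);
  if (!m) return null;
  const attrs = {};
  let i = m[0].length;
  while (i < html.length && html[i] !== '>') {
    if (/\s/.test(html[i]) || html[i] === '/') { i++; continue; }
    const nameStart = i;
    while (i < html.length && !/[\s=>/]/.test(html[i])) i++;
    const name = html.slice(nameStart, i).toLowerCase();
    let value = '';
    if (html[i] === '=' && html[i + 1] === '"') {
      const end = html.indexOf('"', i + 2);
      if (end === -1) return null; // unterminated value
      value = decodeRefs(html.slice(i + 2, end));
      i = end + 1;
    } else if (html[i] === '=') {
      return null; // this sketch handles double-quoted values only
    }
    attrs[name] = value;
  }
  if (i >= html.length) return null; // tag never closed
  return { tag: m[1].toLowerCase(), attrs, rest: html.slice(i + 1) };
}

// Constructed inputs: the markup from the report, raw and with the value encoded.
const raw = readStartTag('<button data-glide-dir="<"><</button>');
const enc = readStartTag(`<button data-glide-dir="${encodeAttr('<')}">&lt;</button>`);
console.log(raw.attrs['data-glide-dir'] === enc.attrs['data-glide-dir']);
```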
Change History (2)
#2
@ Core Committer
3 months ago
This is certainly incorrect behavior and the HTML you shared is indeed fine. The fundamental problem is that kses, as a system, doesn't really understand HTML.
There are efforts to improve things with the HTML API, but it's not entirely ready to replace everything kses does yet.
I'd suggest encoding the attribute value as a workaround; kses shouldn't have a problem understanding this HTML:
<?php wp_kses_post('<button data-glide-dir="<"><</button>'); // returns '<button data-glide-dir=\"<\"><</button>'
Sorry, the test case should read: