Opened 15 months ago
Last modified 2 months ago
#62024 new defect (bug)
wp_kses_post incorrectly escapes "<" in attribute values
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | 5.0 |
| Component: | Formatting | Keywords: | |
| Focuses: | coding-standards | Cc: | |
Description
Hello,
We are trying to use wp_kses everywhere we output as recommended. However, we encountered the following issue:
Example:
<?php echo wp_kses_post('<button data-glide-dir="<"><</button>") ?>
Expected result:
<button data-glide-dir="<"><</button>
Actual result:
<button data-glide-dir="<</button>
This breaks glide.js unless we use this workaround (https://github.com/glidejs/glide/issues/547).
I think this should be allowed as per https://html.spec.whatwg.org/multipage/syntax.html#syntax-attributes.
Thanks and best regards
Change History (3)
#2 (14 months ago)
This is certainly incorrect behavior and the HTML you shared is indeed fine. The fundamental problem is that kses, as a system, doesn't really understand HTML.
There are efforts to improve things with the HTML API, but it's not entirely ready to replace everything kses does yet.
I'd suggest encoding the attribute value as a workaround; kses shouldn't have a problem understanding this HTML:
<?php wp_kses_post('<button data-glide-dir="&lt;">&lt;</button>'); // returns '<button data-glide-dir="&lt;">&lt;</button>' (the "<" is written as the entity &lt; in both the attribute value and the text content)
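The encoding workaround from the comment above, as an added example that is not part of this ticket or of WordPress core: the untrusted value is escaped with WordPress's own esc_attr() and esc_html() before the markup reaches wp_kses_post(), so kses never sees a raw "<" inside an attribute. It assumes a WordPress runtime; the helper names render_glide_control_broken() and render_glide_control() are hypothetical.

```php
<?php
// Added example, not code from the ticket. Assumes WordPress is loaded so
// wp_kses_post(), esc_attr() and esc_html() are available.

// The pattern from the ticket: a literal "<" is concatenated into the
// attribute value. kses splits the input on "<", so the tag is cut short
// and the output becomes <button data-glide-dir="<</button>.
function render_glide_control_broken( $direction ) {
    return wp_kses_post(
        '<button data-glide-dir="' . $direction . '">' . $direction . '</button>'
    );
}

// Hardened form: esc_attr() and esc_html() encode "<" (as well as ">", "&"
// and quotes) as HTML entities, so the attribute value contains &lt; rather
// than a raw "<". That is valid HTML, kses leaves the entity alone, and the
// browser decodes it back to "<" when glide.js reads data-glide-dir.
function render_glide_control( $direction ) {
    $markup = sprintf(
        '<button data-glide-dir="%s">%s</button>',
        esc_attr( $direction ),
        esc_html( $direction )
    );
    return wp_kses_post( $markup );
}

// "<" is the direction value used in the ticket's test case.
echo render_glide_control( '<' );
```

The same escape-then-sanitize order applies to any value interpolated into markup that is later passed through kses, not only to this attribute.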
#3 (2 months ago)
- Version changed from 6.7 to 5.0
Here's a demo of the behavior.
I've confirmed this behavior as of version 6.3, but I suspect it's been around much longer. I'll set the version arbitrarily to 5.0.
Sorry, the test case should read:
<?php echo wp_kses_post('<button data-glide-dir="<"><</button>') ?>