HTML API: Indicate when WordPress rejects attribute updates.

When setting an an attribute value in the HTML API, WordPress may reject
an update based on rules in `kses`. In these cases, the return value from
an escaping function will be an empty string, and the HTML API should
reject the update. Unfortunately, it currently reports that it updates the
attribute but sets an empty string value, which is misleading.

In this patch, the HTML API will refuse the attribute update and return
false to indicate as much when WordPress rejects the updates.

Developed in https://github.com/wordpress/wordpress-develop/pull/7114
Discussed in https://core.trac.wordpress.org/ticket/61719

Follow-up to [58472].

Props: amitraj2203, dmsnell, mukesh27.
Fixes #61719.

Built from https://develop.svn.wordpress.org/trunk@58844


git-svn-id: http://core.svn.wordpress.org/trunk@58240 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-includes/html-api/class-wp-html-tag-processor.php

@@ -3197,6 +3197,12 @@ class WP_HTML_Tag_Processor {
 			 * @see https://html.spec.whatwg.org/#attributes-3
 			 */
 			$escaped_new_value = in_array( $comparable_name, wp_kses_uri_attributes() ) ? esc_url( $value ) : esc_attr( $value );
+
+			// If the escaping functions wiped out the update, reject it and indicate it was rejected.
+			if ( '' === $escaped_new_value && '' !== $value ) {
+				return false;
+			}
+
 			$updated_attribute = "{$name}=\"{$escaped_new_value}\"";
 		}
 

wp-includes/version.php

@@ -16,7 +16,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '6.7-alpha-58843';
+$wp_version = '6.7-alpha-58844';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.