From b0aca7258dfa942415577ecc91f493479143873d Mon Sep 17 00:00:00 2001
From: hellofromTonya
Date: Tue, 3 Sep 2024 20:15:09 +0000
Subject: [PATCH] HTML API: Indicate when WordPress rejects attribute updates. When setting an an attribute value in the HTML API, WordPress may reject an update based on rules in `kses`. In these cases, the return value from an escaping function will be an empty string, and the HTML API should reject the update. Unfortunately, it currently reports that it updates the attribute but sets an empty string value, which is misleading. In this changeset, the HTML API will refuse the attribute update and return false to indicate as much when WordPress rejects the updates. Reviewed by jorbin, hellofromTonya. Merges [58844] to the 6.6 branch. Follow-up to [58472]. Props amitraj2203, dmsnell, mukesh27. Fixes #61719. Built from https://develop.svn.wordpress.org/branches/6.6@58980 git-svn-id: http://core.svn.wordpress.org/branches/6.6@58376 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/html-api/class-wp-html-tag-processor.php | 6 ++++++
 wp-includes/version.php | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/wp-includes/html-api/class-wp-html-tag-processor.php b/wp-includes/html-api/class-wp-html-tag-processor.php
index 8fc75938c9..23206f6eed 100644
--- a/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -2980,6 +2980,12 @@ class WP_HTML_Tag_Processor {
 * @see https://html.spec.whatwg.org/#attributes-3
 */
 $escaped_new_value = in_array( $comparable_name, wp_kses_uri_attributes() ) ? esc_url( $value ) : esc_attr( $value );
+
+ // If the escaping functions wiped out the update, reject it and indicate it was rejected.
+ if ( '' === $escaped_new_value && '' !== $value ) {
+ return false;
+ }
+
 $updated_attribute = "{$name}=\"{$escaped_new_value}\"";
 }
diff --git a/wp-includes/version.php b/wp-includes/version.php
index f4ac1f545b..5878a0ef91 100644
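Review bot: The new early `return false` after the `esc_url()`/`esc_attr()` call exits before `$updated_attribute` is built, so a rejected value appears to leave whatever value the tag already had in place rather than blanking it as before. A caller that overwrites an existing `href` or `src` and ignores the return value would now keep serving the old value, which matters when the point of the update was to replace it. The enclosing method begins and ends outside the hunk, so its docblock is not visible; if it does not already say so, I would extend the return description to something like `@return bool Whether the attribute was set; false when escaping rejects the value, leaving any existing value untouched.` The guard also only catches a value that is emptied entirely, so the inline comment could say that values altered but not emptied by escaping are still written.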
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '6.6.2-alpha-58979';
+$wp_version = '6.6.2-alpha-58980';
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.