[wp-trac] [WordPress Trac] #33924: sanitize_html_class valid characters

WordPress Trac noreply at wordpress.org
Thu Oct 22 22:13:48 UTC 2015


#33924: sanitize_html_class valid characters
-------------------------------------+-----------------------------
 Reporter:  m-e-h                    |       Owner:
     Type:  defect (bug)             |      Status:  new
 Priority:  normal                   |   Milestone:  Future Release
Component:  Formatting               |     Version:  trunk
 Severity:  normal                   |  Resolution:
 Keywords:  has-patch needs-testing  |     Focuses:
-------------------------------------+-----------------------------

Comment (by peterwilsoncc):

 If the `sanitize_html_class` regex is to be altered, I'd like to see it
 expanded beyond just adding an `@`. My approach would be to accept
 anything that:

 * is a one-byte character
 * does not require escaping in CSS or `document.querySelector`
 * has wide browser support

 Some background from [https://mathiasbynens.be/notes/css-escapes Mathias
 Bynens]:

 > The following characters have a special meaning in CSS: `!`, `"`, `#`,
 `$`, `%`, `&`, `'`, `(`, `)`, `*`, `+`, `,`, `-`, `.`, `/`, `:`, `;`, `<`,
 `=`, `>`, `?`, `@`, `[`, `\`, `]`, `^`, {{{`}}}, `{`, `|`, `}`, and `~`.

 > Any characters matching `[\t\n\v\f\r]` need to be escaped based on their
 Unicode code points. The space character (` `) can simply be backslashed
 (`\ `). Other whitespace characters don’t need to be escaped.

 > Other than that, characters that can’t possibly convey any meaning in
 CSS (e.g. `♥`) can and should just be used unescaped.

 I'll put together some reduced test cases and upload.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/33924#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
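
The criteria in the comment above, worked through as an added example (not part of the original message and not WordPress core code): it classifies characters using only the rules in the quoted Mathias Bynens text and lists the printable one-byte characters that need no escaping. The function names are hypothetical, and position-dependent rules such as a leading digit are not modelled.

```javascript
// Added example. Character rules come from the quote in the comment above.
// Characters the quote lists as having a special meaning in CSS.
const CSS_SPECIAL = new Set("!\"#$%&'()*+,-./:;<=>?@[\\]^`{|}~");
// Characters the quote says must be escaped by Unicode code point.
const CODEPOINT_ESCAPED = /[\t\n\v\f\r]/;

// Classify one character: "codepoint", "backslash" or "plain".
function classify(ch) {
  if (CODEPOINT_ESCAPED.test(ch)) return "codepoint";
  if (ch === " " || CSS_SPECIAL.has(ch)) return "backslash";
  return "plain"; // e.g. letters, digits, "_" and "♥"
}

// Escape a class name for use in a selector (hypothetical helper).
function escapeClass(name) {
  let out = "";
  for (const ch of name) {
    const kind = classify(ch);
    if (kind === "codepoint") {
      // Hex code point followed by a space that terminates the escape.
      out += "\\" + ch.codePointAt(0).toString(16) + " ";
    } else if (kind === "backslash") {
      out += "\\" + ch;
    } else {
      out += ch;
    }
  }
  return out;
}

// True when the class can be written in a selector exactly as stored.
function needsNoEscape(name) {
  return escapeClass(name) === name;
}

// Printable one-byte characters (0x21-0x7E) that need no escaping.
function unescapedOneByteChars() {
  let out = "";
  for (let cp = 0x21; cp <= 0x7e; cp++) {
    const ch = String.fromCharCode(cp);
    if (classify(ch) === "plain") out += ch;
  }
  return out;
}

console.log(unescapedOneByteChars());
console.log(escapeClass("user@example"), needsNoEscape("user@example"));
```
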

