[wp-trac] [WordPress Trac] #33121: wp_kses_attr_check fails to process html data-* attributes
WordPress Trac
noreply at wordpress.org
Thu Oct 11 15:36:34 UTC 2018
#33121: wp_kses_attr_check fails to process html data-* attributes
--------------------------------------+-----------------------
Reporter: isoftware | Owner: (none)
Type: defect (bug) | Status: reopened
Priority: normal | Milestone: 5.0
Component: Editor | Version: 4.2.3
Severity: major | Resolution:
Keywords: has-patch has-unit-tests | Focuses:
--------------------------------------+-----------------------
Comment (by azaozz):
@peterwilsoncc thanks for adding the test :)
Looking at `data--invaild="gone"` and `data-also-invaild-="gone"`, it
seems having two hyphens or a hyphen as last char of the data-* attribute
name is valid (https://www.w3.org/TR/REC-xml/#NT-Nmtoken). Also seems
quite a few chars are valid there, but still thinking we should only
support `a-z0-9_-`.
Also `preg_match( '/^' . preg_quote( $prefix ) . '(-[a-z0-9_]+)*$/',
$name_low )` would mean we don't allow attribute names like `data-wp-id`
(which is somewhat common).
--
Ticket URL: <https://core.trac.wordpress.org/ticket/33121#comment:16>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
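
Added example (not part of the comment above or of the ticket's patch): a PHP script that evaluates the quoted expression against the three attribute names mentioned in the comment. The value of `$prefix` is not given there, so `'data'` and `'data-'` are both tried as assumptions, and `charset_pattern_accepts()` is a hypothetical pattern for the `a-z0-9_-` character set.

```php
<?php
// Added example, not WordPress core code. The value of $prefix is not shown
// in the comment above, so both candidates are tried (assumption).
$prefixes = array( 'data', 'data-' );

// Attribute names taken from the comment above.
$names = array( 'data--invaild', 'data-also-invaild-', 'data-wp-id' );

/**
 * The expression quoted in the comment, evaluated for a given $prefix.
 */
function quoted_pattern_accepts( $prefix, $name ) {
	$name_low = strtolower( $name );
	return 1 === preg_match( '/^' . preg_quote( $prefix ) . '(-[a-z0-9_]+)*$/', $name_low );
}

/**
 * Hypothetical alternative: "data-" followed by one or more characters
 * from the a-z0-9_- set, which permits doubled and trailing hyphens.
 */
function charset_pattern_accepts( $name ) {
	return 1 === preg_match( '/^data-[a-z0-9_-]+$/', strtolower( $name ) );
}

foreach ( $names as $name ) {
	foreach ( $prefixes as $prefix ) {
		printf(
			"%-20s prefix=%-7s quoted pattern: %s\n",
			$name,
			"'" . $prefix . "'",
			quoted_pattern_accepts( $prefix, $name ) ? 'accept' : 'reject'
		);
	}
	printf(
		"%-20s %-14s charset pattern: %s\n",
		$name,
		'',
		charset_pattern_accepts( $name ) ? 'accept' : 'reject'
	);
}
```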