[wp-trac] [WordPress Trac] #44988: The sanitize_html_class() is deceptive / "buggy"
WordPress Trac
noreply at wordpress.org
Fri Sep 28 10:28:34 UTC 2018
#44988: The sanitize_html_class() is deceptive / "buggy"
----------------------------+------------------------------
 Reporter:  ChiefAlchemist  |       Owner:  (none)
     Type:  defect (bug)    |      Status:  new
 Priority:  normal          |   Milestone:  Awaiting Review
Component:  Formatting      |     Version:  4.9.6
 Severity:  normal          |  Resolution:
 Keywords:                  |     Focuses:
----------------------------+------------------------------
Comment (by ayeshrajans):
The W3 spec does say that class names cannot start with a digit, single or
double hyphens.
https://www.w3.org/TR/CSS21/syndata.html#characters
We can either remove the invalid characters or replace them. I'm leaning
towards replacing them with an underscore because we can still salvage an
invalid class name from it (`12345` would become `'_2345'` instead of
`''`).
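{{{#!php
// Replace an invalid leading sequence instead of dropping the whole name.
$sanitized = preg_replace( array(
	'/^[0-9]/',           // leading digit
	'/^(-[0-9])|^(--)/',  // leading hyphen + digit, or leading double hyphen
), array(
	'_',
	'__',
), $sanitized );
}}}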
Backwards compatibility should not be an issue because invalid classes are
dropped by browsers anyway: https://jsfiddle.net/4om9bqhp/
I will attach a patch in the next reply, but it raises some more issues...
--
Ticket URL: <https://core.trac.wordpress.org/ticket/44988#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
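
Added example, not part of the original comment and not WordPress core code: it runs the replacement proposed above over constructed class names and checks each result against the ASCII subset of the CSS 2.1 identifier grammar. The function names are hypothetical, and the input is assumed to have already been reduced to `[A-Za-z0-9_-]` by the earlier steps of sanitize_html_class().

```php
<?php
// Added example: not WordPress core code. Function names are hypothetical.

/**
 * Apply the replacement proposed in the comment.
 * Assumption: $sanitized already contains only [A-Za-z0-9_-].
 */
function example_fix_class_prefix( string $sanitized ): string {
	return preg_replace(
		array( '/^[0-9]/', '/^(-[0-9])|^(--)/' ),
		array( '_', '__' ),
		$sanitized
	);
}

/**
 * CSS 2.1 identifier check, ASCII subset only (no escapes, no non-ASCII):
 * an optional single hyphen, then a letter or underscore, then name characters.
 */
function example_is_css21_ident( string $name ): bool {
	return 1 === preg_match( '/^-?[_A-Za-z][_A-Za-z0-9-]*$/D', $name );
}

// Constructed sample inputs, one per leading-character case.
$samples = array( '12345', '-1col', '--wide', '-nav', 'col-2', '-', '' );

foreach ( $samples as $input ) {
	$output = example_fix_class_prefix( $input );
	printf(
		"%-9s -> %-9s before: %-7s after: %s\n",
		var_export( $input, true ),
		var_export( $output, true ),
		example_is_css21_ident( $input ) ? 'valid' : 'invalid',
		example_is_css21_ident( $output ) ? 'valid' : 'invalid'
	);
}
```

A lone hyphen and the empty string match neither pattern, so they pass through unchanged and still fail the identifier check.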