[wp-trac] [WordPress Trac] #49464: wp_kses_hair and wp_kses_hair_parse regex is not allowing digits in attribute names
WordPress Trac
noreply at wordpress.org
Tue Feb 18 10:12:26 UTC 2020
#49464: wp_kses_hair and wp_kses_hair_parse regex is not allowing digits in
attribute names
--------------------------+-----------------------------
Reporter: codeforest | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 5.3.2
Severity: major | Keywords:
Focuses: |
--------------------------+-----------------------------
If we have a shortcode inside an HTML tag like this:
{{{
<a href="https://example.com/[op_get_param param='promoCode' default='Zvonko']" data-op3-timer-seconds="0">Some link</a>
}}}
The regex inside wp_kses_hair and wp_kses_hair_parse is stripping
data-op3-timer-seconds as an invalid attribute name, while it is a legal one.
XML elements must follow these naming rules (source:
https://www.w3schools.com/xml/xml_elements.asp):
* Element names are case-sensitive
* Element names must start with a letter or underscore
* Element names cannot start with the letters xml (or XML, or Xml,
etc)
* Element names can contain letters, digits, hyphens, underscores, and
periods
* Element names cannot contain spaces
The solution would be to adjust the regex for attribute names to allow for
digits that are not in the first position.
{{{
// original regex line
'[-a-zA-Z:]+' // Attribute name.
}}}
{{{
// new regex line, we are allowing digits if not in the first position
'[_a-zA-Z][-_a-zA-Z0-9:]*' // Attribute name.
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/49464>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
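
Added example (not part of the ticket and not WordPress core code): the two attribute-name patterns quoted above, run over the ticket's own markup. The helper `accepted_names`, its simplified tokenizer, and the extra attributes `3d` and `_private` are assumptions made for this illustration; it shows that the original pattern drops `data-op3-timer-seconds` while the proposed one keeps it and still refuses a name that starts with a digit.

```php
<?php
// Added illustration, not WordPress core code. Compares the two attribute-name
// patterns quoted in the ticket; everything else here is hypothetical.
const OLD_NAME = '[-a-zA-Z:]+';               // "original regex line" from the ticket
const NEW_NAME = '[_a-zA-Z][-_a-zA-Z0-9:]*';  // "new regex line" from the ticket

/**
 * Hypothetical helper: list the names of name="value" pairs in $attrs whose
 * whole name matches $namePattern. Only double-quoted values are handled.
 */
function accepted_names(string $attrs, string $namePattern): array
{
    $accepted = [];
    // Simplified tokenizer: a run of non-space characters followed by ="...".
    preg_match_all('/(\S+?)="[^"]*"/', $attrs, $pairs);
    foreach ($pairs[1] as $name) {
        // Anchor the pattern so a partial match such as "data-op" does not count.
        if (preg_match('/^(?:' . $namePattern . ')$/', $name) === 1) {
            $accepted[] = $name;
        }
    }
    return $accepted;
}

// The first two attributes are from the ticket; 3d and _private are constructed
// to exercise the first-character rule.
$attrs = 'href="https://example.com/[op_get_param param=\'promoCode\' default=\'Zvonko\']" '
       . 'data-op3-timer-seconds="0" 3d="x" _private="1"';

echo 'old: ', implode(', ', accepted_names($attrs, OLD_NAME)), PHP_EOL;
echo 'new: ', implode(', ', accepted_names($attrs, NEW_NAME)), PHP_EOL;
```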