[wp-trac] [WordPress Trac] #55407: Allow case-insensitive elements for KSES

WordPress Trac noreply at wordpress.org
Wed Mar 16 23:54:44 UTC 2022

#55407: Allow case-insensitive elements for KSES
 Reporter:  r-a-y                       |       Owner:  (none)
     Type:  defect (bug)                |      Status:  new
 Priority:  normal                      |   Milestone:  6.0
Component:  Formatting                  |     Version:
 Severity:  normal                      |  Resolution:
 Keywords:  has-patch needs-unit-tests  |     Focuses:

Comment (by peterwilsoncc):

 The proposed patch is problematic in that it will make KSES case

 Consider the HTML `<DIV CLASS="55407"></DIV>`, the first altered line
 removes `strtolower()` from the check of allowed elements. This will cause
 a false negative and result in the element being removed.

 See https://3v4l.org/5X0OJ for an example of the difference.

 In its current form, KSES will maintain the case in which the element is

 <DIV class="55407">Some div</DIV>

 <Not-Allowed>Not Allowed element</Not-AlloWed>

 Is stored in the database as

 <DIV class="55407">Some div</DIV>

 Not Allowed element

 Adding elements to the allowed HTML array or via the appropriate filter do
 need to be in lowercase. I think this needs to remain the case as the
 allowed HTML shouldn't contain the same element in different cases, eg

 $allowed_html = [
    'div' => [ /* etc */ ],
    'DIV' => [ /* etc */ ],
 ];

Ticket URL: <https://core.trac.wordpress.org/ticket/55407#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
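
Added example, not part of the ticket comment and not WordPress's own code: a simplified model of the element check discussed above, showing why the allowlist lookup lowercases the element name while the tag itself is kept as written. The function name `filter_elements` and its `$normalize` switch are hypothetical, and attribute filtering is left out.

```php
<?php
// Simplified model of an element allowlist check; this is NOT wp_kses().
// Assumption: attributes are passed through untouched to keep the focus
// on how the element name is compared against the allowlist.

/**
 * Strip tags whose element name is not a key of $allowed.
 * With $normalize = true the name is lowercased for the lookup only.
 */
function filter_elements(string $html, array $allowed, bool $normalize): string
{
    return preg_replace_callback(
        '~<(/?)([A-Za-z][A-Za-z0-9-]*)([^>]*)>~',
        function (array $m) use ($allowed, $normalize): string {
            $key = $normalize ? strtolower($m[2]) : $m[2];
            // Keep the tag exactly as typed, or drop the tag (but not its
            // text content) when the element is not in the allowlist.
            return isset($allowed[$key]) ? $m[0] : '';
        },
        $html
    );
}

// Allowlist keys are lowercase, one entry per element.
$allowed = ['div' => ['class' => true]];

// Constructed input: the two lines quoted in the comment above.
$input = '<DIV class="55407">Some div</DIV>' . "\n"
       . '<Not-Allowed>Not Allowed element</Not-AlloWed>';

echo "lowercased lookup:\n", filter_elements($input, $allowed, true), "\n\n";
echo "case-sensitive lookup:\n", filter_elements($input, $allowed, false), "\n";
```

With the lowercased lookup the uppercase `DIV` tags survive in their original case; with the case-sensitive lookup they are stripped even though `div` is allowed, which is the false negative the comment describes.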
