[wp-trac] [WordPress Trac] #64340: HTML API may double-escape class names when adding repeatedly
WordPress Trac
noreply at wordpress.org
Wed Dec 3 12:51:09 UTC 2025
#64340: HTML API may double-escape class names when adding repeatedly
--------------------------+------------------------
Reporter: jonsurrell | Owner: jonsurrell
Type: defect (bug) | Status: assigned
Priority: normal | Milestone: 6.9.1
Component: HTML API | Version: 6.9
Severity: normal | Keywords:
Focuses: |
--------------------------+------------------------
`WP_HTML_Tag_Processor` and `WP_HTML_Processor` may incorrectly encode
class names containing the characters `&`, `<`, `>`, `"`, or `'` when
modifying them via class methods like `::add_class()` and calling
`::get_updated_html()`.
For example:
{{{#!php
<?php
$p = new WP_HTML_Tag_Processor('<div></div>');
$p->next_tag();
// First update: the raw class name "&" must be encoded once in the output.
$p->add_class('&');
echo $p->get_updated_html() . "\n";
// Second update on the same processor: the existing class must not be re-encoded.
$p->add_class('OK');
echo $p->get_updated_html() . "\n";
}}}
Will print:
{{{#!xml
<div class="&amp;"></div>
<div class="&amp;amp; OK"></div>
}}}
Notice that the first pass is correct: `&` has been correctly encoded in
the class attribute as `&amp;`. However, after calling `::add_class()` and
`::get_updated_html()` again, the `&` has incorrectly been double-encoded
as `&amp;amp;`.
The same code in WordPress 6.8 would print:
{{{#!xml
<div class="&amp;"></div>
<div class="&amp; OK"></div>
}}}
This is related to [60919], which was released in WordPress 6.9. The double-
encoding behavior was present before, but in this case it was "corrected"
by the use of `esc_attr()`, which avoids any double-encoding. When the
`esc_attr()` usage was removed in [60919], the double-escaping behavior
manifested, causing this issue.
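A minimal model of the failure mode, added here as an illustration (it is not WordPress code and does not use the HTML API; the single-tag regex parser and the `add_class_*` names are constructed for this example): the buggy path reads the class list back from the already-serialized attribute and escapes it again, while the fixed path decodes before merging and encodes exactly once.

```python
import html
import re

# Constructed model of the ticket's scenario: one tag whose class attribute
# is read back from already-serialized HTML and re-serialized on every update.
CLASS_ATTR = re.compile(r'\sclass="([^"]*)"')


def _serialized_classes(tag_html: str) -> str:
    """Return the class attribute value exactly as it appears in the markup."""
    m = CLASS_ATTR.search(tag_html)
    return m.group(1) if m else ""


def _write_class(tag_html: str, encoded: str) -> str:
    """Write an already-encoded class value back into the tag."""
    if CLASS_ATTR.search(tag_html):
        return CLASS_ATTR.sub(lambda _: f' class="{encoded}"', tag_html, count=1)
    return tag_html.replace(">", f' class="{encoded}">', 1)


def add_class_buggy(tag_html: str, new_class: str) -> str:
    # Defect: treats the serialized (already-escaped) value as raw text, so
    # "&amp;" from the previous update is escaped again to "&amp;amp;".
    classes = _serialized_classes(tag_html).split()
    if new_class not in classes:
        classes.append(new_class)
    return _write_class(tag_html, html.escape(" ".join(classes), quote=True))


def add_class_fixed(tag_html: str, new_class: str) -> str:
    # Decode once to recover the raw class names, merge, then encode exactly
    # once on output; html.escape covers & < > " ' like the ticket describes.
    classes = html.unescape(_serialized_classes(tag_html)).split()
    if new_class not in classes:
        classes.append(new_class)
    return _write_class(tag_html, html.escape(" ".join(classes), quote=True))


def reproduce(add_class):
    """Mirror the ticket's two-step sequence and return both outputs."""
    tag = add_class("<div></div>", "&")
    first = tag
    return first, add_class(tag, "OK")


if __name__ == "__main__":
    print(reproduce(add_class_buggy))  # second output is double-encoded
    print(reproduce(add_class_fixed))  # second output keeps a single &amp;
```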
----
This was originally reported by GitHub user `ktmn` in
[https://github.com/WordPress/gutenberg/issues/73713 Gutenberg issue
73713].
--
Ticket URL: <https://core.trac.wordpress.org/ticket/64340>
WordPress Trac <https://core.trac.wordpress.org/>