[wp-trac] [WordPress Trac] #37698: wp_kses_split global variable pollution

WordPress Trac noreply at wordpress.org
Sat Jun 28 15:15:14 UTC 2025


#37698: wp_kses_split global variable pollution
-------------------------------------------------+-------------------------
 Reporter:  xknown                               |       Owner:  (none)
     Type:  defect (bug)                         |      Status:  new
 Priority:  normal                               |   Milestone:  Future
                                                 |  Release
Component:  Formatting                           |     Version:
 Severity:  normal                               |  Resolution:
 Keywords:  has-patch needs-test-info reporter-  |     Focuses:
  feedback                                       |
-------------------------------------------------+-------------------------
Changes (by SirLouen):

 * keywords:  has-patch needs-testing early has-unit-tests => has-patch
     needs-test-info reporter-feedback


Comment:

 == Test Report
 === Description
 🟠 This report validates that the indicated patch works as expected.

 Patch tested: https://github.com/WordPress/wordpress-develop/pull/9108.diff

 === Environment
 - WordPress: 6.9-alpha-60093-src
 - PHP: 8.2.28
 - Server: nginx/1.29.0
 - Database: mysqli (Server: 8.4.5 / Client: mysqlnd 8.2.28)
 - Browser: Chrome 137.0.0.0
 - OS: Windows 10/11
 - Theme: Twenty Fifteen 4.0
 - MU Plugins: None activated
 - Plugins:
   * Classic Editor 1.6.7
   * Hello Dolly 9.7.2
   * Test Reports 1.2.0

 === Testing Instructions
 - Using the info provided in OP, place the code anywhere where it can be
 executed

 === Actual Results
 1.  🟠 Issue resolved with patch with some caveats (check notes)

 === Additional Notes
 - This patch basically takes advantage of `use` in lambda functions to
 avoid having to edit `global` variables, which seem to be very unreliable
 for this task, deprecating the callback function that happened to use
 these globals.

 - ⚠️ The problem is that I'm not 100% convinced about how this patch is
 working. I'm not liking the fact that this assert alone:

 {{{
 public function test_wp_kses_split_global_pollution() {
         $result_inner = '';
         $func         = function ( $attributes ) use ( &$result_inner ) {
                 $result_inner = wp_kses_split( '<img src=x style="color: red;" >', array( 'img' => array( 'src' => array() ) ), array() );
                 return $attributes;
         };
         add_filter( 'safe_style_css', $func );
         $this->assertEquals( '<img src="x">', $result_inner );
 }
 }}}

 Fails, and I'm not sure why.

 But this alone

 {{{
 public function test_wp_kses_split_global_pollution() {
         $expected = "<a style='color: red'>I link this</a>";
         $result   = wp_kses_split( "<a style='color: red;'>I link this</a>", array( 'a' => array( 'style' => array() ) ), array( 'http' ) );
         $this->assertEquals( $expected, $result );
 }
 }}}

 Passes well, as expected.

 A more detailed explanation would do good for continuing with this report.

 cc @xknown

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/37698#comment:18>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
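
Added example (not from the ticket, the patch, or WordPress core): a minimal PHP sketch of the pattern the comment above describes, where a callback that reads its settings from globals loses them when a hook re-enters the same function, while a closure with `use` keeps them per call. `filter_tags_global()`, `filter_tags_closure()`, `$pass_allowed` and `$hook` are hypothetical names, and the input is constructed.

```php
<?php
// Hypothetical stand-ins for illustration; none of these are WordPress functions.
$hook = null; // Simulates a filter callback that runs while a tag is processed.

// "Before" shape: the allowlist travels to the callback through a global.
function filter_tags_global( $html, $allowed ) {
    global $pass_allowed;
    $pass_allowed = $allowed; // Any nested call overwrites this for everyone.
    return preg_replace_callback( '/<\/?(\w+)[^>]*>/', 'filter_tags_global_cb', $html );
}

function filter_tags_global_cb( $m ) {
    global $pass_allowed, $hook;
    if ( $hook ) {
        $hook(); // A re-entrant call here replaces $pass_allowed mid-run.
    }
    return in_array( $m[1], $pass_allowed, true ) ? $m[0] : '';
}

// "After" shape: the closure captures this call's allowlist by value.
function filter_tags_closure( $html, $allowed ) {
    global $hook;
    $cb = function ( $m ) use ( $allowed, $hook ) {
        if ( $hook ) {
            $hook(); // The nested call gets its own $allowed; ours is untouched.
        }
        return in_array( $m[1], $allowed, true ) ? $m[0] : '';
    };
    return preg_replace_callback( '/<\/?(\w+)[^>]*>/', $cb, $html );
}

// Constructed input: the outer call allows only <b>, the nested call only <i>.
$input = '<b>bold</b><i>x</i>';

// The nested input has no tags, so the hook does not recurse further.
$hook = function () {
    filter_tags_global( 'no tags here', array( 'i' ) );
};
echo 'global:  ', filter_tags_global( $input, array( 'b' ) ), "\n";

$hook = function () {
    filter_tags_closure( 'no tags here', array( 'i' ) );
};
echo 'closure: ', filter_tags_closure( $input, array( 'b' ) ), "\n";
```

In the global version the nested call's allowlist is the one applied to the rest of the outer input; the closure version applies the outer call's own allowlist throughout.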

