[wp-trac] [WordPress Trac] #29807: add support for picture element and srcset attribute on img in wp_kses
WordPress Trac
noreply at wordpress.org
Mon Feb 2 10:33:42 UTC 2026
#29807: add support for picture element and srcset attribute on img in wp_kses
-------------------------------------------------+-------------------------
Reporter: mattheu | Owner:
| adamsilverstein
Type: defect (bug) | Status: assigned
Priority: normal | Milestone: 7.0
Component: Formatting | Version:
Severity: normal | Resolution:
Keywords: has-patch has-unit-tests early | Focuses:
needs-refresh |
-------------------------------------------------+-------------------------
Changes (by ozgursar):
* keywords: has-patch has-unit-tests early needs-testing => has-patch has-
unit-tests early needs-refresh
Comment:
When I try to apply the patch (https://github.com/WordPress/wordpress-
develop/pull/6184) to the latest `trunk` (7.0-alpha-61215-src) it fails to
apply with the following messages:
{{{
Running "patch:https://github.com/WordPress/wordpress-develop/pull/6184"
(patch) task
patching file 'src/wp-includes/kses.php'
4 out of 11 hunks failed--saving rejects to 'src/wp-includes/kses.php.rej'
patching file 'tests/phpunit/tests/kses.php'
}}}
Rejects added to `kses.php.rej` are as follows:
{{{
@@ -1587,7 +1593,6 @@
$attrarr = array();
$mode = 0;
$attrname = '';
- $uris = wp_kses_uri_attributes();
// Loop through the whole attribute list.
@@ -1635,9 +1640,9 @@
if ( preg_match( '%^"([^"]*)"(\s+|/?$)%',
$attr, $match ) ) {
// "value"
$thisval = $match[1];
- if ( in_array( strtolower(
$attrname ), $uris, true ) ) {
- $thisval =
wp_kses_bad_protocol( $thisval, $allowed_protocols );
- }
+
+ // Sanitize URI values.
+ $thisval = wp_kses_sanitize_uris(
$attrname, $thisval, $allowed_protocols );
if ( false === array_key_exists(
$attrname, $attrarr ) ) {
$attrarr[ $attrname ] =
array(
@@ -1657,9 +1662,8 @@
if ( preg_match( "%^'([^']*)'(\s+|/?$)%",
$attr, $match ) ) {
// 'value'
$thisval = $match[1];
- if ( in_array( strtolower(
$attrname ), $uris, true ) ) {
- $thisval =
wp_kses_bad_protocol( $thisval, $allowed_protocols );
- }
+ // Sanitize URI values.
+ $thisval = wp_kses_sanitize_uris(
$attrname, $thisval, $allowed_protocols );
if ( false === array_key_exists(
$attrname, $attrarr ) ) {
$attrarr[ $attrname ] =
array(
@@ -1679,9 +1683,8 @@
if ( preg_match(
"%^([^\s\"']+)(\s+|/?$)%", $attr, $match ) ) {
// value
$thisval = $match[1];
- if ( in_array( strtolower(
$attrname ), $uris, true ) ) {
- $thisval =
wp_kses_bad_protocol( $thisval, $allowed_protocols );
- }
+ // Sanitize URI values.
+ $thisval = wp_kses_sanitize_uris(
$attrname, $thisval, $allowed_protocols );
if ( false === array_key_exists(
$attrname, $attrarr ) ) {
$attrarr[ $attrname ] =
array(
}}}
As the patch can not be successfully applied to the trunk, I'm removing
`needs-testing` and adding `needs-refresh`.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/29807#comment:53>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list