[wp-trac] [WordPress Trac] #63724: HTML API: Reliably parse HTML attributes in `wp_kses_hair()`

WordPress Trac noreply at wordpress.org
Mon Jan 19 07:34:16 UTC 2026 

#63724: HTML API: Reliably parse HTML attributes in `wp_kses_hair()`
-------------------------------------------------+-------------------------
 Reporter:  dmsnell                              |       Owner:  dmsnell
     Type:  enhancement                          |      Status:  reopened
 Priority:  normal                               |   Milestone:  7.0
Component:  HTML API                             |     Version:  6.9
 Severity:  normal                               |  Resolution:
 Keywords:  has-patch has-unit-tests needs-      |     Focuses:
  refresh                                        |
-------------------------------------------------+-------------------------

Comment (by dd32):

 FYI @dmsnell after this change

 {{{
 E_WARNING: foreach() argument must be of type array|object, null given in
 wp-includes/kses.php:1634
 }}}

 This was triggered by malformed input:
 {{{
 wp_rel_ugc( '<a href="https://example" title="Malformed</a>' );
 }}}

 The output has remained the same before/after, just it now includes that
 warning.
 {{{
 <a href=\"https://example\" title=\"Malformed</a rel=\"nofollow ugc\">
 }}}

 Stack:
 {{{
     3.8947  105419272  16. wp_rel_ugc($text = '<a href="https://example"
 title="Malformed</a>') : eval()'d code:1
     3.8947  105419736  17. preg_replace_callback($pattern = '|<a
 (.+?)>|i', $callback = class Closure { virtual $closure = "{closure}",
 public $parameter = ['$matches' => '<required>'] }, $subject = '<a
 href="https://example" title="Malformed</a>') wp-
 includes/formatting.php:3310
     3.8948  105420408  18. {closure:wp-
 includes/formatting.php:3307-3309}($matches = [0 => '<a
 href="https://example" title="Malformed</a>', 1 => 'href="https://example"
 title="Malformed</a']) wp-includes/formatting.php:3310
     3.8948  105420664  19. wp_rel_callback($matches = [0 => '<a
 href="https://example" title="Malformed</a>', 1 => 'href="https://example"
 title="Malformed</a'], $rel = 'nofollow ugc') wp-
 includes/formatting.php:3308
     3.8949  105420664  20. wp_kses_hair($attr = 'href="https://example"
 title="Malformed</a', $allowed_protocols = [0 => 'http', 1 => 'https', 2
 => 'ftp', 3 => 'ftps', 4 => 'mailto', 5 => 'news', 6 => 'irc', 7 =>
 'irc6', 8 => 'ircs', 9 => 'gopher', 10 => 'nntp', 11 => 'feed', 12 =>
 'telnet', 13 => 'mms', 14 => 'rtsp', 15 => 'sms', 16 => 'svn', 17 =>
 'tel', 18 => 'fax', 19 => 'xmpp', 20 => 'webcal', 21 => 'urn']) wp-
 includes/formatting.php:3231
 }}}

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/63724#comment:17>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list