HTML API: Run URL attributes through esc_url().

Props dmsnell, xknown, jorbin, gziolo.




git-svn-id: https://develop.svn.wordpress.org/trunk@58472 602fd350-edb4-49c9-b593-d223f7449a82

Author: audrasjb

src/wp-includes/html-api/class-wp-html-tag-processor.php

@@ -2972,8 +2972,16 @@ public function set_attribute( $name, $value ) {
 		if ( true === $value ) {
 			$updated_attribute = $name;
 		} else {
+			$tag_name        = $this->get_tag();
+			$comparable_name = strtolower( $name );
+
+			/*
+			 * Escape URL attributes.
+			 *
+			 * @see https://html.spec.whatwg.org/#attributes-3
+			 */
 			$escaped_new_value = esc_attr( $value );
-			$updated_attribute = "{$name}=\"{$escaped_new_value}\"";
+			$updated_attribute = wp_kses_one_attr( "{$comparable_name}=\"{$escaped_new_value}\"", $tag_name );
 		}
 
 		/*