HTML API: Use strict in_array comparison for checking URI attributes.

dmsnell · dmsnell · commit 064f75e12b65 · 2024-08-14T19:49:03.000Z
This patch modifies the URL-escaping code in the HTML API to rely on strict comparisons. This prevents accidental matching via type-coercion. Developed in #7196 Follow-up to [58473]. Props jonsurrell. git-svn-id: https://develop.svn.wordpress.org/trunk@58897 602fd350-edb4-49c9-b593-d223f7449a82
diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -3667,7 +3667,7 @@ public function set_attribute( $name, $value ): bool {
 			 *
 			 * @see https://html.spec.whatwg.org/#attributes-3
 			 */
-			$escaped_new_value = in_array( $comparable_name, wp_kses_uri_attributes() ) ? esc_url( $value ) : esc_attr( $value );
+			$escaped_new_value = in_array( $comparable_name, wp_kses_uri_attributes(), true ) ? esc_url( $value ) : esc_attr( $value );
 
 			// If the escaping functions wiped out the update, reject it and indicate it was rejected.
 			if ( '' === $escaped_new_value && '' !== $value ) {

Original file line number	Diff line number	Diff line change
`@@ -3667,7 +3667,7 @@ public function set_attribute( $name, $value ): bool {`
`3667`	`3667`	`*`
`3668`	`3668`	`* @see https://html.spec.whatwg.org/#attributes-3`
`3669`	`3669`	`*/`
`3670`		`- $escaped_new_value = in_array( $comparable_name, wp_kses_uri_attributes() ) ? esc_url( $value ) : esc_attr( $value );`
	`3670`	`+ $escaped_new_value = in_array( $comparable_name, wp_kses_uri_attributes(), true ) ? esc_url( $value ) : esc_attr( $value );`
`3671`	`3671`
`3672`	`3672`	`// If the escaping functions wiped out the update, reject it and indicate it was rejected.`
`3673`	`3673`	`if ( '' === $escaped_new_value && '' !== $value ) {`