Merge branch 'trunk' into add-ability-versioning

Author: JasonTheAdams

src/js/_enqueues/wp/sanitize.js

@@ -23,22 +23,25 @@
 		 * @return {string} Stripped text.
 		 */
 		stripTags: function( text ) {
-			let _text = text || '';
+			const domParser = new DOMParser();
+			const htmlDocument = domParser.parseFromString(
+				text,
+				'text/html'
+			);
 
-			// Do the search-replace until there is nothing to be replaced.
-			do {
-				// Keep pre-replace text for comparison.
-				text = _text;
-
-				// Do the replacement.
-				_text = text
-					.replace( /<!--[\s\S]*?(-->|$)/g, '' )
-					.replace( /<(script|style)[^>]*>[\s\S]*?(<\/\1>|$)/ig, '' )
-					.replace( /<\/?[a-z][\s\S]*?(>|$)/ig, '' );
-			} while ( _text !== text );
+			/*
+			 * The following self-assignment appears to be a no-op, but it isn't.
+			 * It enforces the escaping. Reading the `innerText` property decodes
+			 * character references, returning a raw string. When written, however,
+			 * the text is re-escaped to ensure that the rendered text replicates
+			 * what it's given.
+			 *
+			 * See <https://github.com/WordPress/wordpress-develop/pull/10536#discussion_r2550615378>.
+			 */
+			htmlDocument.body.innerText = htmlDocument.body.innerText;
 
 			// Return the text with stripped tags.
-			return _text;
+			return htmlDocument.body.innerHTML;
 		},
 
 		/**

src/wp-includes/html-api/class-wp-html-tag-processor.php

@@ -2342,10 +2342,12 @@ private function class_name_updates_to_attributes_updates(): void {
 		}
 
 		if ( false === $existing_class && isset( $this->attributes['class'] ) ) {
-			$existing_class = substr(
-				$this->html,
-				$this->attributes['class']->value_starts_at,
-				$this->attributes['class']->value_length
+			$existing_class = WP_HTML_Decoder::decode_attribute(
+				substr(
+					$this->html,
+					$this->attributes['class']->value_starts_at,
+					$this->attributes['class']->value_length
+				)
 			);
 		}
 

tests/phpunit/tests/block-processor/wpBlockProcessor-BlockProcessing.php

@@ -49,31 +49,34 @@ public function test_get_depth() {
 		}
 
 		$processor = new WP_Block_Processor( $html );
-		$n         = new NumberFormatter( 'en-US', NumberFormatter::ORDINAL );
 
 		for ( $i = 0; $i < $max_depth; $i++ ) {
+			$nth = $i + 1;
+
 			$this->assertTrue(
 				$processor->next_delimiter(),
-				"Should have found {$n->format( $i + 1 )} opening delimiter: check test setup."
+				"Should have found opening delimiter #{$nth}: check test setup."
 			);
 
 			$this->assertSame(
 				$i + 1,
 				$processor->get_depth(),
-				"Should have identified the proper depth of the {$n->format( $i + 1 )} opening delimiter."
+				"Should have identified the proper depth of opening delimiter #{$nth}."
 			);
 		}
 
 		for ( $i = 0; $i < $max_depth; $i++ ) {
+			$nth = $i + 1;
+
 			$this->assertTrue(
 				$processor->next_delimiter(),
-				"Should have found {$n->format( $i + 1 )} closing delimiter: check test setup."
+				"Should have found closing delimiter #{$nth}: check test setup."
 			);
 
 			$this->assertSame(
 				$max_depth - $i - 1,
 				$processor->get_depth(),
-				"Should have identified the proper depth of the {$n->format( $i + 1 )} closing delimiter."
+				"Should have identified the proper depth of closing delimiter #{$nth}."
 			);
 		}
 	}

tests/phpunit/tests/html-api/wpHtmlTagProcessor.php

@@ -2887,11 +2887,11 @@ public static function data_updating_attributes_in_malformed_html() {
 			),
 			'HTML tag opening inside attribute value'      => array(
 				'input'    => '<pre id="<code" class="wp-block-code <code is poetry&gt;"><code>This &lt;is> a &lt;strong is="true">thing.</code></pre><span>test</span>',
-				'expected' => '<pre foo="bar" id="<code" class="wp-block-code &lt;code is poetry&amp;gt; firstTag"><code class="secondTag">This &lt;is> a &lt;strong is="true">thing.</code></pre><span>test</span>',
+				'expected' => '<pre foo="bar" id="<code" class="wp-block-code &lt;code is poetry&gt; firstTag"><code class="secondTag">This &lt;is> a &lt;strong is="true">thing.</code></pre><span>test</span>',
 			),
 			'HTML tag brackets in attribute values and data markup' => array(
 				'input'    => '<pre id="<code-&gt;-block-&gt;" class="wp-block-code <code is poetry&gt;"><code>This &lt;is> a &lt;strong is="true">thing.</code></pre><span>test</span>',
-				'expected' => '<pre foo="bar" id="<code-&gt;-block-&gt;" class="wp-block-code &lt;code is poetry&amp;gt; firstTag"><code class="secondTag">This &lt;is> a &lt;strong is="true">thing.</code></pre><span>test</span>',
+				'expected' => '<pre foo="bar" id="<code-&gt;-block-&gt;" class="wp-block-code &lt;code is poetry&gt; firstTag"><code class="secondTag">This &lt;is> a &lt;strong is="true">thing.</code></pre><span>test</span>',
 			),
 			'Single and double quotes in attribute value'  => array(
 				'input'    => '<p title="Demonstrating how to use single quote (\') and double quote (&quot;)"><span>test</span>',
@@ -3028,6 +3028,50 @@ public static function data_updating_attributes_in_malformed_html() {
 		);
 	}
 
+	/**
+	 * @ticket 64340
+	 */
+	public function test_class_changes_produce_correct_html() {
+		$processor = new WP_HTML_Tag_Processor( '<div class="&amp;">' );
+		$processor->next_tag();
+
+		$processor->add_class( '"' );
+		$processor->get_updated_html();
+
+		$processor->add_class( 'OK' );
+		$processor->get_updated_html();
+
+		$this->assertTrue( $processor->has_class( '&' ), 'Missing expected "&" class.' );
+		$this->assertTrue( $processor->has_class( '"' ), 'Missing expected \'"\' class.' );
+		$this->assertTrue( $processor->has_class( 'OK' ), 'Missing expected "OK" class.' );
+
+		$expected = '<div class="&amp; &quot; OK">';
+		$this->assertEqualHTML(
+			$expected,
+			$processor->get_updated_html(),
+			'<body>',
+			'HTML was not correctly updated after adding classes.'
+		);
+
+		$processor->remove_class( '&' );
+		$processor->get_updated_html();
+
+		$processor->remove_class( '"' );
+		$processor->get_updated_html();
+
+		$this->assertFalse( $processor->has_class( '&' ) );
+		$this->assertFalse( $processor->has_class( '"' ) );
+		$this->assertTrue( $processor->has_class( 'OK' ) );
+
+		$expected = '<div class="OK">';
+		$this->assertEqualHTML(
+			$expected,
+			$processor->get_updated_html(),
+			'<body>',
+			'HTML was not correctly updated after removing classes.'
+		);
+	}
+
 	/**
 	 * @covers WP_HTML_Tag_Processor::next_tag
 	 */