HTML API: Indicate when WordPress rejects attribute updates.

dmsnell · dmsnell · commit 0c46e2a0b480 · 2024-08-02T22:57:46.000Z
When setting an an attribute value in the HTML API, WordPress may reject an update based on rules in `kses`. In these cases, the return value from an escaping function will be an empty string, and the HTML API should reject the update. Unfortunately, it currently reports that it updates the attribute but sets an empty string value, which is misleading. In this patch, the HTML API will refuse the attribute update and return false to indicate as much when WordPress rejects the updates. Developed in WordPress#7114 Discussed in https://core.trac.wordpress.org/ticket/61719 Follow-up to [58472]. Props: amitraj2203, dmsnell, mukesh27. Fixes #61719. git-svn-id: https://develop.svn.wordpress.org/trunk@58844 602fd350-edb4-49c9-b593-d223f7449a82
diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -3197,6 +3197,12 @@ public function set_attribute( $name, $value ): bool {
 			 * @see https://html.spec.whatwg.org/#attributes-3
 			 */
 			$escaped_new_value = in_array( $comparable_name, wp_kses_uri_attributes() ) ? esc_url( $value ) : esc_attr( $value );
+
+			// If the escaping functions wiped out the update, reject it and indicate it was rejected.
+			if ( '' === $escaped_new_value && '' !== $value ) {
+				return false;
+			}
+
 			$updated_attribute = "{$name}=\"{$escaped_new_value}\"";
 		}
 
