[wp-trac] [WordPress Trac] #64340: HTML API may double-escape class names when adding repeatedly
WordPress Trac
noreply at wordpress.org
Wed Dec 3 13:10:10 UTC 2025
#64340: HTML API may double-escape class names when adding repeatedly
--------------------------------------+-------------------------
Reporter: jonsurrell | Owner: jonsurrell
Type: defect (bug) | Status: assigned
Priority: normal | Milestone: 6.9.1
Component: HTML API | Version: 6.9
Severity: normal | Resolution:
Keywords: has-patch has-unit-tests | Focuses:
--------------------------------------+-------------------------
Description changed by jonsurrell:
Old description:
> `WP_HTML_Tag_Processor` and `WP_HTML_Processor` may incorrectly encode
> class names containing the characters `&`, `<`, `>`, `"`, or `'` when
> modifying them via class methods like `::add_class()` and calling
> `::get_updated_html()`.
>
> For example:
>
> {{{#!php
> <?php
> $p = new WP_HTML_Tag_Processor('<div></div>');
> $p->next_tag();
> $p->add_class('&');
> echo $p->get_updated_html() . "\n";
> $p->add_class('OK');
> echo $p->get_updated_html() . "\n";
> }}}
>
> Will print:
>
> {{{#!xml
> <div class="&amp;"></div>
> <div class="&amp;amp; OK"></div>
> }}}
>
> Notice that the first pass is correct: `&` has been correctly encoded in
> the class attribute as `&amp;`. However, after calling `::add_class()`
> and `::get_updated_html()` again, the `&` has incorrectly been
> double-encoded as `&amp;amp;`.
>
> The same code in WordPress 6.8 would print:
>
> {{{#!xml
> <div class="&amp;"></div>
> <div class="&amp; OK"></div>
> }}}
>
> This is related to [60919], which was released in WordPress 6.9. The
> double-encoding behavior was present before, but it was "corrected" in
> this case by the use of `esc_attr()`, which avoids any double-encoding.
> When `esc_attr()` usage was removed in [60919], the double-escaping
> behavior manifests, causing this issue.
>
> ----
>
> This was originally reported by GitHub user `ktmn` in
> [https://github.com/WordPress/gutenberg/issues/73713 Gutenberg issue
> 73713].
New description:
`WP_HTML_Tag_Processor` and `WP_HTML_Processor` may incorrectly encode
class names containing the characters `&`, `<`, `>`, `"`, or `'` when
modifying them via class methods like `::add_class()` and calling
`::get_updated_html()`.
For example:
{{{#!php
<?php
$p = new WP_HTML_Tag_Processor('<div></div>');
$p->next_tag();
$p->add_class('&');
echo $p->get_updated_html() . "\n";
$p->add_class('OK');
echo $p->get_updated_html() . "\n";
}}}
Will print:
{{{#!xml
<div class="&amp;"></div>
<div class="&amp;amp; OK"></div>
}}}
Notice that the first pass is correct: `&` has been correctly encoded in
the class attribute as `&amp;`. However, after calling `::add_class()` and
`::get_updated_html()` again, the `&` has incorrectly been double-encoded
as `&amp;amp;`.
The same code in WordPress 6.8 would print:
{{{#!xml
<div class="&amp;"></div>
<div class="&amp; OK"></div>
}}}
This is related to [60919], which was released in WordPress 6.9. The
double-encoding behavior was present before, but in this case it was
"corrected" by the use of `esc_attr()`, which avoids any double-encoding.
Once `esc_attr()` usage was removed in [60919], the double-escaping behavior
manifests, causing this issue.
----
This was originally reported by GitHub user `ktmn` in
[https://github.com/WordPress/gutenberg/issues/73713 Gutenberg issue
73713].
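The failure mode described above can be reproduced without WordPress. The following is an added example, not WordPress core code and not a description of how `WP_HTML_Tag_Processor` is implemented internally: `NaiveClassEditor` stands in for an editor that keeps the already-serialized attribute text and re-encodes it on every update, `ClassEditor` keeps raw class names and encodes once at output, and `attribute_round_trips()` is the check a reviewer can run against any produced HTML: decode the class attribute the way a browser would and compare it with the class list that was actually added. The input classes `&` and `OK` are the ticket's own reproduction; the class and function names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not WordPress core code. It models the double-encoding
// failure mode from this ticket with a tiny stand-in for a class-list editor;
// the class and function names are assumptions, and the input classes
// '&' and 'OK' are taken from the ticket's reproduction.

/** Encode a raw value for a double-quoted HTML attribute. */
function encode_attr(string $raw, bool $double_encode = true): string
{
    // With $double_encode = true an existing "&amp;" becomes "&amp;amp;".
    // With false (what esc_attr() does) existing entities are left alone.
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', $double_encode);
}

/** What a browser will see as the attribute's value after parsing it. */
function decode_attr(string $encoded): string
{
    return html_entity_decode($encoded, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Buggy editor: it keeps the already serialized attribute text between calls
 * and runs it through the encoder again on every update.
 */
final class NaiveClassEditor
{
    private string $encoded = '';

    public function __construct(private bool $double_encode = true)
    {
    }

    public function add_class(string $class): void
    {
        $parts   = $this->encoded === '' ? [] : explode(' ', $this->encoded);
        $parts[] = $class;
        // The previously encoded parts get encoded a second time here.
        $this->encoded = encode_attr(implode(' ', $parts), $this->double_encode);
    }

    public function html(): string
    {
        return '<div class="' . $this->encoded . '"></div>';
    }
}

/**
 * Fixed editor: it keeps raw (decoded) class names and encodes exactly once,
 * at serialization time, so repeated updates cannot accumulate encoding.
 */
final class ClassEditor
{
    /** @var string[] raw class names, never stored in encoded form */
    private array $classes = [];

    public function add_class(string $class): void
    {
        if (!in_array($class, $this->classes, true)) {
            $this->classes[] = $class;
        }
    }

    public function html(): string
    {
        return '<div class="' . encode_attr(implode(' ', $this->classes)) . '"></div>';
    }
}

/**
 * Regression check: decode the class attribute the way a browser would and
 * compare it with the class list that was actually added.
 */
function attribute_round_trips(string $html, array $expected_classes): bool
{
    if (preg_match('/class="([^"]*)"/', $html, $m) !== 1) {
        return false;
    }
    return decode_attr($m[1]) === implode(' ', $expected_classes);
}

$classes = ['&', 'OK'];
$editors = ['naive' => new NaiveClassEditor(), 'fixed' => new ClassEditor()];

foreach ($editors as $name => $editor) {
    foreach ($classes as $class) {
        $editor->add_class($class);
        printf("%-5s %s\n", $name, $editor->html());
    }
    printf("%-5s round-trips: %s\n", $name, attribute_round_trips($editor->html(), $classes) ? 'yes' : 'NO');
}

// double_encode = false hides the bug for this input, as esc_attr() did before
// [60919], but it cannot tell a raw class named "&amp;" from an encoded "&".
$masked = new NaiveClassEditor(false);
$masked->add_class('&');
$masked->add_class('OK');
printf("%-5s %s\n", 'esc', $masked->html());
printf("%-5s raw \"&amp;\" survives encoding as: %s\n", 'esc', encode_attr('&amp;', false));
```

Run it with `php example.php` (PHP 8.0 or later). The naive editor's second line reproduces the ticket's `&amp;amp; OK` output and fails the round-trip check, while the fixed editor passes it on both updates. The final two lines show why `esc_attr()`'s no-double-encode behaviour only masked the problem: it makes the naive editor's output look right for this input, but a class name that genuinely contains `&amp;` is then emitted unchanged and decoded by the browser as `&`. The durable fix is the one the second editor takes, storing decoded values and encoding once at serialization.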
--
Ticket URL: <https://core.trac.wordpress.org/ticket/64340#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>