[wp-trac] [WordPress Trac] #63724: HTML API: Reliably parse HTML attributes in `wp_kses_hair()`
WordPress Trac
noreply at wordpress.org
Thu Jul 24 21:10:39 UTC 2025
#63724: HTML API: Reliably parse HTML attributes in `wp_kses_hair()`
----------------------------------------+---------------------
Reporter: dmsnell | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: 6.9
Component: HTML API | Version: trunk
Severity: normal | Resolution:
Keywords: has-patch needs-unit-tests | Focuses:
----------------------------------------+---------------------
Comment (by dmsnell):
Thanks @jorbin — I’m slow, but I plan on adding tests that assert the
mapping between HTML attributes and the kinds of outputs that
`wp_kses_hair()` produces.
This ticket will probably be a good proving ground for these kinds of
changes, as there is a long list of core functionality that I would like
to see us update over the coming years. Almost every one of them will
involve behavioral changes, but I believe that leaving the kinds of
breakages in place is not the best way forward.
At least in the ideal cases the behaviors are preserved. That is, the
intent matches. I don’t know how much belongs in a test to show those
changes, but I know some of those tests will lose relevance with time. For
example, if `wp_kses_hair()` misparses an HTML attribute but WordPress now
properly understands that attribute, do you have suggestions on how you
would like to see that?
At the extreme end I know we don’t document previous bugs, but as you say,
this has been long established. Still, in some cases, logging notable
changes is also broadcasting some sensitive vulnerabilities that remain in
other parts of Core.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63724#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform