[wp-trac] [WordPress Trac] #62426: Interactivity API directives support invalid data attribute characters on the server
WordPress Trac
noreply at wordpress.org
Mon Mar 10 19:51:56 UTC 2025
#62426: Interactivity API directives support invalid data attribute characters on
the server
---------------------------------------------------+---------------------
Reporter: jonsurrell | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: 6.8
Component: Interactivity API | Version: 6.5
Severity: major | Resolution:
Keywords: has-patch has-unit-tests dev-feedback | Focuses:
---------------------------------------------------+---------------------
Changes (by SirLouen):
* keywords: has-patch => has-patch has-unit-tests dev-feedback
* severity: normal => major
Comment:
== Test Report
=== Description
This report validates that the indicated patch addresses the issue.
Patch tested: [https://patch-diff.githubusercontent.com/raw/WordPress/wordpress-develop/pull/8048.diff PR 8048]
=== Environment
- WordPress: 6.8-beta1-59933-src
- PHP: 8.2.27
- Server: nginx/1.27.4
- Database: mysqli (Server: 8.4.4 / Client: mysqlnd 8.2.27)
- Browser: Chrome 133.0.0.0
- OS: Windows 10/11
- Theme: Twenty Twenty-Five 1.1
- MU Plugins: None activated
- Plugins:
* Test Reports 1.2.0
=== Reproduction steps
1. Using `interactivity-testing.php` in a working WP environment gives the expected results.
- For the first test case without the patch, the class is present and this
is wrong (class="bottom-[-24rem]")
- For the first test case with the patch, class should not be present
2. For the second test case with the patch, class should be present in
both scenarios.
=== Actual Results with Patch
- ✅ Invalid directive with square brackets is not processed (no class
attribute added)
- ✅ Valid directive without square brackets is processed correctly (class
attribute added)
=== Additional Notes
- Tests were added in the last version of the 8048 PR
=== Supplemental Artifacts
File: interactivity-testing.php
{{{#!php
<?php
require_once __DIR__ . '/wp-load.php';
// Test Case 1: Invalid directive with square brackets
$html = <<<HTML
<div data-wp-interactive="example" data-wp-context='{"x":1}'><div data-wp-class--bottom-[-24rem]="context.x">Should not have any class attribute.</div></div>
HTML;
echo "Test Case 1 (Invalid directive):\n";
echo wp_interactivity_process_directives( $html );
echo "\n\n";
// Test Case 2: Valid directive without square brackets
$html = <<<HTML
<div data-wp-interactive="example" data-wp-context='{"x":1}'><div data-wp-class--bottom--24rem="context.x">Must have class attribute.</div></div>
HTML;
echo "Test Case 2 (Valid directive):\n";
echo wp_interactivity_process_directives( $html );
echo "\n\n";
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/62426#comment:10>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform