[wp-trac] [WordPress Trac] #64054: HTML API: Attribute escaping should escape all HTML entities
WordPress Trac
noreply at wordpress.org
Fri Oct 3 16:03:22 UTC 2025
#64054: HTML API: Attribute escaping should escape all HTML entities
--------------------------+------------------------------
Reporter: jonsurrell | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: HTML API | Version: 6.2
Severity: normal | Resolution:
Keywords: has-patch | Focuses:
--------------------------+------------------------------
Comment (by jonsurrell):
[https://playground.wordpress.net/php-
playground.html#eyJjb2RlIjoiPD9waHBcbnJlcXVpcmUgJy93b3JkcHJlc3Mvd3AtbG9hZC5waHAnO1xuZWNobyBcIjxwbGFpbnRleHQ+XCI7XG5cbiRwID0gbmV3IFdQX0hUTUxfVGFnX1Byb2Nlc3NvciggJzxwPicgKTtcbiRwLT5uZXh0X3RhZygpO1xuJHAtPnNldF9hdHRyaWJ1dGUoICdkYXRhLWx0LWd0JywgJyZsdDsgJmd0OycgKTtcbnZhcl9kdW1wKCAkcC0+Z2V0X2F0dHJpYnV0ZSgnZGF0YS1sdC1ndCcpICk7IiwicGhwIjoiOC40Iiwid3AiOiI2LjgifQ==
Here's a demo of how this behavior is not consistent.] A round trip
`set_attribute()` + `get_attribute()` decodes anything that looked like
entities:
{{{#!php
<?php
$p = new WP_HTML_Tag_Processor( '<p>' );
$p->next_tag();
$p->set_attribute( 'data-lt-gt', '&lt; &gt;' );
var_dump( $p->get_attribute('data-lt-gt') );
// string(3) "< >"
// expected: "&lt; &gt;"
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/64054#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
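
The round-trip property the comment describes can be checked in plain PHP. This is an added example, not code from the ticket or from WordPress: `htmlspecialchars()` and `html_entity_decode()` are stand-ins for the HTML API's attribute encoding and decoding, and the function names and sample values are hypothetical.

```php
<?php
// Added illustration; plain PHP, no WordPress required.
// All function names below are hypothetical.

// Stand-in for an encoder that leaves text that already looks like a
// character reference untouched (double_encode = false).
function encode_keep_references( string $value ): string {
	return htmlspecialchars( $value, ENT_QUOTES | ENT_HTML5, 'UTF-8', false );
}

// Stand-in for an encoder that escapes every "&", so the input is always
// treated as plain text rather than as pre-encoded HTML.
function encode_all( string $value ): string {
	return htmlspecialchars( $value, ENT_QUOTES | ENT_HTML5, 'UTF-8', true );
}

// Stand-in for what any reader of the serialized attribute does.
function decode_attribute( string $raw ): string {
	return html_entity_decode( $raw, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
}

// The property under test: decode( encode( x ) ) === x.
function round_trips( callable $encode, string $value ): bool {
	return decode_attribute( $encode( $value ) ) === $value;
}

// Constructed sample values: some contain text that looks like entities.
$samples = array( '&lt; &gt;', '< >', 'a &amp; b', 'Tom & Jerry', '"quoted"' );

foreach ( $samples as $value ) {
	printf(
		"%-14s keep-references: %-4s escape-all: %s\n",
		var_export( $value, true ),
		round_trips( 'encode_keep_references', $value ) ? 'ok' : 'LOST',
		round_trips( 'encode_all', $value ) ? 'ok' : 'LOST'
	);
}
```

Values that contain entity-like text are the ones to watch: an encoder that passes them through unchanged hands the decoder something it will decode a second time.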