[wp-trac] [WordPress Trac] #63724: HTML API: Reliably parse HTML attributes in `wp_kses_hair()`

WordPress Trac noreply at wordpress.org
Fri Jan 9 23:02:44 UTC 2026


#63724: HTML API: Reliably parse HTML attributes in `wp_kses_hair()`
-------------------------------------------------+-------------------------
 Reporter:  dmsnell                              |       Owner:  dmsnell
     Type:  enhancement                          |      Status:  assigned
 Priority:  normal                               |   Milestone:  7.0
Component:  HTML API                             |     Version:  6.9
 Severity:  normal                               |  Resolution:
 Keywords:  has-patch has-unit-tests needs-      |     Focuses:
  refresh                                        |
-------------------------------------------------+-------------------------

Comment (by dmsnell):

 @jorbin thanks to @jonsurrell’s work we have a test suite, and it
 demonstrates the behaviors as well as where they differ with this
 change.

 I’m going to merge this, expecting to watch things and revert if
 necessary, but I think it will be stable. None of the cases that were
 previously broken were part of the function contract, and additionally,
 calling code had to already expect proper results.

 This is hard for me to verbalize, but here is an example. Suppose we had
 `id=<` as our input. In any situation that code previously wanted to
 detect something about this pattern, it already had to also accept
 `id="<"`, `id="<"`, `id='<'`, and a few other variants.

 So I think this change is not presenting any meaningful differences in
 expectations but rather normalizing inputs so that only a subset of the
 pre-existing expectations are necessary. It’s shrinking the domain of
 required support.

 The test suite shows some great examples of updates that definitely change
 behavior but which are also definitely wanted: in many cases Core is
 entirely unaware of the presence of existing attributes and can lead
 calling code to duplicate attributes or defeat valuable checks because of a
 presumed absence or misparse.

 The original description on the function suggests it will perform
 normalization, but now it will be done comprehensively.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/63724#comment:14>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
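As an added illustration of the normalization argument in the comment above (example code written for this page; it is not WordPress core and not the `wp_kses_hair()` implementation), the tokenizer below follows the WHATWG HTML tokenizer's attribute states in simplified form: no character-reference decoding, no error reporting, names lowercased, and on duplicate attributes the first occurrence wins and later ones are dropped, as the spec prescribes. The inputs are constructed. The point it shows is the one the comment makes: `id=<`, `id="<"` and `id='<'` all denote the same attribute, so a caller that checks the parsed result only has one shape to handle, while a quote-only regex of the kind an ad-hoc sanitizer might use reports the attribute as absent for two of the three spellings.

```python
import re

WHITESPACE = " \t\n\f\r"


def parse_attributes(s: str) -> dict:
    """Tokenize the attribute text of a start tag (everything after the tag
    name) following the WHATWG attribute states, simplified: quoted values
    run to the matching quote, unquoted values run to whitespace or '>',
    and a '<' inside an unquoted value is kept as data (the spec flags it as
    a parse error but still appends the character). Returns an insertion-
    ordered name->value dict; first occurrence wins on duplicate names."""
    attrs = {}
    i, n = 0, len(s)
    while i < n:
        # before-attribute-name: skip whitespace and stray '/'
        while i < n and s[i] in WHITESPACE + "/":
            i += 1
        if i >= n or s[i] == ">":
            break
        # attribute-name: a leading '=' is part of the name (spec parse error)
        start = i
        if s[i] == "=":
            i += 1
        while i < n and s[i] not in WHITESPACE + "/>=":
            i += 1
        name = s[start:i].lower()
        # after-attribute-name: whitespace, then an optional '=' and value
        while i < n and s[i] in WHITESPACE:
            i += 1
        value = ""
        if i < n and s[i] == "=":
            i += 1
            while i < n and s[i] in WHITESPACE:
                i += 1
            if i < n and s[i] in "\"'":
                quote = s[i]
                i += 1
                start = i
                while i < n and s[i] != quote:
                    i += 1
                value = s[start:i]
                i += 1  # consume the closing quote (or run off the end if unterminated)
            else:
                start = i
                while i < n and s[i] not in WHITESPACE + ">":
                    i += 1
                value = s[start:i]
        if name not in attrs:  # duplicate-attribute: keep the first, drop the rest
            attrs[name] = value
    return attrs


# A deliberately naive matcher that only understands name="value": the kind of
# shortcut the comment warns about, which misreports unquoted and
# single-quoted attributes as absent.
_NAIVE = re.compile(r'(\w+)="([^"]*)"')


def naive_attributes(s: str) -> dict:
    return {m.group(1).lower(): m.group(2) for m in _NAIVE.finditer(s)}


def has_id_starting_with_lt(attr_text: str, parser=parse_attributes) -> bool:
    """A caller-side check of the shape discussed in the comment: does the
    tag carry an id whose value starts with '<'? With a normalizing parser
    the check needs one branch; with the naive matcher it silently fails."""
    return parser(attr_text).get("id", "").startswith("<")


if __name__ == "__main__":
    variants = ['id=<', 'id="<"', "id='<'", 'id=< class=x']
    for v in variants:
        print(f"{v!r:18} spec={parse_attributes(v)} naive={naive_attributes(v)}")
    # Duplicate attribute: first wins, so a later override does not sneak through.
    print(parse_attributes('ID = "first" id="second" onclick=alert(1)'))
```

The same `has_id_starting_with_lt` predicate is the shape of check the comment refers to: once parsing is normalized it only ever sees `id` with value `<`, regardless of how the attribute was quoted in the input.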

