[wp-trac] [WordPress Trac] #29807: add support for picture element and srcset attribute on img in wp_kses
WordPress Trac
noreply at wordpress.org
Sat Mar 14 10:18:18 UTC 2026
#29807: add support for picture element and srcset attribute on img in wp_kses
--------------------------------------------+------------------------------
Reporter: mattheu | Owner: adamsilverstein
Type: defect (bug) | Status: assigned
Priority: normal | Milestone: 7.1
Component: Formatting | Version:
Severity: normal | Resolution:
Keywords: has-patch has-unit-tests early | Focuses:
--------------------------------------------+------------------------------
Changes (by ozgursar):
* keywords: has-patch has-unit-tests early needs-refresh => has-patch
has-unit-tests early
Comment:
== Patch Testing Report
Patch Tested: https://github.com/WordPress/wordpress-develop/pull/6184
=== Environment
- WordPress: 7.0-beta5-61991-src
- PHP: 8.2.29
- Server: nginx/1.29.4
- Database: mysqli (Server: 8.4.7 / Client: mysqlnd 8.2.29)
- Browser: Opera
- OS: macOS
- Theme: Twenty Twenty-Five 1.4
- MU Plugins: None activated
- Plugins:
* Code Snippets 3.9.5
* Test Reports 1.2.1
I've created a test plugin based on the unit tests in PR 6184.
=== Steps taken
1. Download the test plugin from
[https://gist.github.com/ozgursar/62ee9d1a9d5491b30c1d277489b46644 Gist]
and install as a plugin or add to `functions.php`
2. Go to `Tools > #29807 Tests`
3. Observe Input and Output based on the function tested
4. Apply patch
5. Observe the same tests again and confirm they pass this time
6. ✅ Patch is solving the problem
=== Expected result
- `<picture>` and `<source>` elements are preserved by `wp_kses()` and no
longer stripped from post content
- `srcset`, `sizes`, `decoding`, and `fetchpriority` attributes are
preserved on `<img>` tags
- `<source>` element correctly allows `srcset`, `type`, `media`, and
`sizes` attributes
- Disallowed attributes (`src`) and event handlers (`onclick`, `onerror`)
are stripped from `<source>`
- Bad protocols (for example `bad://`, `javascript:`) are stripped per-URL
within a comma-separated `srcset` value, but valid URLs in the same
`srcset` are preserved
- CDN image resizer URLs containing commas in the path (for example
Cloudflare `cdn-cgi/image/format=auto,quality=80/...`) are not shredded by
the `srcset` splitting logic
- `srcset` is registered in `wp_kses_uri_attributes()` so protocol
sanitization is applied to it automatically
- The `wp_kses_uri_attributes` filter allows developers to control which
attributes are treated as URI lists
- The new `wp_kses_sanitize_uris()` function correctly handles single-URI
attributes, multi-URI attributes, and non-URI attributes
=== Additional Notes
- Test plugin is created with the help of Claude AI based on the patch and
unit tests found in `kses.php`
=== Screenshots/Screencast with results
Before
[[Image(https://i.imgur.com/IOdABoa.png)]]
After
[[Image(https://i.imgur.com/C5RrHki.png)]]
--
Ticket URL: <https://core.trac.wordpress.org/ticket/29807#comment:65>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
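
The per-URL `srcset` behaviour listed under "Expected result", as an added PHP sketch that is not the code from PR 6184 or WordPress core: it splits the value the way the HTML `srcset` parsing rules do (a URL runs to the next whitespace, so commas inside a CDN path survive) and drops only the candidates whose scheme is not allowed. The `example_*` names, the `http`/`https` allowlist and the sample value are assumptions; the input is assumed to be entity-decoded already, and parenthesised descriptors are not handled.

```php
<?php
// Added illustration, not the PR 6184 implementation. The allowlist below is
// an assumption; the attribute value is assumed to be entity-decoded.
const EXAMPLE_ALLOWED_SCHEMES = array( 'http', 'https' );

// Split a srcset value into array( url, descriptor ) candidates.
function example_parse_srcset( string $srcset ): array {
	$ws         = " \t\n\f\r";
	$candidates = array();
	$len        = strlen( $srcset );
	$i          = 0;
	// Skip the whitespace and commas that separate candidates, then read one.
	while ( ( $i += strspn( $srcset, $ws . ',', $i ) ) < $len ) {
		$n   = strcspn( $srcset, $ws, $i ); // The URL runs to the next whitespace,
		$url = substr( $srcset, $i, $n );   // so commas inside the path are kept.
		$i  += $n;
		$descriptor = '';
		if ( ',' === substr( $url, -1 ) ) {
			$url = rtrim( $url, ',' ); // A trailing comma ends the candidate.
		} else {
			$n          = strcspn( $srcset, ',', $i ); // Descriptor runs to the next comma.
			$descriptor = trim( substr( $srcset, $i, $n ) );
			$i         += $n;
		}
		$candidates[] = array( $url, $descriptor );
	}
	return $candidates;
}

// Relative URLs (no scheme) pass; absolute URLs must use an allowed scheme.
function example_scheme_allowed( string $url ): bool {
	if ( ! preg_match( '/^([a-z][a-z0-9+.\-]*):/i', $url, $m ) ) {
		return true;
	}
	return in_array( strtolower( $m[1] ), EXAMPLE_ALLOWED_SCHEMES, true );
}

// Keep the allowed candidates and rebuild the attribute value.
function example_sanitize_srcset( string $srcset ): string {
	$kept = array();
	foreach ( example_parse_srcset( $srcset ) as list( $url, $descriptor ) ) {
		if ( example_scheme_allowed( $url ) ) {
			$kept[] = '' === $descriptor ? $url : "$url $descriptor";
		}
	}
	return implode( ', ', $kept );
}

// Constructed sample value: one CDN URL with commas, two bad schemes, one relative URL.
echo example_sanitize_srcset( 'https://example.com/cdn-cgi/image/format=auto,quality=80/a.jpg 1x, javascript:alert(1) 2x, bad://example.com/b.jpg 3x, /img/c.jpg 4x' ), "\n";
```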