[wp-trac] [WordPress Trac] #65270: wp_kses() corrupts valid CSS background-image: url(...) declarations into style=")" 7.0-RC4
WordPress Trac
noreply at wordpress.org
Tue May 19 13:56:36 UTC 2026
#65270: wp_kses() corrupts valid CSS background-image: url(...) declarations into
style=")" 7.0-RC4
--------------------------+-----------------------------
Reporter: nextendweb | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Formatting | Version: trunk
Severity: major | Keywords:
Focuses: |
--------------------------+-----------------------------
`wp_kses()` appears to incorrectly sanitize valid CSS `background-image:
url(...)` declarations, resulting in malformed output instead of
preserving the declaration or removing it entirely.
The issue reproduces with both literal quotes and HTML entity encoded
quotes inside `url(...)`.
**Steps to Reproduce**
{{{
$allowed = [
'div' => [
'style' => true,
],
];
echo wp_kses( '<div style="background-image:
url(\'https://localhost/image.jpg\');"></div>', $allowed );
echo wp_kses( '<div style="background-image:
url("https://localhost/image.jpg");"></div>', $allowed );
}}}
**Actual Results**
Both examples produce:
{{{
<div style=")"></div>
}}}
**Expected Results**
Expected output should either preserve the valid CSS:
{{{
<div style="background-image: url('https://localhost/image.jpg')"></div>
}}}
The sanitizer should not emit malformed residual CSS such as:
{{{
style=")"
}}}
**Regression Notes**
This appears to be a regression from WordPress 6.9.4 for single-quoted CSS
`url(...)` values.
In WordPress 6.9.4, this worked as expected:
{{{
wp_kses(
'<div style="background-image:
url(\'https://localhost/image.jpg\');"></div>',
[
'div' => [
'style' => true,
],
]
);
}}}
In WordPress 7.0-RC4, the same input returns:
{{{
<div style=")"></div>
}}}
The `"` variant appears to produce the same broken result in both
WordPress 6.9.4 and 7.0-RC4, so that part should not be described as a
regression.
The regression scope appears to be valid CSS using single quotes inside
`url(...)`, which worked in 6.9.4 and now produces malformed residual
output in 7.0-RC4.
**Additional Notes**
* `style => true` is the expected way to allow the `style` attribute in
`wp_kses()`.
* `https` is an allowed protocol by default.
* The issue reproduces regardless of whether quotes inside `url(...)` are
literal or entity encoded (`"`).
* This appears related to CSS sanitization in `safecss_filter_attr()`
rather than HTML attribute allowlisting itself.
* Potential regression in recent KSES/CSS parsing changes.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/65270>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list