[wp-trac] [WordPress Trac] #65270: wp_kses() corrupts valid CSS background-image: url(...) declarations into style=")" 7.0-RC4

WordPress Trac noreply at wordpress.org
Tue May 19 13:56:36 UTC 2026


#65270: wp_kses() corrupts valid CSS background-image: url(...) declarations into
style=")" 7.0-RC4
--------------------------+-----------------------------
 Reporter:  nextendweb    |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Formatting    |    Version:  trunk
 Severity:  major         |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 `wp_kses()` appears to incorrectly sanitize valid CSS `background-image:
 url(...)` declarations, resulting in malformed output instead of
 preserving the declaration or removing it entirely.

 The issue reproduces with both literal quotes and HTML entity encoded
 quotes inside `url(...)`.

 **Steps to Reproduce**

 {{{
 $allowed = [
   'div' => [
     'style' => true,
   ],
 ];

 echo wp_kses( '<div style="background-image:
 url(\'https://localhost/image.jpg\');"></div>', $allowed );

 echo wp_kses( '<div style="background-image:
 url("https://localhost/image.jpg");"></div>', $allowed );
 }}}

 **Actual Results**

 Both examples produce:

 {{{

 <div style=")"></div>
 }}}

 **Expected Results**

 Expected output should either preserve the valid CSS:

 {{{

 <div style="background-image: url('https://localhost/image.jpg')"></div>
 }}}

 The sanitizer should not emit malformed residual CSS such as:

 {{{
 style=")"
 }}}

 **Regression Notes**

 This appears to be a regression from WordPress 6.9.4 for single-quoted CSS
 `url(...)` values.

 In WordPress 6.9.4, this worked as expected:

 {{{
 wp_kses(
     '<div style="background-image:
 url(\'https://localhost/image.jpg\');"></div>',
     [
         'div' => [
             'style' => true,
         ],
     ]
 );
 }}}

 In WordPress 7.0-RC4, the same input returns:

 {{{
 <div style=")"></div>
 }}}

 The `"` variant appears to produce the same broken result in both
 WordPress 6.9.4 and 7.0-RC4, so that part should not be described as a
 regression.

 The regression scope appears to be valid CSS using single quotes inside
 `url(...)`, which worked in 6.9.4 and now produces malformed residual
 output in 7.0-RC4.

 **Additional Notes**

 * `style => true` is the expected way to allow the `style` attribute in
 `wp_kses()`.
 * `https` is an allowed protocol by default.
 * The issue reproduces regardless of whether quotes inside `url(...)` are
 literal or entity encoded (`"`).
 * This appears related to CSS sanitization in `safecss_filter_attr()`
 rather than HTML attribute allowlisting itself.
 * Potential regression in recent KSES/CSS parsing changes.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/65270>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform


More information about the wp-trac mailing list