wp_kses_one_attr

function

wp_kses_one_attr( string $string, string $element )

Filters one HTML attribute and ensures its value is allowed.

Contents

Description
- Parameters
- Return
- Source
- Changelog
Related
- Uses
- Used By
User Contributed Notes

Description Description

This function can escape data in some situations where wp_kses() must strip the whole attribute.

Parameters Parameters

$string: (string) (Required) The 'whole' attribute, including name and value.
$element: (string) (Required) The HTML element name to which the attribute belongs.

Return Return

(string) Filtered attribute.

Source Source

File: wp-includes/kses.php

function wp_kses_one_attr( $string, $element ) {
	$uris              = wp_kses_uri_attributes();
	$allowed_html      = wp_kses_allowed_html( 'post' );
	$allowed_protocols = wp_allowed_protocols();
	$string            = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );

	// Preserve leading and trailing whitespace.
	$matches = array();
	preg_match( '/^\s*/', $string, $matches );
	$lead = $matches[0];
	preg_match( '/\s*$/', $string, $matches );
	$trail = $matches[0];
	if ( empty( $trail ) ) {
		$string = substr( $string, strlen( $lead ) );
	} else {
		$string = substr( $string, strlen( $lead ), -strlen( $trail ) );
	}

	// Parse attribute name and value from input.
	$split = preg_split( '/\s*=\s*/', $string, 2 );
	$name  = $split[0];
	if ( count( $split ) == 2 ) {
		$value = $split[1];

		// Remove quotes surrounding $value.
		// Also guarantee correct quoting in $string for this one attribute.
		if ( '' == $value ) {
			$quote = '';
		} else {
			$quote = $value[0];
		}
		if ( '"' == $quote || "'" == $quote ) {
			if ( substr( $value, -1 ) != $quote ) {
				return '';
			}
			$value = substr( $value, 1, -1 );
		} else {
			$quote = '"';
		}

		// Sanitize quotes, angle braces, and entities.
		$value = esc_attr( $value );

		// Sanitize URI values.
		if ( in_array( strtolower( $name ), $uris ) ) {
			$value = wp_kses_bad_protocol( $value, $allowed_protocols );
		}

		$string = "$name=$quote$value$quote";
		$vless  = 'n';
	} else {
		$value = '';
		$vless = 'y';
	}

	// Sanitize attribute by name.
	wp_kses_attr_check( $name, $value, $string, $vless, $element, $allowed_html );

	// Restore whitespace.
	return $lead . $string . $trail;
}

Expand full source code Collapse full source code View on Trac

Changelog Changelog

Changelog
Version	Description
4.2.3	Introduced.

Uses Uses

Uses
Uses	Description
wp-includes/kses.php: wp_kses_uri_attributes()	Helper function listing HTML attributes containing a URL.
wp-includes/kses.php: wp_kses_attr_check()	Determines whether an attribute is allowed.
wp-includes/formatting.php: esc_attr()	Escaping for HTML attributes.
wp-includes/kses.php: wp_kses_no_null()	Removes any invalid control characters in a text string.
wp-includes/kses.php: wp_kses_bad_protocol()	Sanitizes a string and removed disallowed URL protocols.
wp-includes/kses.php: wp_kses_allowed_html()	Returns an array of allowed HTML tags and attributes for a given context.
wp-includes/functions.php: wp_allowed_protocols()	Retrieve a list of protocols to allow in HTML attributes.

Show 2 more uses Hide more uses

Used By Used By

Used By
Used By	Description
wp-includes/shortcodes.php: do_shortcodes_in_html_tags()	Search only inside HTML elements for shortcodes and process them.

User Contributed Notes User Contributed Notes

You must log in before being able to contribute a note or feedback.

Keep Leading Your Followers!
Share it for them.