wp_kses_attr_check

Advertisement

Summery Summery

Determines whether an attribute is allowed.

Syntax Syntax

wp_kses_attr_check( string $name, string $value, string $whole, string $vless, string $element, array $allowed_html )

Parameters Parameters

$name

(string) (Required) The attribute name. Passed by reference. Returns empty string when not allowed.

$value

(string) (Required) The attribute value. Passed by reference. Returns a filtered value.

$whole

(string) (Required) The name=value input. Passed by reference. Returns filtered input.

$vless

(string) (Required) Whether the attribute is valueless. Use 'y' or 'n'.

$element

(string) (Required) The name of the element to which this attribute belongs.

$allowed_html

(array) (Required) The full list of allowed elements and attributes.

Return Return

(bool) Whether or not the attribute is allowed.

Source Source

File: wp-includes/kses.php

	// Split it.
	$attrarr = wp_kses_hair( $attr, $allowed_protocols );

	// Go through $attrarr, and save the allowed attributes for this element
	// in $attr2.
	$attr2 = '';
	foreach ( $attrarr as $arreach ) {
		if ( wp_kses_attr_check( $arreach['name'], $arreach['value'], $arreach['whole'], $arreach['vless'], $element, $allowed_html ) ) {
			$attr2 .= ' ' . $arreach['whole'];
		}
	}

	// Remove any "<" or ">" characters.
	$attr2 = preg_replace( '/[<>]/', '', $attr2 );

	return "<$element$attr2$xhtml_slash>";
}

/**
 * Determines whether an attribute is allowed.
 *
 * @since 4.2.3
 * @since 5.0.0 Add support for `data-*` wildcard attributes.
 *
 * @param string $name         The attribute name. Passed by reference. Returns empty string when not allowed.
 * @param string $value        The attribute value. Passed by reference. Returns a filtered value.
 * @param string $whole        The `name=value` input. Passed by reference. Returns filtered input.
 * @param string $vless        Whether the attribute is valueless. Use 'y' or 'n'.
 * @param string $element      The name of the element to which this attribute belongs.
 * @param array  $allowed_html The full list of allowed elements and attributes.
 * @return bool Whether or not the attribute is allowed.
 */
function wp_kses_attr_check( &$name, &$value, &$whole, $vless, $element, $allowed_html ) {
	$name_low    = strtolower( $name );
	$element_low = strtolower( $element );

	if ( ! isset( $allowed_html[ $element_low ] ) ) {
		$name  = '';
		$value = '';
		$whole = '';
		return false;
	}

	$allowed_attr = $allowed_html[ $element_low ];

	if ( ! isset( $allowed_attr[ $name_low ] ) || '' === $allowed_attr[ $name_low ] ) {
		/*
		 * Allow `data-*` attributes.
		 *
		 * When specifying `$allowed_html`, the attribute name should be set as
		 * `data-*` (not to be mixed with the HTML 4.0 `data` attribute, see
		 * https://www.w3.org/TR/html40/struct/objects.html#adef-data).
		 *
		 * Note: the attribute name should only contain `A-Za-z0-9_-` chars,
		 * double hyphens `--` are not accepted by WordPress.
		 */
		if ( strpos( $name_low, 'data-' ) === 0 && ! empty( $allowed_attr['data-*'] ) && preg_match( '/^data(?:-[a-z0-9_]+)+$/', $name_low, $match ) ) {
			/*
			 * Add the whole attribute name to the allowed attributes and set any restrictions
			 * for the `data-*` attribute values for the current element.
			 */
			$allowed_attr[ $match[0] ] = $allowed_attr['data-*'];
		} else {
			$name  = '';
			$value = '';

Advertisement

Changelog Changelog

Changelog
Version Description
5.0.0 Add support for data-* wildcard attributes.
4.2.3 Introduced.

Advertisement

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.