wp_kses_one_attr( string $string, string $element )
Filters one HTML attribute and ensures its value is allowed.
Description
This function can escape data in some situations where wp_kses()
must strip the whole attribute.
Parameters
- $string
-
(string) (Required) The 'whole' attribute, including name and value.
- $element
-
(string) (Required) The HTML element name to which the attribute belongs.
Return
(string) Filtered attribute.
Source
File: wp-includes/kses.php
function wp_kses_one_attr( $string, $element ) { $uris = wp_kses_uri_attributes(); $allowed_html = wp_kses_allowed_html( 'post' ); $allowed_protocols = wp_allowed_protocols(); $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) ); // Preserve leading and trailing whitespace. $matches = array(); preg_match( '/^\s*/', $string, $matches ); $lead = $matches[0]; preg_match( '/\s*$/', $string, $matches ); $trail = $matches[0]; if ( empty( $trail ) ) { $string = substr( $string, strlen( $lead ) ); } else { $string = substr( $string, strlen( $lead ), -strlen( $trail ) ); } // Parse attribute name and value from input. $split = preg_split( '/\s*=\s*/', $string, 2 ); $name = $split[0]; if ( count( $split ) == 2 ) { $value = $split[1]; // Remove quotes surrounding $value. // Also guarantee correct quoting in $string for this one attribute. if ( '' === $value ) { $quote = ''; } else { $quote = $value[0]; } if ( '"' === $quote || "'" === $quote ) { if ( substr( $value, -1 ) != $quote ) { return ''; } $value = substr( $value, 1, -1 ); } else { $quote = '"'; } // Sanitize quotes, angle braces, and entities. $value = esc_attr( $value ); // Sanitize URI values. if ( in_array( strtolower( $name ), $uris, true ) ) { $value = wp_kses_bad_protocol( $value, $allowed_protocols ); } $string = "$name=$quote$value$quote"; $vless = 'n'; } else { $value = ''; $vless = 'y'; } // Sanitize attribute by name. wp_kses_attr_check( $name, $value, $string, $vless, $element, $allowed_html ); // Restore whitespace. return $lead . $string . $trail; }
Changelog
Version | Description |
---|---|
4.2.3 | Introduced. |
© 2003–2021 WordPress Foundation
Licensed under the GNU GPLv2+ License.
https://developer.wordpress.org/reference/functions/wp_kses_one_attr