wp_kses_one_attr()
Filters one HTML attribute and ensures its value is allowed.
This function can escape data in some situations where wp_kses() strips the whole attribute.
No Hooks.
Returns
String. Filtered attribute.
Usage
wp_kses_one_attr( $attr, $element );
- $attr(string) (required)
- The 'whole' attribute, including name and value.
- $element(string) (required)
- The HTML element name to which the attribute belongs.
Changelog
| Since 4.2.3 | Introduced. |
wp_kses_one_attr() source code (WP 6.8.3)
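/**
 * Filters one HTML attribute and ensures its value is allowed.
 *
 * Unlike wp_kses(), which drops an attribute it cannot accept as-is, this
 * function first normalises the value (quoting, entity escaping, protocol
 * check) and only then applies the allow-list, so an attribute that merely
 * needs escaping survives. The allow-list used is always the 'post' context,
 * whatever context the caller is in.
 *
 * Leading and trailing whitespace around the attribute is preserved in the
 * return value; an all-whitespace input is returned unchanged.
 *
 * @since 4.2.3
 *
 * @param string $attr    The 'whole' attribute, including name and value.
 * @param string $element The HTML element name to which the attribute belongs.
 * @return string Filtered attribute; only the surrounding whitespace when the
 *                attribute is not allowed on $element; '' (with no whitespace)
 *                when the value has an opening quote but no matching closing one.
 */
function wp_kses_one_attr( $attr, $element ) {
	$uris              = wp_kses_uri_attributes();
	$allowed_html      = wp_kses_allowed_html( 'post' );
	$allowed_protocols = wp_allowed_protocols();

	// Drop NUL bytes; 'keep' leaves literal "\0" escape sequences in place.
	$attr = wp_kses_no_null( $attr, array( 'slash_zero' => 'keep' ) );

	/*
	 * Preserve leading and trailing whitespace. The trailing run is measured
	 * only after the leading run has been removed, so that an all-whitespace
	 * input is not counted twice (which would double the whitespace on return).
	 */
	$matches = array();
	preg_match( '/^\s*/', $attr, $matches );
	$lead = $matches[0];
	$attr = substr( $attr, strlen( $lead ) );

	preg_match( '/\s*$/', $attr, $matches );
	$trail = $matches[0];
	if ( '' !== $trail ) {
		$attr = substr( $attr, 0, -strlen( $trail ) );
	}

	// Parse attribute name and value from input (whitespace around '=' is tolerated).
	$split = preg_split( '/\s*=\s*/', $attr, 2 );
	$name  = $split[0];

	if ( count( $split ) === 2 ) {
		$value = $split[1];

		/*
		 * Remove quotes surrounding $value.
		 * Also guarantee correct quoting in $attr for this one attribute.
		 */
		$quote = ( '' === $value ) ? '' : $value[0];

		if ( '"' === $quote || "'" === $quote ) {
			// An opening quote without a matching closing quote is malformed: reject outright.
			if ( ! str_ends_with( $value, $quote ) ) {
				return '';
			}
			$value = substr( $value, 1, -1 );
		} else {
			// Unquoted (or oddly quoted) value: it is re-emitted double-quoted below,
			// after esc_attr() has neutralised any embedded quotes.
			$quote = '"';
		}

		// Sanitize quotes, angle braces, and entities.
		$value = esc_attr( $value );

		// Sanitize URI values. Note that this runs on the already-escaped value.
		if ( in_array( strtolower( $name ), $uris, true ) ) {
			$value = wp_kses_bad_protocol( $value, $allowed_protocols );
		}

		$attr  = "$name=$quote$value$quote";
		$vless = 'n';
	} else {
		// No '=' present: a value-less attribute.
		$value = '';
		$vless = 'y';
	}

	/*
	 * Sanitize attribute by name. wp_kses_attr_check() receives $name, $value
	 * and $attr by reference and clears $attr when the attribute is not allowed
	 * on $element in the 'post' context; its return value is not needed here.
	 */
	wp_kses_attr_check( $name, $value, $attr, $vless, $element, $allowed_html );

	// Restore whitespace.
	return $lead . $attr . $trail;
}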