wp_kses_attr_check() WordPress Function

The wp_kses_attr_check() function checks whether an attribute name and value are valid according to the Kses HTML attribute validation rules. It returns true if the attribute is allowed and false otherwise. $name, $value and $whole are passed by reference: when the attribute is rejected all three are set to empty strings, and a style value is replaced by its filtered form.

wp_kses_attr_check( string $name, string $value, string $whole, string $vless, string $element, array $allowed_html )

Determines whether an attribute is allowed.


Parameters

$name

(string) (Required) The attribute name. Passed by reference. Returns empty string when not allowed.

$value

(string) (Required) The attribute value. Passed by reference. Returns a filtered value.

$whole

(string) (Required) The name=value input. Passed by reference. Returns filtered input.

$vless

(string) (Required) Whether the attribute is valueless. Use 'y' or 'n'.

$element

(string) (Required) The name of the element to which this attribute belongs.

$allowed_html

(array) (Required) The full list of allowed elements and attributes.



Return

(bool) Whether or not the attribute is allowed.



Source

File: wp-includes/kses.php

function wp_kses_attr_check( &$name, &$value, &$whole, $vless, $element, $allowed_html ) {
	$name_low    = strtolower( $name );
	$element_low = strtolower( $element );

	if ( ! isset( $allowed_html[ $element_low ] ) ) {
		$name  = '';
		$value = '';
		$whole = '';
		return false;
	}

	$allowed_attr = $allowed_html[ $element_low ];

	if ( ! isset( $allowed_attr[ $name_low ] ) || '' === $allowed_attr[ $name_low ] ) {
		/*
		 * Allow `data-*` attributes.
		 *
		 * When specifying `$allowed_html`, the attribute name should be set as
		 * `data-*` (not to be mixed with the HTML 4.0 `data` attribute, see
		 * https://www.w3.org/TR/html40/struct/objects.html#adef-data).
		 *
		 * Note: the attribute name should only contain `A-Za-z0-9_-` chars,
		 * double hyphens `--` are not accepted by WordPress.
		 */
		if ( strpos( $name_low, 'data-' ) === 0 && ! empty( $allowed_attr['data-*'] )
			&& preg_match( '/^data(?:-[a-z0-9_]+)+$/', $name_low, $match )
		) {
			/*
			 * Add the whole attribute name to the allowed attributes and set any restrictions
			 * for the `data-*` attribute values for the current element.
			 */
			$allowed_attr[ $match[0] ] = $allowed_attr['data-*'];
		} else {
			$name  = '';
			$value = '';
			$whole = '';
			return false;
		}
	}

	if ( 'style' === $name_low ) {
		$new_value = safecss_filter_attr( $value );

		if ( empty( $new_value ) ) {
			$name  = '';
			$value = '';
			$whole = '';
			return false;
		}

		$whole = str_replace( $value, $new_value, $whole );
		$value = $new_value;
	}

	if ( is_array( $allowed_attr[ $name_low ] ) ) {
		// There are some checks.
		foreach ( $allowed_attr[ $name_low ] as $currkey => $currval ) {
			if ( ! wp_kses_check_attr_val( $value, $vless, $currkey, $currval ) ) {
				$name  = '';
				$value = '';
				$whole = '';
				return false;
			}
		}
	}

	return true;
}
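
The following is an added example, not part of the original page or of WordPress core. It exercises each rejection path in the source above (unlisted element, unlisted attribute, malformed data-* name, failed value check) and prints the by-reference results next to the return value. The allow-list, the sample inputs and the helper demo_attr_check() are constructed for illustration, and the script assumes WordPress is already loaded, for instance by running it with `wp eval-file`.

```php
<?php
// Added example, not WordPress core code. Assumes WordPress is loaded,
// e.g. saved as attr-check-demo.php and run with `wp eval-file attr-check-demo.php`.

// Constructed allow-list for illustration.
$allowed_html = array(
	'a' => array(
		'href'   => true,
		'title'  => array( 'maxlen' => 20 ), // enforced via wp_kses_check_attr_val()
		'data-*' => true,                    // wildcard entry, supported since 5.0.0
	),
);

// Hypothetical helper: builds $whole, runs the check, and returns the
// boolean result together with the values left in the by-reference arguments.
function demo_attr_check( $name, $value, $element, $allowed_html ) {
	$whole = sprintf( '%s="%s"', $name, $value );
	$ok    = wp_kses_attr_check( $name, $value, $whole, 'n', $element, $allowed_html );
	return array( 'allowed' => $ok, 'name' => $name, 'value' => $value, 'whole' => $whole );
}

// Constructed sample inputs: array( attribute name, value, element ).
$cases = array(
	array( 'HREF', 'https://example.org/', 'A' ),      // mixed-case name and element
	array( 'onclick', 'track()', 'a' ),                // attribute absent from the allow-list
	array( 'data-user-id', '42', 'a' ),                // name covered by the data-* wildcard
	array( 'data--user', '42', 'a' ),                  // double hyphen in a data-* name
	array( 'title', str_repeat( 'x', 21 ), 'a' ),      // value longer than maxlen
	array( 'href', 'https://example.org/', 'script' ), // element absent from the allow-list
);

foreach ( $cases as $case ) {
	list( $name, $value, $element ) = $case;
	$result = demo_attr_check( $name, $value, $element, $allowed_html );
	printf(
		"%-8s %-14s => %s (name=%s, whole=%s)\n",
		$element,
		$name,
		$result['allowed'] ? 'allowed' : 'rejected',
		var_export( $result['name'], true ),
		var_export( $result['whole'], true )
	);
}
```

Callers that reassemble markup should rely on the return value and on the blanked $whole rather than on their original input string, since a rejected attribute leaves all three by-reference arguments empty.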



Changelog

Version    Description
5.0.0      Added support for data-* wildcard attributes.
4.2.3      Introduced.

The content displayed on this page has been created in part by processing WordPress source code files which are made available under the GPLv2 (or a later version) license by the Free Software Foundation. In addition to this, the content includes user-written examples and information. All material is subject to review and curation by the WPPaste.com community.