wp_kses_one_attr() WordPress Function
The wp_kses_one_attr() function is used to sanitize a single HTML attribute. It takes two arguments: an attribute name and a string containing the attribute value. The function performs the following actions: - Checks that the attribute name is a valid HTML attribute. - Strips any invalid characters from the attribute value. - Checks that the attribute value is a valid URL if the attribute name is "href" or "src". - Returns a sanitized attribute value. This function is used to ensure that user-supplied data is safe to use in a Wordpress site. It is called by the wp_kses() function, which sanitizes an entire HTML string.
wp_kses_one_attr( string $string, string $element ) #
Filters one HTML attribute and ensures its value is allowed.
Description
This function can escape data in some situations where wp_kses() must strip the whole attribute.
Parameters
- $string
(string)(Required)The 'whole' attribute, including name and value.
- $element
(string)(Required)The HTML element name to which the attribute belongs.
Return
(string) Filtered attribute.
Source
File: wp-includes/kses.php
function wp_kses_one_attr( $string, $element ) {
$uris = wp_kses_uri_attributes();
$allowed_html = wp_kses_allowed_html( 'post' );
$allowed_protocols = wp_allowed_protocols();
$string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
// Preserve leading and trailing whitespace.
$matches = array();
preg_match( '/^\s*/', $string, $matches );
$lead = $matches[0];
preg_match( '/\s*$/', $string, $matches );
$trail = $matches[0];
if ( empty( $trail ) ) {
$string = substr( $string, strlen( $lead ) );
} else {
$string = substr( $string, strlen( $lead ), -strlen( $trail ) );
}
// Parse attribute name and value from input.
$split = preg_split( '/\s*=\s*/', $string, 2 );
$name = $split[0];
if ( count( $split ) == 2 ) {
$value = $split[1];
// Remove quotes surrounding $value.
// Also guarantee correct quoting in $string for this one attribute.
if ( '' === $value ) {
$quote = '';
} else {
$quote = $value[0];
}
if ( '"' === $quote || "'" === $quote ) {
if ( substr( $value, -1 ) != $quote ) {
return '';
}
$value = substr( $value, 1, -1 );
} else {
$quote = '"';
}
// Sanitize quotes, angle braces, and entities.
$value = esc_attr( $value );
// Sanitize URI values.
if ( in_array( strtolower( $name ), $uris, true ) ) {
$value = wp_kses_bad_protocol( $value, $allowed_protocols );
}
$string = "$name=$quote$value$quote";
$vless = 'n';
} else {
$value = '';
$vless = 'y';
}
// Sanitize attribute by name.
wp_kses_attr_check( $name, $value, $string, $vless, $element, $allowed_html );
// Restore whitespace.
return $lead . $string . $trail;
}
Expand full source codeCollapse full source codeView on TracView on GitHub
Changelog
| Version | Description |
|---|---|
| 4.2.3 | Introduced. |