wp_kses_attr_check() – Determines whether an attribute is allowed.

Description

Determines whether an attribute is allowed.

Usage

$bool = wp_kses_attr_check( $name, $value, $whole, $vless, $element, $allowed_html );

Parameters

$name
( string ) required – The attribute name. Passed by reference. Returns empty string when not allowed.
$value
( string ) required – The attribute value. Passed by reference. Returns a filtered value.
$whole
( string ) required – The name=value input. Passed by reference. Returns filtered input.
$vless
( string ) required – Whether the attribute is valueless. Use 'y' or 'n'.
$element
( string ) required – The name of the element to which this attribute belongs.
$allowed_html
( array ) required – The full list of allowed elements and attributes.

Returns

bool Whether or not the attribute is allowed.

Source

File name: wordpress/wp-includes/kses.php
function wp_kses_attr_check( &$name, &$value, &$whole, $vless, $element, $allowed_html ) {
  $name_low    = strtolower( $name );
  $element_low = strtolower( $element );

  if ( ! isset( $allowed_html[ $element_low ] ) ) {
    $name  = '';
    $value = '';
    $whole = '';
    return false;
  }

  $allowed_attr = $allowed_html[ $element_low ];

  if ( ! isset( $allowed_attr[ $name_low ] ) || '' === $allowed_attr[ $name_low ] ) {
    /*
     * Allow `data-*` attributes.
     *
     * When specifying `$allowed_html`, the attribute name should be set as
     * `data-*` (not to be mixed with the HTML 4.0 `data` attribute, see
     * https://www.w3.org/TR/html40/struct/objects.html#adef-data).
     *
     * Note: the attribute name should only contain `A-Za-z0-9_-` chars,
     * double hyphens `--` are not accepted by WordPress.
     */
    if ( str_starts_with( $name_low, 'data-' ) && ! empty( $allowed_attr['data-*'] )
      && preg_match( '/^data(?:-[a-z0-9_]+)+$/', $name_low, $match )
    ) {
      /*
       * Add the whole attribute name to the allowed attributes and set any restrictions
       * for the `data-*` attribute values for the current element.
       */
      $allowed_attr[ $match[0] ] = $allowed_attr['data-*'];
    } else {
      $name  = '';
      $value = '';
      $whole = '';
      return false;
    }
  }

  if ( 'style' === $name_low ) {
    $new_value = safecss_filter_attr( $value );

    if ( empty( $new_value ) ) {
      $name  = '';
      $value = '';
      $whole = '';
      return false;
    }

    $whole = str_replace( $value, $new_value, $whole );
    $value = $new_value;
  }

  if ( is_array( $allowed_attr[ $name_low ] ) ) {
    // There are some checks.
    foreach ( $allowed_attr[ $name_low ] as $currkey => $currval ) {
      if ( ! wp_kses_check_attr_val( $value, $vless, $currkey, $currval ) ) {
        $name  = '';
        $value = '';
        $whole = '';
        return false;
      }
    }
  }

  return true;
}
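
Example

The following is an added example, not part of WordPress core or of the original page. It runs the function over a constructed `$allowed_html` policy to show which branch of the source above accepts or rejects each attribute. It assumes WordPress is already loaded (for instance through WP-CLI's `wp eval-file`); the helper `demo_attr_check()`, the file name and all sample values are made up for illustration.

```php
<?php
// Added example, not WordPress core code. Assumes WordPress is already loaded
// (for instance `wp eval-file attr-check-demo.php`; the file name is made up).

// Constructed policy: only <a> is allowed, with three attribute rules.
$allowed_html = array(
	'a' => array(
		'href'   => true,                     // allowed; this function applies no value checks to it
		'title'  => array( 'maxlen' => 10 ),  // value checks run through wp_kses_check_attr_val()
		'data-*' => true,                     // wildcard entry for data attributes
	),
);

// Hypothetical helper: the first three arguments of wp_kses_attr_check() are
// references, so they must be variables; rejected input comes back emptied.
function demo_attr_check( $element, $name, $value, $allowed_html ) {
	$whole   = sprintf( '%s="%s"', $name, $value );
	$allowed = wp_kses_attr_check( $name, $value, $whole, 'n', $element, $allowed_html );
	return compact( 'allowed', 'name', 'value', 'whole' );
}

// Constructed sample input: element, attribute name, attribute value.
$cases = array(
	array( 'a', 'href', 'https://example.com/' ),          // attribute listed in the policy
	array( 'a', 'onclick', 'track()' ),                    // attribute not listed for <a>
	array( 'a', 'DATA-User-Id', '42' ),                    // lowercased, then matched against data-*
	array( 'a', 'data--id', '42' ),                        // double hyphen fails the name pattern
	array( 'a', 'title', 'short' ),                        // within the maxlen check
	array( 'a', 'title', 'longer than ten chars' ),        // exceeds the maxlen check
	array( 'script', 'src', 'https://example.com/x.js' ),  // element missing from the policy
);

foreach ( $cases as $case ) {
	list( $element, $name, $value ) = $case;
	$result = demo_attr_check( $element, $name, $value, $allowed_html );
	printf(
		"<%s %s> allowed=%s whole=%s\n",
		$element,
		$name,
		var_export( $result['allowed'], true ),
		var_export( $result['whole'], true )
	);
}
```

A rejected attribute is reported twice: the return value is `false`, and `$name`, `$value` and `$whole` are emptied through the references, so callers must not reuse the original strings after a failed check.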