wp_kses_one_attr() – Filters one HTML attribute and ensures its value is allowed.


Description

Filters one HTML attribute and ensures its value is allowed.

This function can escape data in some situations where wp_kses() must strip the whole attribute.

Usage

$string = wp_kses_one_attr( $string, $element );

Parameters

$string
( string ) required – The 'whole' attribute, including name and value.
$element
( string ) required – The HTML element name to which the attribute belongs.

Returns

string Filtered attribute.

Source

File name: wordpress/wp-includes/kses.php
Lines: 1 to 61 of 61
function wp_kses_one_attr( $string, $element ) {
  $uris              = wp_kses_uri_attributes();
  $allowed_html      = wp_kses_allowed_html( 'post' );
  $allowed_protocols = wp_allowed_protocols();
  $string            = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );

  // Preserve leading and trailing whitespace.
  $matches = array();
  preg_match( '/^\s*/', $string, $matches );
  $lead = $matches[0];
  preg_match( '/\s*$/', $string, $matches );
  $trail = $matches[0];
  if ( empty( $trail ) ) {
    $string = substr( $string, strlen( $lead ) );
  } else {
    $string = substr( $string, strlen( $lead ), -strlen( $trail ) );
  }

  // Parse attribute name and value from input.
  $split = preg_split( '/\s*=\s*/', $string, 2 );
  $name  = $split[0];
  if ( count( $split ) == 2 ) {
    $value = $split[1];

    // Remove quotes surrounding $value.
    // Also guarantee correct quoting in $string for this one attribute.
    if ( '' === $value ) {
      $quote = '';
    } else {
      $quote = $value[0];
    }
    if ( '"' === $quote || "'" === $quote ) {
      if ( substr( $value, -1 ) != $quote ) {
        return '';
      }
      $value = substr( $value, 1, -1 );
    } else {
      $quote = '"';
    }

    // Sanitize quotes, angle braces, and entities.
    $value = esc_attr( $value );

    // Sanitize URI values.
    if ( in_array( strtolower( $name ), $uris, true ) ) {
      $value = wp_kses_bad_protocol( $value, $allowed_protocols );
    }

    $string = "$name=$quote$value$quote";
    $vless  = 'n';
  } else {
    $value = '';
    $vless = 'y';
  }

  // Sanitize attribute by name.
  wp_kses_attr_check( $name, $value, $string, $vless, $element, $allowed_html );

  // Restore whitespace.
  return $lead . $string . $trail;
}
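The source above shows the contract a caller gets: a single "name=value" string goes in, a re-quoted and escaped attribute comes out, and an empty string comes back when the attribute is not allowed on $element in the 'post' context (wp_kses_attr_check() blanks $string by reference) or when the quoting is malformed. The following is an added example, not WordPress core code, of using that contract to assemble one tag from untrusted values attribute by attribute. It assumes WordPress is loaded (for instance run with wp-cli's eval-file, or from a plugin); the helper example_build_safe_tag() and the sample input array are constructed for this example.

```php
<?php
// Added example, not WordPress core code. Assumes WordPress is loaded so that
// wp_kses_one_attr() and its dependencies (esc_attr, wp_kses_bad_protocol,
// wp_kses_attr_check) are available.

/**
 * Build an opening tag for $element from an associative array of
 * attribute name => untrusted value, keeping only what kses allows.
 * (Constructed helper for this example.)
 */
function example_build_safe_tag( $element, array $attrs ) {
    $kept = array();
    foreach ( $attrs as $name => $value ) {
        // Wrap the raw value in double quotes so the first/last-character
        // quote check in wp_kses_one_attr() always passes; any quotes or
        // angle brackets inside the value are escaped by esc_attr().
        $whole = $name . '="' . $value . '"';
        $clean = wp_kses_one_attr( $whole, $element );

        // Empty result: attribute not allowed on $element for the 'post'
        // context (the only context this function consults), so drop it.
        if ( '' !== $clean ) {
            $kept[] = $clean;
        }
    }
    return '<' . $element . ( $kept ? ' ' . implode( ' ', $kept ) : '' ) . '>';
}

// Constructed untrusted input: a URI with a protocol that is not in
// wp_allowed_protocols(), an event-handler attribute that the 'post'
// allow-list does not permit on <a>, and a value containing a quote and
// an angle bracket.
$untrusted = array(
    'href'    => 'javascript:void(0)',
    'onclick' => 'doSomething()',
    'title'   => 'say "hi" <b>',
    'rel'     => 'nofollow',
);

echo example_build_safe_tag( 'a', $untrusted ), "\n";

// Whitespace around the attribute is preserved, which matters when the
// caller concatenates several sanitized attributes into one tag.
echo '<a' . wp_kses_one_attr( ' href="https://example.com/" ', 'a' ) . '>', "\n";
```

Two caveats follow directly from the source: the allowed-attribute list is fixed to wp_kses_allowed_html( 'post' ), so this function cannot be used with a custom $allowed_html array, and the mismatched-quote branch returns '' without the preserved $lead and $trail, so a caller that splits a tag on whitespace and reassembles it should not assume the surrounding spaces survive in that case.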
 

 View on GitHub View on Trac