wp_kses_attr_check( string $name, string $value, string $whole, string $vless, string $element, array $allowed_html ): bool
Determines whether an attribute is allowed.
Parameters
$name string Required
The attribute name. Passed by reference. Returns empty string when not allowed.
$value string Required
The attribute value. Passed by reference. Returns a filtered value.
$whole string Required
The `name=value` input. Passed by reference. Returns filtered input.
$vless string Required
Whether the attribute is valueless. Use `'y'` or `'n'`.
$element string Required
The name of the element to which this attribute belongs.
$allowed_html array Required
The full list of allowed elements and attributes.
Return
bool Whether or not the attribute is allowed.
Source
File: wp-includes/kses.php.
```php
function wp_kses_attr_check( &$name, &$value, &$whole, $vless, $element, $allowed_html ) {
	$name_low    = strtolower( $name );
	$element_low = strtolower( $element );

	if ( ! isset( $allowed_html[ $element_low ] ) ) {
		$name  = '';
		$value = '';
		$whole = '';
		return false;
	}

	$allowed_attr = $allowed_html[ $element_low ];

	if ( ! isset( $allowed_attr[ $name_low ] ) || '' === $allowed_attr[ $name_low ] ) {
		/*
		 * Allow `data-*` attributes.
		 *
		 * When specifying `$allowed_html`, the attribute name should be set as
		 * `data-*` (not to be mixed with the HTML 4.0 `data` attribute, see
		 * https://www.w3.org/TR/html40/struct/objects.html#adef-data).
		 *
		 * Note: the attribute name should only contain `A-Za-z0-9_-` chars,
		 * double hyphens `--` are not accepted by WordPress.
		 */
		if ( strpos( $name_low, 'data-' ) === 0 && ! empty( $allowed_attr['data-*'] )
			&& preg_match( '/^data(?:-[a-z0-9_]+)+$/', $name_low, $match )
		) {
			/*
			 * Add the whole attribute name to the allowed attributes and set any restrictions
			 * for the `data-*` attribute values for the current element.
			 */
			$allowed_attr[ $match[0] ] = $allowed_attr['data-*'];
		} else {
			$name  = '';
			$value = '';
			$whole = '';
			return false;
		}
	}

	if ( 'style' === $name_low ) {
		$new_value = safecss_filter_attr( $value );

		if ( empty( $new_value ) ) {
			$name  = '';
			$value = '';
			$whole = '';
			return false;
		}

		$whole = str_replace( $value, $new_value, $whole );
		$value = $new_value;
	}

	if ( is_array( $allowed_attr[ $name_low ] ) ) {
		// There are some checks.
		foreach ( $allowed_attr[ $name_low ] as $currkey => $currval ) {
			if ( ! wp_kses_check_attr_val( $value, $vless, $currkey, $currval ) ) {
				$name  = '';
				$value = '';
				$whole = '';
				return false;
			}
		}
	}

	return true;
}
```
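Added example (not WordPress core code): a script that calls wp_kses_attr_check() with a constructed allow-list, one input per branch of the source above, and prints the return value together with the by-reference arguments after the call. It assumes WordPress is already loaded, for instance through WP-CLI's `wp eval-file`; the allow-list, the inputs and the file name are constructed for illustration.

```php
<?php
// Added example, not WordPress core code. Assumes WordPress is loaded,
// e.g. run as: wp eval-file kses-attr-demo.php (file name is hypothetical).

// Constructed allow-list in the same shape wp_kses() takes.
$allowed_html = array(
	'a'    => array(
		'href'   => true,
		'title'  => array( 'maxlen' => 20 ), // Value check run by wp_kses_check_attr_val().
		'data-*' => true,                    // Wildcard resolved inside wp_kses_attr_check().
	),
	'span' => array( 'style' => true ),
);

// Constructed inputs: label, element, attribute name, value, valueless flag.
$cases = array(
	array( 'listed attribute, mixed case', 'A', 'HREF', 'https://example.com/', 'n' ),
	array( 'attribute not listed for <a>', 'a', 'onclick', 'x', 'n' ),
	array( 'element not in allow-list', 'img', 'src', 'x.png', 'n' ),
	array( 'title longer than maxlen', 'a', 'title', str_repeat( 'x', 25 ), 'n' ),
	array( 'data-* with single hyphens', 'a', 'data-user-id', '42', 'n' ),
	array( 'data-* with double hyphen', 'a', 'data--id', '42', 'n' ),
	array( 'style sent to safecss_filter_attr()', 'span', 'style', 'color: red; unknown-prop: 1', 'n' ),
);

foreach ( $cases as $case ) {
	list( $label, $element, $name, $value, $vless ) = $case;

	// Build the `name="value"` text that the $whole parameter expects.
	$whole = $name . '="' . $value . '"';

	// $name, $value and $whole are passed by reference: the function may
	// rewrite them (style filtering) or empty all three (rejection).
	$ok = wp_kses_attr_check( $name, $value, $whole, $vless, $element, $allowed_html );

	printf(
		"%-38s allowed=%s name=%s whole=%s\n",
		$label,
		var_export( $ok, true ),
		var_export( $name, true ),
		var_export( $whole, true )
	);
}
```

Callers that ignore the boolean and reuse `$whole` after the call still get an empty string on rejection, which is why all three reference arguments are cleared together in every failure branch.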
Related
Uses
| Uses | Description |
|---|---|
| safecss_filter_attr() wp-includes/kses.php | Filters an inline style attribute and removes disallowed rules. |
| wp_kses_check_attr_val() wp-includes/kses.php | Performs different checks for attribute values. |
Used By
| Used By | Description |
|---|---|
| wp_kses_one_attr() wp-includes/kses.php | Filters one HTML attribute and ensures its value is allowed. |
| wp_kses_attr() wp-includes/kses.php | Removes all attributes, if none are allowed for this element. |
Changelog
© 2003–2022 WordPress Foundation
Licensed under the GNU GPLv2+ License.
https://developer.wordpress.org/reference/functions/wp_kses_attr_check