W3cubDocs

/WordPress

wp_kses_attr_check( string $name, string $value, string $whole, string $vless, string $element, array $allowed_html )

Determines whether an attribute is allowed.

Parameters

$name

(string) (Required) The attribute name. Passed by reference. Returns empty string when not allowed.

$value

(string) (Required) The attribute value. Passed by reference. Returns a filtered value.

$whole

(string) (Required) The name=value input. Passed by reference. Returns filtered input.

$vless

(string) (Required) Whether the attribute is valueless. Use 'y' or 'n'.

$element

(string) (Required) The name of the element to which this attribute belongs.

$allowed_html

(array) (Required) The full list of allowed elements and attributes.

Return

(bool) Whether or not the attribute is allowed.

Source

File: wp-includes/kses.php 

function wp_kses_attr_check( &$name, &$value, &$whole, $vless, $element, $allowed_html ) {
	$name_low    = strtolower( $name );
	$element_low = strtolower( $element );

	if ( ! isset( $allowed_html[ $element_low ] ) ) {
		$name  = '';
		$value = '';
		$whole = '';
		return false;
	}

	$allowed_attr = $allowed_html[ $element_low ];

	if ( ! isset( $allowed_attr[ $name_low ] ) || '' === $allowed_attr[ $name_low ] ) {
		/*
		 * Allow `data-*` attributes.
		 *
		 * When specifying `$allowed_html`, the attribute name should be set as
		 * `data-*` (not to be mixed with the HTML 4.0 `data` attribute, see
		 * https://www.w3.org/TR/html40/struct/objects.html#adef-data).
		 *
		 * Note: the attribute name should only contain `A-Za-z0-9_-` chars,
		 * double hyphens `--` are not accepted by WordPress.
		 */
		if ( strpos( $name_low, 'data-' ) === 0 && ! empty( $allowed_attr['data-*'] ) && preg_match( '/^data(?:-[a-z0-9_]+)+$/', $name_low, $match ) ) {
			/*
			 * Add the whole attribute name to the allowed attributes and set any restrictions
			 * for the `data-*` attribute values for the current element.
			 */
			$allowed_attr[ $match[0] ] = $allowed_attr['data-*'];
		} else {
			$name  = '';
			$value = '';
			$whole = '';
			return false;
		}
	}

	if ( 'style' === $name_low ) {
		$new_value = safecss_filter_attr( $value );

		if ( empty( $new_value ) ) {
			$name  = '';
			$value = '';
			$whole = '';
			return false;
		}

		$whole = str_replace( $value, $new_value, $whole );
		$value = $new_value;
	}

	if ( is_array( $allowed_attr[ $name_low ] ) ) {
		// There are some checks.
		foreach ( $allowed_attr[ $name_low ] as $currkey => $currval ) {
			if ( ! wp_kses_check_attr_val( $value, $vless, $currkey, $currval ) ) {
				$name  = '';
				$value = '';
				$whole = '';
				return false;
			}
		}
	}

	return true;
}

Uses

Uses Description
wp-includes/kses.php: safecss_filter_attr()

Filters an inline style attribute and removes disallowed rules.
wp-includes/kses.php: wp_kses_check_attr_val()

Performs different checks for attribute values.

Used By

Used By Description
wp-includes/kses.php: wp_kses_one_attr()

Filters one HTML attribute and ensures its value is allowed.
wp-includes/kses.php: wp_kses_attr()

Removes all attributes, if none are allowed for this element.

Changelog

Version Description
5.0.0 Add support for data-* wildcard attributes.
4.2.3 Introduced.

© 2003–2019 WordPress Foundation
Licensed under the GNU GPLv2+ License.
https://developer.wordpress.org/reference/functions/wp_kses_attr_check