wp_kses_attr_check()
云策文档标注
概述
wp_kses_attr_check() 函数用于检查 HTML 属性是否被允许,是 WordPress 安全过滤机制的一部分。它通过引用传递参数,并根据允许的 HTML 列表验证属性名和值,支持 data-* 通配符属性和 style 属性的特殊处理。
关键要点
- 函数通过引用传递参数 $name、$value 和 $whole,在属性不被允许时将它们设为空字符串。
- 支持 data-* 通配符属性,需在 $allowed_html 中指定 data-* 键,且属性名需匹配正则表达式 /^data-[a-z0-9_-]+$/。
- 对 style 属性使用 safecss_filter_attr() 进行过滤,确保 CSS 规则安全。
- 如果 $allowed_attr[$name_low] 是数组,会调用 wp_kses_check_attr_val() 进行进一步值检查。
- 返回布尔值表示属性是否允许,false 时表示属性被拒绝。
代码示例
function wp_kses_attr_check( &$name, &$value, &$whole, $vless, $element, $allowed_html ) {
$name_low = strtolower( $name );
$element_low = strtolower( $element );
if ( ! isset( $allowed_html[ $element_low ] ) ) {
$name = '';
$value = '';
$whole = '';
return false;
}
$allowed_attr = $allowed_html[ $element_low ];
if ( ! isset( $allowed_attr[ $name_low ] ) || '' === $allowed_attr[ $name_low ] ) {
if ( str_starts_with( $name_low, 'data-' ) && ! empty( $allowed_attr['data-*'] )
&& preg_match( '/^data-[a-z0-9_-]+$/', $name_low, $match )
) {
$allowed_attr[ $match[0] ] = $allowed_attr['data-*'];
} else {
$name = '';
$value = '';
$whole = '';
return false;
}
}
if ( 'style' === $name_low ) {
$new_value = safecss_filter_attr( $value );
if ( empty( $new_value ) ) {
$name = '';
$value = '';
$whole = '';
return false;
}
$whole = str_replace( $value, $new_value, $whole );
$value = $new_value;
}
if ( is_array( $allowed_attr[ $name_low ] ) ) {
foreach ( $allowed_attr[ $name_low ] as $currkey => $currval ) {
if ( ! wp_kses_check_attr_val( $value, $vless, $currkey, $currval ) ) {
$name = '';
$value = '';
$whole = '';
return false;
}
}
}
return true;
}注意事项
- 参数 $vless 表示属性是否无值,应使用 'y' 或 'n' 字符串。
- data-* 属性支持从 WordPress 5.0.0 版本开始引入,需注意版本兼容性。
- 函数内部依赖 safecss_filter_attr() 和 wp_kses_check_attr_val() 进行特定检查和过滤。
原文内容
Determines whether an attribute is allowed.
Parameters
$namestringrequired-
The attribute name. Passed by reference. Returns empty string when not allowed.
$valuestringrequired-
The attribute value. Passed by reference. Returns a filtered value.
$wholestringrequired-
The
name=valueinput. Passed by reference. Returns filtered input. $vlessstringrequired-
Whether the attribute is valueless. Use
'y'or'n'. $elementstringrequired-
The name of the element to which this attribute belongs.
$allowed_htmlarrayrequired-
The full list of allowed elements and attributes.
Source
function wp_kses_attr_check( &$name, &$value, &$whole, $vless, $element, $allowed_html ) {
$name_low = strtolower( $name );
$element_low = strtolower( $element );
if ( ! isset( $allowed_html[ $element_low ] ) ) {
$name = '';
$value = '';
$whole = '';
return false;
}
$allowed_attr = $allowed_html[ $element_low ];
if ( ! isset( $allowed_attr[ $name_low ] ) || '' === $allowed_attr[ $name_low ] ) {
/*
* Allow `data-*` attributes.
*
* When specifying `$allowed_html`, the attribute name should be set as
* `data-*` (not to be mixed with the HTML 4.0 `data` attribute, see
* https://www.w3.org/TR/html40/struct/objects.html#adef-data).
*
* Note: the attribute name should only contain `A-Za-z0-9_-` chars.
*/
if ( str_starts_with( $name_low, 'data-' ) && ! empty( $allowed_attr['data-*'] )
&& preg_match( '/^data-[a-z0-9_-]+$/', $name_low, $match )
) {
/*
* Add the whole attribute name to the allowed attributes and set any restrictions
* for the `data-*` attribute values for the current element.
*/
$allowed_attr[ $match[0] ] = $allowed_attr['data-*'];
} else {
$name = '';
$value = '';
$whole = '';
return false;
}
}
if ( 'style' === $name_low ) {
$new_value = safecss_filter_attr( $value );
if ( empty( $new_value ) ) {
$name = '';
$value = '';
$whole = '';
return false;
}
$whole = str_replace( $value, $new_value, $whole );
$value = $new_value;
}
if ( is_array( $allowed_attr[ $name_low ] ) ) {
// There are some checks.
foreach ( $allowed_attr[ $name_low ] as $currkey => $currval ) {
if ( ! wp_kses_check_attr_val( $value, $vless, $currkey, $currval ) ) {
$name = '';
$value = '';
$whole = '';
return false;
}
}
}
return true;
}