sudar/kses.php

Created Aug 4, 2020
Sample code to demonstrate the issue with wp_kses and allowed_html when sanitizing SVGs that contain attributes with numbers at the end (x1, y1).
<?php
/**
 * Sample code to demonstrate the issue with wp_kses and allowed_html for sanitizing SVGs that contain attributes with numbers at the end.
 *
 * Run inside WordPress (for example from a plugin file or via `wp eval-file`) so that wp_kses() is loaded.
 */
$svg = <<<SVG
<svg>
<path x1="10" y1="10"/>
</svg>
SVG;

// wp_kses() looks attributes up by name as array keys with a truthy value, e.g. 'x1' => true.
// A plain list ( 'x1', 'y1' ) has the keys 0 and 1, so the lookup for 'x1' fails and the
// attributes are stripped for that reason alone, whatever else wp_kses does with the digits.
$allowed_html = [
	'svg'  => [],
	'path' => [
		'x1' => true,
		'y1' => true,
	],
];
$sanitized_svg = wp_kses( $svg, $allowed_html );
echo $sanitized_svg; // If wp_kses mishandles digit-suffixed attribute names, x1 and y1 are missing here.

// Do not compare the whole string: wp_kses rewrites the self-closing tag as `<path ... />`
// (space before the slash), so input and output differ even when every attribute survives.
// Check for the attributes themselves instead.
$attributes_survived = ( false !== strpos( $sanitized_svg, 'x1="10"' ) )
	&& ( false !== strpos( $sanitized_svg, 'y1="10"' ) );
if ( ! $attributes_survived ) {
	echo 'The wp_kses function removes any attributes that have numbers at the end.';
} else {
	echo 'Everything works as expected.';
}
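The gist above can only be run inside WordPress, and it conflates two separate reasons why `x1` and `y1` can vanish from `<path>`: the shape of the allow-list passed as `$allowed_html`, and the pattern the kses tokenizer uses to recognise an attribute name. The stand-alone PHP below is an added example, not part of the original gist and not WordPress core code: it implements a minimal kses-style attribute filter with the same allow-list lookup (`isset( $allowed[ $element ][ $name ] )`) and runs the gist's `<path>` through it under both failure modes. The two name patterns `NAME_LETTERS_ONLY` and `NAME_WITH_DIGITS`, and the "drop one character and continue" recovery in `tokenize_attributes()`, are assumptions chosen to illustrate the behaviour; compare them against `wp_kses_hair()` in your installed `wp-includes/kses.php` before drawing conclusions about a specific WordPress version.

```php
<?php
/**
 * Added example (not from the original gist, not WordPress core code).
 * A minimal kses-style attribute filter showing two independent reasons
 * x1/y1 can be stripped from <path>: the allow-list shape and the
 * attribute-name pattern. Both regexes below are assumptions for illustration.
 */

// Attribute-name patterns (assumed for illustration, not copied from WordPress).
const NAME_LETTERS_ONLY = '/^([-a-zA-Z:]+)/';                // digits not allowed anywhere
const NAME_WITH_DIGITS  = '/^([_a-zA-Z][-_a-zA-Z0-9:.]*)/';  // digits allowed after the first char

/**
 * Tokenise the attribute string of one tag into name => value pairs.
 * A character the name pattern cannot consume is dropped and parsing resumes,
 * which is how a digit-less pattern turns x1="10" into a value-less "x".
 */
function tokenize_attributes( string $attr, string $name_re ): array {
	$out  = [];
	$attr = trim( $attr );
	while ( $attr !== '' ) {
		if ( preg_match( $name_re, $attr, $m ) ) {
			$name = strtolower( $m[1] );
			$attr = substr( $attr, strlen( $m[1] ) );
			if ( preg_match( '/^\s*=\s*"([^"]*)"/', $attr, $v )
				|| preg_match( "/^\s*=\s*'([^']*)'/", $attr, $v )
				|| preg_match( '/^\s*=\s*([^\s"\']+)/', $attr, $v ) ) {
				$out[ $name ] = $v[1];
				$attr         = substr( $attr, strlen( $v[0] ) );
			} else {
				$out[ $name ] = null; // value-less attribute
			}
		} else {
			$attr = substr( $attr, 1 ); // unparseable character: drop it and carry on
		}
		$attr = ltrim( $attr );
	}
	return $out;
}

/**
 * Rebuild one tag, keeping only attributes whose lowercase name is a key of
 * $allowed[ $element ] with a truthy value. This is the lookup that makes the
 * list form [ 'x1', 'y1' ] (keys 0 and 1) reject every attribute.
 * Simplification: no protocol or entity handling, unlike real kses.
 */
function filter_tag( string $element, string $attr, array $allowed, string $name_re ): string {
	$self_closing = (bool) preg_match( '%\s*/\s*$%', $attr );
	$attr         = preg_replace( '%\s*/\s*$%', '', $attr );
	$allowed_attr = $allowed[ strtolower( $element ) ] ?? [];
	$kept         = '';
	foreach ( tokenize_attributes( $attr, $name_re ) as $name => $value ) {
		if ( empty( $allowed_attr[ $name ] ) ) {
			continue; // name is not an allowed key: dropped, as wp_kses would
		}
		$kept .= ' ' . $name
			. ( null === $value ? '' : '="' . htmlspecialchars( $value, ENT_QUOTES ) . '"' );
	}
	return '<' . $element . $kept . ( $self_closing ? ' />' : '>' );
}

// Constructed input: the attribute string of the gist's <path> tag, slash included.
$path_attr = ' x1="10" y1="10"/';

$list_form = [ 'path' => [ 'x1', 'y1' ] ];               // keys are 0 and 1, not 'x1' and 'y1'
$map_form  = [ 'path' => [ 'x1' => true, 'y1' => true ] ]; // the shape wp_kses() expects

echo filter_tag( 'path', $path_attr, $list_form, NAME_WITH_DIGITS ), "\n";
echo filter_tag( 'path', $path_attr, $map_form, NAME_LETTERS_ONLY ), "\n";
echo filter_tag( 'path', $path_attr, $map_form, NAME_WITH_DIGITS ), "\n";
```

The first call strips both attributes because the list-form allow-list never contains the key `x1`, even though the tokenizer read the names correctly; the second strips them because the digit-less pattern tokenises `x1="10"` as a bare `x`, which is not an allowed name either; only the third, with the map-form allow-list and a pattern that accepts digits, keeps `x1="10" y1="10"`. Note also that the rebuilt tag ends in ` />` with a space, which is why a strict string comparison of input and output is not a reliable success check for this kind of sanitizer.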