wp_kses_attr_check

The timeline below displays how wordpress function wp_kses_attr_check has changed across different WordPress versions. If a version is not listed, refer to the next available version below.

WordPress Version: 6.3

/**
 * Determines whether an attribute is allowed.
 *
 * @since 4.2.3
 * @since 5.0.0 Added support for `data-*` wildcard attributes.
 *
 * @param string $name         The attribute name. Passed by reference. Returns empty string when not allowed.
 * @param string $value        The attribute value. Passed by reference. Returns a filtered value.
 * @param string $whole        The `name=value` input. Passed by reference. Returns filtered input.
 * @param string $vless        Whether the attribute is valueless. Use 'y' or 'n'.
 * @param string $element      The name of the element to which this attribute belongs.
 * @param array  $allowed_html The full list of allowed elements and attributes.
 * @return bool Whether or not the attribute is allowed.
 */
function wp_kses_attr_check(&$name, &$value, &$whole, $vless, $element, $allowed_html)
{
    $name_low = strtolower($name);
    $element_low = strtolower($element);
    if (!isset($allowed_html[$element_low])) {
        $name = '';
        $value = '';
        $whole = '';
        return false;
    }
    $allowed_attr = $allowed_html[$element_low];
    if (!isset($allowed_attr[$name_low]) || '' === $allowed_attr[$name_low]) {
        /*
         * Allow `data-*` attributes.
         *
         * When specifying `$allowed_html`, the attribute name should be set as
         * `data-*` (not to be mixed with the HTML 4.0 `data` attribute, see
         * https://www.w3.org/TR/html40/struct/objects.html#adef-data).
         *
         * Note: the attribute name should only contain `A-Za-z0-9_-` chars,
         * double hyphens `--` are not accepted by WordPress.
         */
        if (str_starts_with($name_low, 'data-') && !empty($allowed_attr['data-*']) && preg_match('/^data(?:-[a-z0-9_]+)+$/', $name_low, $match)) {
            /*
             * Add the whole attribute name to the allowed attributes and set any restrictions
             * for the `data-*` attribute values for the current element.
             */
            $allowed_attr[$match[0]] = $allowed_attr['data-*'];
        } else {
            $name = '';
            $value = '';
            $whole = '';
            return false;
        }
    }
    if ('style' === $name_low) {
        $new_value = safecss_filter_attr($value);
        if (empty($new_value)) {
            $name = '';
            $value = '';
            $whole = '';
            return false;
        }
        $whole = str_replace($value, $new_value, $whole);
        $value = $new_value;
    }
    if (is_array($allowed_attr[$name_low])) {
        // There are some checks.
        foreach ($allowed_attr[$name_low] as $currkey => $currval) {
            if (!wp_kses_check_attr_val($value, $vless, $currkey, $currval)) {
                $name = '';
                $value = '';
                $whole = '';
                return false;
            }
        }
    }
    return true;
}

WordPress Version: 6.1

/**
 * Determines whether an attribute is allowed.
 *
 * @since 4.2.3
 * @since 5.0.0 Added support for `data-*` wildcard attributes.
 *
 * @param string $name         The attribute name. Passed by reference. Returns empty string when not allowed.
 * @param string $value        The attribute value. Passed by reference. Returns a filtered value.
 * @param string $whole        The `name=value` input. Passed by reference. Returns filtered input.
 * @param string $vless        Whether the attribute is valueless. Use 'y' or 'n'.
 * @param string $element      The name of the element to which this attribute belongs.
 * @param array  $allowed_html The full list of allowed elements and attributes.
 * @return bool Whether or not the attribute is allowed.
 */
function wp_kses_attr_check(&$name, &$value, &$whole, $vless, $element, $allowed_html)
{
    $name_low = strtolower($name);
    $element_low = strtolower($element);
    if (!isset($allowed_html[$element_low])) {
        $name = '';
        $value = '';
        $whole = '';
        return false;
    }
    $allowed_attr = $allowed_html[$element_low];
    if (!isset($allowed_attr[$name_low]) || '' === $allowed_attr[$name_low]) {
        /*
         * Allow `data-*` attributes.
         *
         * When specifying `$allowed_html`, the attribute name should be set as
         * `data-*` (not to be mixed with the HTML 4.0 `data` attribute, see
         * https://www.w3.org/TR/html40/struct/objects.html#adef-data).
         *
         * Note: the attribute name should only contain `A-Za-z0-9_-` chars,
         * double hyphens `--` are not accepted by WordPress.
         */
        if (strpos($name_low, 'data-') === 0 && !empty($allowed_attr['data-*']) && preg_match('/^data(?:-[a-z0-9_]+)+$/', $name_low, $match)) {
            /*
             * Add the whole attribute name to the allowed attributes and set any restrictions
             * for the `data-*` attribute values for the current element.
             */
            $allowed_attr[$match[0]] = $allowed_attr['data-*'];
        } else {
            $name = '';
            $value = '';
            $whole = '';
            return false;
        }
    }
    if ('style' === $name_low) {
        $new_value = safecss_filter_attr($value);
        if (empty($new_value)) {
            $name = '';
            $value = '';
            $whole = '';
            return false;
        }
        $whole = str_replace($value, $new_value, $whole);
        $value = $new_value;
    }
    if (is_array($allowed_attr[$name_low])) {
        // There are some checks.
        foreach ($allowed_attr[$name_low] as $currkey => $currval) {
            if (!wp_kses_check_attr_val($value, $vless, $currkey, $currval)) {
                $name = '';
                $value = '';
                $whole = '';
                return false;
            }
        }
    }
    return true;
}

WordPress Version: 5.5

/**
 * Determines whether an attribute is allowed.
 *
 * @since 4.2.3
 * @since 5.0.0 Add support for `data-*` wildcard attributes.
 *
 * @param string $name         The attribute name. Passed by reference. Returns empty string when not allowed.
 * @param string $value        The attribute value. Passed by reference. Returns a filtered value.
 * @param string $whole        The `name=value` input. Passed by reference. Returns filtered input.
 * @param string $vless        Whether the attribute is valueless. Use 'y' or 'n'.
 * @param string $element      The name of the element to which this attribute belongs.
 * @param array  $allowed_html The full list of allowed elements and attributes.
 * @return bool Whether or not the attribute is allowed.
 */
function wp_kses_attr_check(&$name, &$value, &$whole, $vless, $element, $allowed_html)
{
    $name_low = strtolower($name);
    $element_low = strtolower($element);
    if (!isset($allowed_html[$element_low])) {
        $name = '';
        $value = '';
        $whole = '';
        return false;
    }
    $allowed_attr = $allowed_html[$element_low];
    if (!isset($allowed_attr[$name_low]) || '' === $allowed_attr[$name_low]) {
        /*
         * Allow `data-*` attributes.
         *
         * When specifying `$allowed_html`, the attribute name should be set as
         * `data-*` (not to be mixed with the HTML 4.0 `data` attribute, see
         * https://www.w3.org/TR/html40/struct/objects.html#adef-data).
         *
         * Note: the attribute name should only contain `A-Za-z0-9_-` chars,
         * double hyphens `--` are not accepted by WordPress.
         */
        if (strpos($name_low, 'data-') === 0 && !empty($allowed_attr['data-*']) && preg_match('/^data(?:-[a-z0-9_]+)+$/', $name_low, $match)) {
            /*
             * Add the whole attribute name to the allowed attributes and set any restrictions
             * for the `data-*` attribute values for the current element.
             */
            $allowed_attr[$match[0]] = $allowed_attr['data-*'];
        } else {
            $name = '';
            $value = '';
            $whole = '';
            return false;
        }
    }
    if ('style' === $name_low) {
        $new_value = safecss_filter_attr($value);
        if (empty($new_value)) {
            $name = '';
            $value = '';
            $whole = '';
            return false;
        }
        $whole = str_replace($value, $new_value, $whole);
        $value = $new_value;
    }
    if (is_array($allowed_attr[$name_low])) {
        // There are some checks.
        foreach ($allowed_attr[$name_low] as $currkey => $currval) {
            if (!wp_kses_check_attr_val($value, $vless, $currkey, $currval)) {
                $name = '';
                $value = '';
                $whole = '';
                return false;
            }
        }
    }
    return true;
}

WordPress Version: 5.4

/**
 * Determines whether an attribute is allowed.
 *
 * @since 4.2.3
 * @since 5.0.0 Add support for `data-*` wildcard attributes.
 *
 * @param string $name         The attribute name. Passed by reference. Returns empty string when not allowed.
 * @param string $value        The attribute value. Passed by reference. Returns a filtered value.
 * @param string $whole        The `name=value` input. Passed by reference. Returns filtered input.
 * @param string $vless        Whether the attribute is valueless. Use 'y' or 'n'.
 * @param string $element      The name of the element to which this attribute belongs.
 * @param array  $allowed_html The full list of allowed elements and attributes.
 * @return bool Whether or not the attribute is allowed.
 */
function wp_kses_attr_check(&$name, &$value, &$whole, $vless, $element, $allowed_html)
{
    $name_low = strtolower($name);
    $element_low = strtolower($element);
    if (!isset($allowed_html[$element_low])) {
        $name = '';
        $value = '';
        $whole = '';
        return false;
    }
    $allowed_attr = $allowed_html[$element_low];
    if (!isset($allowed_attr[$name_low]) || '' == $allowed_attr[$name_low]) {
        /*
         * Allow `data-*` attributes.
         *
         * When specifying `$allowed_html`, the attribute name should be set as
         * `data-*` (not to be mixed with the HTML 4.0 `data` attribute, see
         * https://www.w3.org/TR/html40/struct/objects.html#adef-data).
         *
         * Note: the attribute name should only contain `A-Za-z0-9_-` chars,
         * double hyphens `--` are not accepted by WordPress.
         */
        if (strpos($name_low, 'data-') === 0 && !empty($allowed_attr['data-*']) && preg_match('/^data(?:-[a-z0-9_]+)+$/', $name_low, $match)) {
            /*
             * Add the whole attribute name to the allowed attributes and set any restrictions
             * for the `data-*` attribute values for the current element.
             */
            $allowed_attr[$match[0]] = $allowed_attr['data-*'];
        } else {
            $name = '';
            $value = '';
            $whole = '';
            return false;
        }
    }
    if ('style' == $name_low) {
        $new_value = safecss_filter_attr($value);
        if (empty($new_value)) {
            $name = '';
            $value = '';
            $whole = '';
            return false;
        }
        $whole = str_replace($value, $new_value, $whole);
        $value = $new_value;
    }
    if (is_array($allowed_attr[$name_low])) {
        // There are some checks.
        foreach ($allowed_attr[$name_low] as $currkey => $currval) {
            if (!wp_kses_check_attr_val($value, $vless, $currkey, $currval)) {
                $name = '';
                $value = '';
                $whole = '';
                return false;
            }
        }
    }
    return true;
}

WordPress Version: 5.3

/**
 * Determines whether an attribute is allowed.
 *
 * @since 4.2.3
 * @since 5.0.0 Add support for `data-*` wildcard attributes.
 *
 * @param string $name         The attribute name. Passed by reference. Returns empty string when not allowed.
 * @param string $value        The attribute value. Passed by reference. Returns a filtered value.
 * @param string $whole        The `name=value` input. Passed by reference. Returns filtered input.
 * @param string $vless        Whether the attribute is valueless. Use 'y' or 'n'.
 * @param string $element      The name of the element to which this attribute belongs.
 * @param array  $allowed_html The full list of allowed elements and attributes.
 * @return bool Whether or not the attribute is allowed.
 */
function wp_kses_attr_check(&$name, &$value, &$whole, $vless, $element, $allowed_html)
{
    $allowed_attr = $allowed_html[strtolower($element)];
    $name_low = strtolower($name);
    if (!isset($allowed_attr[$name_low]) || '' == $allowed_attr[$name_low]) {
        /*
         * Allow `data-*` attributes.
         *
         * When specifying `$allowed_html`, the attribute name should be set as
         * `data-*` (not to be mixed with the HTML 4.0 `data` attribute, see
         * https://www.w3.org/TR/html40/struct/objects.html#adef-data).
         *
         * Note: the attribute name should only contain `A-Za-z0-9_-` chars,
         * double hyphens `--` are not accepted by WordPress.
         */
        if (strpos($name_low, 'data-') === 0 && !empty($allowed_attr['data-*']) && preg_match('/^data(?:-[a-z0-9_]+)+$/', $name_low, $match)) {
            /*
             * Add the whole attribute name to the allowed attributes and set any restrictions
             * for the `data-*` attribute values for the current element.
             */
            $allowed_attr[$match[0]] = $allowed_attr['data-*'];
        } else {
            $name = '';
            $value = '';
            $whole = '';
            return false;
        }
    }
    if ('style' == $name_low) {
        $new_value = safecss_filter_attr($value);
        if (empty($new_value)) {
            $name = '';
            $value = '';
            $whole = '';
            return false;
        }
        $whole = str_replace($value, $new_value, $whole);
        $value = $new_value;
    }
    if (is_array($allowed_attr[$name_low])) {
        // there are some checks
        foreach ($allowed_attr[$name_low] as $currkey => $currval) {
            if (!wp_kses_check_attr_val($value, $vless, $currkey, $currval)) {
                $name = '';
                $value = '';
                $whole = '';
                return false;
            }
        }
    }
    return true;
}

WordPress Version: 5.1

/**
 * Determines whether an attribute is allowed.
 *
 * @since 4.2.3
 * @since 5.0.0 Add support for `data-*` wildcard attributes.
 *
 * @param string $name         The attribute name. Passed by reference. Returns empty string when not allowed.
 * @param string $value        The attribute value. Passed by reference. Returns a filtered value.
 * @param string $whole        The `name=value` input. Passed by reference. Returns filtered input.
 * @param string $vless        Whether the attribute is valueless. Use 'y' or 'n'.
 * @param string $element      The name of the element to which this attribute belongs.
 * @param array  $allowed_html The full list of allowed elements and attributes.
 * @return bool Whether or not the attribute is allowed.
 */
function wp_kses_attr_check(&$name, &$value, &$whole, $vless, $element, $allowed_html)
{
    $allowed_attr = $allowed_html[strtolower($element)];
    $name_low = strtolower($name);
    if (!isset($allowed_attr[$name_low]) || '' == $allowed_attr[$name_low]) {
        /*
         * Allow `data-*` attributes.
         *
         * When specifying `$allowed_html`, the attribute name should be set as
         * `data-*` (not to be mixed with the HTML 4.0 `data` attribute, see
         * https://www.w3.org/TR/html40/struct/objects.html#adef-data).
         *
         * Note: the attribute name should only contain `A-Za-z0-9_-` chars,
         * double hyphens `--` are not accepted by WordPress.
         */
        if (strpos($name_low, 'data-') === 0 && !empty($allowed_attr['data-*']) && preg_match('/^data(?:-[a-z0-9_]+)+$/', $name_low, $match)) {
            /*
             * Add the whole attribute name to the allowed attributes and set any restrictions
             * for the `data-*` attribute values for the current element.
             */
            $allowed_attr[$match[0]] = $allowed_attr['data-*'];
        } else {
            $name = $value = $whole = '';
            return false;
        }
    }
    if ('style' == $name_low) {
        $new_value = safecss_filter_attr($value);
        if (empty($new_value)) {
            $name = $value = $whole = '';
            return false;
        }
        $whole = str_replace($value, $new_value, $whole);
        $value = $new_value;
    }
    if (is_array($allowed_attr[$name_low])) {
        // there are some checks
        foreach ($allowed_attr[$name_low] as $currkey => $currval) {
            if (!wp_kses_check_attr_val($value, $vless, $currkey, $currval)) {
                $name = $value = $whole = '';
                return false;
            }
        }
    }
    return true;
}

WordPress Version: 5.0

/**
 * Determine whether an attribute is allowed.
 *
 * @since 4.2.3
 * @since 5.0.0 Add support for `data-*` wildcard attributes.
 *
 * @param string $name The attribute name. Returns empty string when not allowed.
 * @param string $value The attribute value. Returns a filtered value.
 * @param string $whole The name=value input. Returns filtered input.
 * @param string $vless 'y' when attribute like "enabled", otherwise 'n'.
 * @param string $element The name of the element to which this attribute belongs.
 * @param array $allowed_html The full list of allowed elements and attributes.
 * @return bool Is the attribute allowed?
 */
function wp_kses_attr_check(&$name, &$value, &$whole, $vless, $element, $allowed_html)
{
    $allowed_attr = $allowed_html[strtolower($element)];
    $name_low = strtolower($name);
    if (!isset($allowed_attr[$name_low]) || '' == $allowed_attr[$name_low]) {
        /*
         * Allow `data-*` attributes.
         *
         * When specifying `$allowed_html`, the attribute name should be set as
         * `data-*` (not to be mixed with the HTML 4.0 `data` attribute, see
         * https://www.w3.org/TR/html40/struct/objects.html#adef-data).
         *
         * Note: the attribute name should only contain `A-Za-z0-9_-` chars,
         * double hyphens `--` are not accepted by WordPress.
         */
        if (strpos($name_low, 'data-') === 0 && !empty($allowed_attr['data-*']) && preg_match('/^data(?:-[a-z0-9_]+)+$/', $name_low, $match)) {
            /*
             * Add the whole attribute name to the allowed attributes and set any restrictions
             * for the `data-*` attribute values for the current element.
             */
            $allowed_attr[$match[0]] = $allowed_attr['data-*'];
        } else {
            $name = $value = $whole = '';
            return false;
        }
    }
    if ('style' == $name_low) {
        $new_value = safecss_filter_attr($value);
        if (empty($new_value)) {
            $name = $value = $whole = '';
            return false;
        }
        $whole = str_replace($value, $new_value, $whole);
        $value = $new_value;
    }
    if (is_array($allowed_attr[$name_low])) {
        // there are some checks
        foreach ($allowed_attr[$name_low] as $currkey => $currval) {
            if (!wp_kses_check_attr_val($value, $vless, $currkey, $currval)) {
                $name = $value = $whole = '';
                return false;
            }
        }
    }
    return true;
}

WordPress Version: .10

/**
 * Determine whether an attribute is allowed.
 *
 * @since 4.2.3
 *
 * @param string $name The attribute name. Returns empty string when not allowed.
 * @param string $value The attribute value. Returns a filtered value.
 * @param string $whole The name=value input. Returns filtered input.
 * @param string $vless 'y' when attribute like "enabled", otherwise 'n'.
 * @param string $element The name of the element to which this attribute belongs.
 * @param array $allowed_html The full list of allowed elements and attributes.
 * @return bool Is the attribute allowed?
 */
function wp_kses_attr_check(&$name, &$value, &$whole, $vless, $element, $allowed_html)
{
    $allowed_attr = $allowed_html[strtolower($element)];
    $name_low = strtolower($name);
    if (!isset($allowed_attr[$name_low]) || '' == $allowed_attr[$name_low]) {
        $name = $value = $whole = '';
        return false;
    }
    if ('style' == $name_low) {
        $new_value = safecss_filter_attr($value);
        if (empty($new_value)) {
            $name = $value = $whole = '';
            return false;
        }
        $whole = str_replace($value, $new_value, $whole);
        $value = $new_value;
    }
    if (is_array($allowed_attr[$name_low])) {
        // there are some checks
        foreach ($allowed_attr[$name_low] as $currkey => $currval) {
            if (!wp_kses_check_attr_val($value, $vless, $currkey, $currval)) {
                $name = $value = $whole = '';
                return false;
            }
        }
    }
    return true;
}