diff --git a/src/wp-includes/kses.php b/src/wp-includes/kses.php
index b567e10cde..41dc7f2d94 100644
--- a/src/wp-includes/kses.php
+++ b/src/wp-includes/kses.php
@@ -828,8 +828,9 @@ function wp_kses_attr($element, $attr, $allowed_html, $allowed_protocols) {
  $xhtml_slash = ' /';
  // Are any attributes allowed at all for this element?
- if ( ! isset($allowed_html[strtolower($element)]) || count($allowed_html[strtolower($element)]) == 0 )
+ if ( ! isset( $allowed_html[ strtolower( $element ) ] ) || true === $allowed_html[ strtolower( $element ) ] || count( $allowed_html[ strtolower( $element ) ] ) == 0 ) {
  return "<$element$xhtml_slash>";
+ }
  // Split it
  $attrarr = wp_kses_hair($attr, $allowed_protocols);
diff --git a/tests/phpunit/tests/kses.php b/tests/phpunit/tests/kses.php
index bc62c58c6c..96e2594cd4 100644
--- a/tests/phpunit/tests/kses.php
+++ b/tests/phpunit/tests/kses.php
@@ -678,4 +678,34 @@ EOF;
  $this->assertEquals( $input, wp_kses( $input, $allowedposttags ) );
  }
+
+ /**
+ * @ticket 40680
+ */
+ function test_wp_kses_attr_no_attributes_allowed_with_empty_array() {
+ $element = 'foo';
+ $attribute = 'title="foo" class="bar"';
+
+ $this->assertEquals( "<{$element}>", wp_kses_attr( $element, $attribute, array( 'foo' => array() ), array() ) );
+ }
+
+ /**
+ * @ticket 40680
+ */
+ function test_wp_kses_attr_no_attributes_allowed_with_true() {
+ $element = 'foo';
+ $attribute = 'title="foo" class="bar"';
+
+ $this->assertEquals( "<{$element}>", wp_kses_attr( $element, $attribute, array( 'foo' => true ), array() ) );
+ }
+
+ /**
+ * @ticket 40680
+ */
+ function test_wp_kses_attr_single_attribute_is_allowed() {
+ $element = 'foo';
+ $attribute = 'title="foo" class="bar"';
+
+ $this->assertEquals( "<{$element} title=\"foo\">", wp_kses_attr( $element, $attribute, array( 'foo' => array( 'title' => true ) ), array() ) );
+ }
  }
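Review bot: The added `true ===` test in the rewritten `if` of wp_kses_attr covers only one non-array value; any other scalar stored for the element (for example `false` or a string coming from a filtered allow-list) still reaches `count()`, which warns on non-countable values from PHP 7.2 and throws a TypeError on PHP 8. Because this is the branch that strips every attribute, it is safer to fail closed on anything that is not an array: `$element_low = strtolower( $element );` followed by `if ( ! isset( $allowed_html[ $element_low ] ) || ! is_array( $allowed_html[ $element_low ] ) || 0 === count( $allowed_html[ $element_low ] ) ) {`. That also replaces the three repeated `strtolower()` calls with one lookup key and the loose `== 0` with a strict comparison. The rest of the function lies outside the hunk, so how the later attribute loop treats a non-array entry is not visible here.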
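Review bot: The three new tests all pass a lower-case element, so the `strtolower( $element )` lookup that the changed condition depends on is never exercised with a name whose case differs from the allow-list key. A case such as `$this->assertSame( '<FOO>', wp_kses_attr( 'FOO', $attribute, array( 'foo' => true ), array() ) );` would pin that the `true` entry is found case-insensitively and that the element is echoed back as given, which is what the visible `return "<$element$xhtml_slash>";` line does. Using `assertSame` rather than `assertEquals` for these string results would also keep the sanitizer's output from being compared loosely.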