wp_kses_one_attr

Filters one attribute only and ensures its value is allowed.

Description

(string) wp_kses_one_attr( (string) $string, (string) $element ); 

This function has the advantage of being more secure than esc_attr() and can escape data in some situations where wp_kses() must strip the whole attribute.

Returns (string)

Filtered attribute.

Parameters (2)

0. $string (string)
The whole attribute, including name and value.
1. $element (string)
The element name to which the attribute belongs.

Usage

if ( ! function_exists( 'wp_kses_one_attr' ) ) {
    require_once ABSPATH . WPINC . '/kses.php';
}

// The 'whole' attribute, including name and value.
$string = '';

// The element name to which the attribute belongs.
$element = '';

// NOTICE! Understand what this does before running.
$result = wp_kses_one_attr( $string, $element );
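Using the function from a plugin, as an added example that is not from this page or from WordPress core: a hypothetical helper `example_build_filtered_tag()` runs each user-supplied attribute through wp_kses_one_attr() on its own, so a disallowed attribute or URI protocol is dropped while the rest of the element survives, which is the advantage over wp_kses() described above. It assumes a loaded WordPress environment (ABSPATH, wp_kses_allowed_html(), esc_attr() and the other kses helpers available); the input array is constructed for illustration.

```php
<?php
// Added example (not WordPress core code). Assumes WordPress is loaded so that
// ABSPATH, WPINC and the kses helper functions exist.
if ( ! function_exists( 'wp_kses_one_attr' ) ) {
    require_once ABSPATH . WPINC . '/kses.php';
}

/**
 * Build a start tag for $element from untrusted name => value pairs,
 * keeping only the attributes that survive wp_kses_one_attr().
 * Returns '' when the element itself is not allowed in the 'post' context.
 * (Hypothetical helper name.)
 */
function example_build_filtered_tag( $element, array $attrs ) {
    $element = strtolower( $element );
    $allowed = wp_kses_allowed_html( 'post' );
    if ( ! isset( $allowed[ $element ] ) ) {
        return '';
    }

    $kept = array();
    foreach ( $attrs as $name => $raw ) {
        // Hand the whole attribute over double-quoted. wp_kses_one_attr() strips
        // the outer quotes, re-escapes the value with esc_attr(), removes
        // non-allowed protocols from URI attributes (href, src, ...) and
        // returns '' for an attribute that is not allowed on this element.
        $candidate = $name . '="' . $raw . '"';
        $filtered  = wp_kses_one_attr( $candidate, $element );
        if ( '' !== $filtered ) {
            $kept[] = $filtered;
        }
    }

    return '<' . $element . ( $kept ? ' ' . implode( ' ', $kept ) : '' ) . '>';
}

// Constructed untrusted input: legitimate attributes mixed with an event
// handler (not allowed on <a> in the 'post' context) and a URI whose
// protocol is not in wp_allowed_protocols().
$untrusted = array(
    'href'    => 'javascript:doSomething()',
    'title'   => 'Say "hi" <here>',
    'onclick' => 'doSomething()',
    'target'  => '_blank',
);

echo example_build_filtered_tag( 'a', $untrusted ), "\n";
```

Because each attribute is checked independently, a rejected attribute costs only that attribute, whereas wp_kses() applied to the assembled tag can only keep or drop attributes as it re-parses the whole string.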

Defined (1)

The function is defined in the following location(s).

/wp-includes/kses.php  
function wp_kses_one_attr( $string, $element ) {
    $uris = array( 'xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action' );
    $allowed_html = wp_kses_allowed_html( 'post' );
    $allowed_protocols = wp_allowed_protocols();
    $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );

    // Preserve leading and trailing whitespace.
    $matches = array();
    preg_match( '/^\s*/', $string, $matches );
    $lead = $matches[0];
    preg_match( '/\s*$/', $string, $matches );
    $trail = $matches[0];
    if ( empty( $trail ) ) {
        $string = substr( $string, strlen( $lead ) );
    } else {
        $string = substr( $string, strlen( $lead ), -strlen( $trail ) );
    }

    // Parse attribute name and value from input.
    $split = preg_split( '/\s*=\s*/', $string, 2 );
    $name = $split[0];
    if ( count( $split ) == 2 ) {
        $value = $split[1];

        // Remove quotes surrounding $value.
        // Also guarantee correct quoting in $string for this one attribute.
        if ( '' == $value ) {
            $quote = '';
        } else {
            $quote = $value[0];
        }
        if ( '"' == $quote || "'" == $quote ) {
            // A value that opens with a quote must close with the same quote.
            if ( substr( $value, -1 ) != $quote ) {
                return '';
            }
            $value = substr( $value, 1, -1 );
        } else {
            $quote = '"';
        }

        // Sanitize quotes, angle braces, and entities.
        $value = esc_attr( $value );

        // Sanitize URI values.
        if ( in_array( strtolower( $name ), $uris ) ) {
            $value = wp_kses_bad_protocol( $value, $allowed_protocols );
        }

        $string = "$name=$quote$value$quote";
        $vless = 'n';
    } else {
        $value = '';
        $vless = 'y';
    }

    // Sanitize attribute by name. $string is passed by reference and is
    // emptied when the attribute is not allowed on $element.
    wp_kses_attr_check( $name, $value, $string, $vless, $element, $allowed_html );

    // Restore whitespace.
    return $lead . $string . $trail;
}