Skip to content

HTML API: Align STYLE tag contents escaping with SCRIPT tag #10668

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
sirreal wants to merge 7 commits into
base: trunk
Choose a base branch
from
Draft

HTML API: Align STYLE tag contents escaping with SCRIPT tag #10668

sirreal wants to merge 7 commits into from
+71 −22

Conversation

@sirreal
Copy link
Member

@sirreal sirreal commented Dec 29, 2025
edited
Loading

#10635 is merged here. It should land first so that this approach can align with what finally lands there.

Trac ticket:

This Pull Request is for code review only. Please keep all other discussion in the Trac ticket. Do not merge this Pull Request. See GitHub Pull Requests for Code Review in the Core Handbook for more details.

@sirreal sirreal mentioned this pull request Dec 29, 2025
Closed
@github-actions
Copy link

github-actions bot commented Dec 29, 2025

Test using WordPress Playground

The changes in this pull request can previewed and tested using a WordPress Playground instance.

WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser.

Some things to be aware of

  • The Plugin and Theme Directories cannot be accessed within Playground.
  • All changes will be lost when closing a tab with a Playground instance.
  • All changes will be lost when refreshing the page.
  • A fresh instance is created each time the link below is clicked.
  • Every time this pull request is updated, a new ZIP file containing all changes is created. If changes are not reflected in the Playground instance,
    it's possible that the most recent build failed, or has not completed. Check the list of workflow runs to be sure.

For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation.

Test this pull request with WordPress Playground.

@sirreal sirreal force-pushed the html-api/improve-style-tag-contents-escaping branch from 6ff95c3 to 9f2f45b Compare January 14, 2026 16:20
westonruter
westonruter reviewed Jan 14, 2026
View reviewed changes
src/wp-includes/html-api/class-wp-html-tag-processor.php
Comment on lines +4251 to +4275
/*
* Replace all instances of the ASCII case-insensitive match of "</style"
* when followed by whitespace or "/" or ">", by using a CSS Unicode
* escape sequence for the "s" (or the "S").
*
* CSS Unicode escape sequences will terminate at the first non-hexadecimal,
* so the `t` character in `style` ensures that a Unicode escape sequence
* like `\73t` is correctly interpreted as `st`.
*/
while ( $at < $end ) {
$tag_at = stripos( $text, '</style', $at );
if ( false === $tag_at ) {
break;
}

if ( 1 !== strspn( $text, " \t\f\r\n/>", $tag_at + 7, 1 ) ) {
$at = $tag_at + 7;
continue;
}

$escaped .= substr( $text, $was_at, $tag_at - $was_at + 2 );
$escaped .= 's' === $text[ $tag_at + 2 ] ? '\73' : '\53';
$was_at = $tag_at + 3;
$at = $tag_at + 8;
}
Copy link
Member

@westonruter westonruter Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would there be an opportunity to factor this out into a common method to be reused by both escape_style_contents and escape_javascript_script_contents?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@westonruter westonruter westonruter left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sirreal @westonruter