Default true.
* @return string HTML attribute or empty string.
*/
function disabled( $disabled, $current = true, $display = true ) {
	// Delegates to the shared helper; the attribute name is a fixed literal, never caller input.
	$attribute = __checked_selected_helper( $disabled, $current, $display, 'disabled' );

	return $attribute;
}
/**
 * Outputs (and returns) the HTML `readonly` attribute.
 *
 * When `$readonly_value` and `$current` compare equal as strings, the
 * attribute ` readonly='readonly'` is produced; otherwise an empty string.
 * Named `wp_readonly` because `readonly` is a reserved word on PHP 8.1+.
 *
 * @since 5.9.0
 *
 * @param mixed $readonly_value One of the values to compare.
 * @param mixed $current        Optional. The other value to compare if not just true.
 *                              Default true.
 * @param bool  $display        Optional. Whether to echo or just return the string.
 *                              Default true.
 * @return string HTML attribute or empty string.
 */
function wp_readonly( $readonly_value, $current = true, $display = true ) {
	// The attribute name passed here is a fixed literal, never caller input.
	$attribute = __checked_selected_helper( $readonly_value, $current, $display, 'readonly' );

	return $attribute;
}
/*
 * On PHP < 8.1, load the compat `readonly()` shim. From PHP 8.1 on,
 * `readonly` is a reserved keyword, so a function of that name cannot even
 * be parsed; keeping it in its own file and including that file only on
 * older versions avoids a parse error in this file. The path is fixed
 * relative to this file and is not derived from any input.
 */
if ( 80100 > PHP_VERSION_ID ) {
	require_once dirname( __FILE__ ) . '/php-compat/readonly.php';
}
/**
 * Private helper function for checked, selected, disabled and readonly.
 *
 * Both values are cast to string and compared strictly; on a match the
 * attribute ` $type='$type'` is produced, otherwise an empty string.
 * `$type` is interpolated into the markup without escaping, so callers
 * must pass a fixed attribute name, never caller-supplied data.
 *
 * @since 2.8.0
 * @access private
 *
 * @param mixed  $helper  One of the values to compare.
 * @param mixed  $current The other value to compare if not just true.
 * @param bool   $display Whether to echo or just return the string.
 * @param string $type    The type of checked|selected|disabled|readonly we are doing.
 * @return string HTML attribute or empty string.
 */
function __checked_selected_helper( $helper, $current, $display, $type ) { // phpcs:ignore WordPress.NamingConventions.ValidFunctionName.FunctionDoubleUnderscore,PHPCompatibility.FunctionNameRestrictions.ReservedFunctionNames.FunctionDoubleUnderscore
	// String cast on both sides so e.g. 1 and '1' (or true and '1') are treated as equal.
	$is_match  = ( (string) $current === (string) $helper );
	$attribute = $is_match ? " {$type}='{$type}'" : '';

	if ( $display ) {
		echo $attribute;
	}

	return $attribute;
}
/**
 * Assigns a visual indicator for required form fields.
 *
 * The glyph is passed through `esc_html()` before being placed in the markup,
 * and the result is run through the `wp_required_field_indicator` filter.
 *
 * @since 6.1.0
 *
 * @return string Indicator glyph wrapped in a `span` tag.
 */
function wp_required_field_indicator() {
	/* translators: Character to identify required form fields. */
	$glyph = __( '*' );

	// NOTE(review): the literals on either side of the escaped glyph are empty here, although the
	// docblock describes a `span` wrapper — the wrapping markup may have been lost; confirm upstream.
	$escaped_glyph = esc_html( $glyph );
	$indicator     = '' . $escaped_glyph . '';

	/**
	 * Filters the markup for a visual indicator of required form fields.
	 *
	 * @since 6.1.0
	 *
	 * @param string $indicator Markup for the indicator element.
	 */
	return apply_filters( 'wp_required_field_indicator', $indicator );
}
/**
 * Creates a message to explain required form fields.
 *
 * The translated sentence receives the output of `wp_required_field_indicator()`
 * as its `%s` placeholder, and the result is run through the
 * `wp_required_field_message` filter.
 *
 * @since 6.1.0
 *
 * @return string Message text and glyph wrapped in a `span` tag.
 */
function wp_required_field_message() {
	/* translators: %s: Asterisk symbol (*). */
	$text = sprintf( __( 'Required fields are marked %s' ), wp_required_field_indicator() );

	// NOTE(review): the outer format string is a bare '%s' here, although the docblock describes
	// a `span` wrapper — the wrapping markup may have been lost; confirm upstream.
	$message = sprintf( '%s', $text );

	/**
	 * Filters the message to explain required form fields.
	 *
	 * @since 6.1.0
	 *
	 * @param string $message Message text and glyph wrapped in a `span` tag.
	 */
	return apply_filters( 'wp_required_field_message', $message );
}
/**
 * Default settings for heartbeat.
 *
 * Adds a relative `ajaxurl` when not in the admin, and — only for a
 * logged-in user — the nonce used in the heartbeat XHR.
 *
 * @since 3.6.0
 *
 * @param array $settings Existing heartbeat settings to extend.
 * @return array Heartbeat settings.
 */
function wp_heartbeat_settings( $settings ) {
	$in_admin = is_admin();

	if ( ! $in_admin ) {
		$settings['ajaxurl'] = admin_url( 'admin-ajax.php', 'relative' );
	}

	// The nonce is issued only for an authenticated user; anonymous requests get none.
	if ( is_user_logged_in() ) {
		$settings['nonce'] = wp_create_nonce( 'heartbeat-nonce' );
	}

	return $settings;
}
-image',
'cursor',
'filter',
'list-style',
'list-style-image',
);
/*
* CSS attributes that accept gradient data types.
*
*/
$css_gradient_data_types = array(
'background',
'background-image',
);
if ( empty( $allowed_attr ) ) {
return $css;
}
$css = '';
foreach ( $css_array as $css_item ) {
if ( '' === $css_item ) {
continue;
}
$css_item = trim( $css_item );
$css_test_string = $css_item;
$found = false;
$url_attr = false;
$gradient_attr = false;
$is_custom_var = false;
if ( ! str_contains( $css_item, ':' ) ) {
$found = true;
} else {
$parts = explode( ':', $css_item, 2 );
$css_selector = trim( $parts[0] );
// Allow assigning values to CSS variables.
if ( in_array( '--*', $allowed_attr, true ) && preg_match( '/^--[a-zA-Z0-9-_]+$/', $css_selector ) ) {
$allowed_attr[] = $css_selector;
$is_custom_var = true;
}
if ( in_array( $css_selector, $allowed_attr, true ) ) {
$found = true;
$url_attr = in_array( $css_selector, $css_url_data_types, true );
$gradient_attr = in_array( $css_selector, $css_gradient_data_types, true );
}
if ( $is_custom_var ) {
$css_value = trim( $parts[1] );
$url_attr = str_starts_with( $css_value, 'url(' );
$gradient_attr = str_contains( $css_value, '-gradient(' );
}
}
if ( $found && $url_attr ) {
// Simplified: matches the sequence `url(*)`.
preg_match_all( '/url\([^)]+\)/', $parts[1], $url_matches );
foreach ( $url_matches[0] as $url_match ) {
// Clean up the URL from each of the matches above.
preg_match( '/^url\(\s*([\'\"]?)(.*)(\g1)\s*\)$/', $url_match, $url_pieces );
if ( empty( $url_pieces[2] ) ) {
$found = false;
break;
}
$url = trim( $url_pieces[2] );
if ( empty( $url ) || wp_kses_bad_protocol( $url, $allowed_protocols ) !== $url ) {
$found = false;
break;
} else {
// Remove the whole `url(*)` bit that was matched above from the CSS.
$css_test_string = str_replace( $url_match, '', $css_test_string );
}
}
}
if ( $found && $gradient_attr ) {
$css_value = trim( $parts[1] );
if ( preg_match( '/^(repeating-)?(linear|radial|conic)-gradient\(([^()]|rgb[a]?\([^()]*\))*\)$/', $css_value ) ) {
// Remove the whole `gradient` bit that was matched above from the CSS.
$css_test_string = str_replace( $css_value, '', $css_test_string );
}
}
if ( $found ) {
/*
* Allow CSS functions like var(), calc(), etc. by removing them from the test string.
* Nested functions and parentheses are also removed, so long as the parentheses are balanced.
*/
$css_test_string = preg_replace(
'/\b(?:var|calc|min|max|minmax|clamp|repeat)(\((?:[^()]|(?1))*\))/',
'',
$css_test_string
);
/*
* Disallow CSS containing \ ( & } = or comments, except for within url(), var(), calc(), etc.
* which were removed from the test string above.
*/
$allow_css = ! preg_match( '%[\\\(&=}]|/\*%', $css_test_string );
/**
* Filters the check for unsafe CSS in `safecss_filter_attr`.
*
* Enables developers to determine whether a section of CSS should be allowed or discarded.
* By default, the value will be false if the part contains \ ( & } = or comments.
* Return true to allow the CSS part to be included in the output.
*
* @since 5.5.0
*
* @param bool $allow_css Whether the CSS in the test string is considered safe.
* @param string $css_test_string The CSS string to test.
*/
$allow_css = apply_filters( 'safecss_filter_attr_allow_css', $allow_css, $css_test_string );
// Only add the CSS part if it passes the regex check.
if ( $allow_css ) {
if ( '' !== $css ) {
$css .= ';';
}
$css .= $css_item;
}
}
}
return $css;
}
/**
 * Helper function to add global attributes to a tag in the allowed HTML list.
 *
 * A value of `true` is treated as an empty attribute list; an array has the
 * global attributes merged in (a global attribute wins over an existing key
 * of the same name); any other value is returned unchanged.
 *
 * @since 3.5.0
 * @since 5.0.0 Added support for `data-*` wildcard attributes.
 * @since 6.0.0 Added `dir`, `lang`, and `xml:lang` to global attributes.
 * @since 6.3.0 Added `aria-controls`, `aria-current`, and `aria-expanded` attributes.
 *
 * @access private
 * @ignore
 *
 * @param array $value An array of attributes.
 * @return array The array of attributes with global attributes added.
 */
function _wp_add_global_attributes( $value ) {
	$global_attributes = array(
		'aria-controls'    => true,
		'aria-current'     => true,
		'aria-describedby' => true,
		'aria-details'     => true,
		'aria-expanded'    => true,
		'aria-label'       => true,
		'aria-labelledby'  => true,
		'aria-hidden'      => true,
		'class'            => true,
		'data-*'           => true,
		'dir'              => true,
		'id'               => true,
		'lang'             => true,
		'style'            => true,
		'title'            => true,
		'role'             => true,
		'xml:lang'         => true,
	);

	// `true` stands for an empty list, which merges to exactly the global set.
	if ( true === $value ) {
		return $global_attributes;
	}

	// Anything that is neither `true` nor an array is passed through untouched.
	if ( ! is_array( $value ) ) {
		return $value;
	}

	// String keys: the global entry replaces an existing key of the same name.
	return array_merge( $value, $global_attributes );
}
/**
 * Helper function to check if this is a safe PDF URL.
 *
 * A URL is accepted only if it carries no query string or fragment, ends in
 * the literal `.pdf`, and begins with `http://` or `https://` followed by the
 * host (and port, if any) of the site's upload URL and a `/`.
 *
 * @since 5.9.0
 * @access private
 * @ignore
 *
 * @param string $url The URL to check.
 * @return bool True if the URL is safe, false otherwise.
 */
function _wp_kses_allow_pdf_objects( $url ) {
	// Query strings and fragments are rejected outright.
	$has_query_or_fragment = str_contains( $url, '?' ) || str_contains( $url, '#' );
	if ( $has_query_or_fragment ) {
		return false;
	}

	// Only a literal, lowercase `.pdf` suffix is accepted (the comparison is case-sensitive).
	if ( ! str_ends_with( $url, '.pdf' ) ) {
		return false;
	}

	// Build the authority of the site's upload URL: host plus optional `:port`.
	$upload_info = wp_upload_dir( null, false );
	$parsed_url  = wp_parse_url( $upload_info['url'] );
	$upload_host = isset( $parsed_url['host'] ) ? $parsed_url['host'] : '';
	$upload_port = isset( $parsed_url['port'] ) ? ':' . $parsed_url['port'] : '';
	$authority   = $upload_host . $upload_port . '/';

	/*
	 * The trailing `/` anchors the prefix at the end of the authority, so a URL whose host
	 * merely starts with the upload host (or carries extra userinfo/port text) does not match.
	 */
	foreach ( array( 'http://', 'https://' ) as $scheme ) {
		if ( str_starts_with( $url, $scheme . $authority ) ) {
			return true;
		}
	}

	return false;
}