KSES: Allow all Custom Data Attributes

Allow spec-compliant data-attributes in `wp_kses_attr_check()`
WordPress · Apr 22, 2024 · 52a9492 · 52a9492
1 parent c144248
commit 52a9492
Showing 1 changed file with 2 additions and 3 deletions.
diff --git a/src/wp-includes/kses.php b/src/wp-includes/kses.php
@@ -1263,11 +1263,10 @@ function wp_kses_attr_check( &$name, &$value, &$whole, $vless, $element, $allowe
 		 * `data-*` (not to be mixed with the HTML 4.0 `data` attribute, see
 		 * https://www.w3.org/TR/html40/struct/objects.html#adef-data).
 		 *
-		 * Note: the attribute name should only contain `A-Za-z0-9_-` chars,
-		 * double hyphens `--` are not accepted by WordPress.
+		 * @see https://html.spec.whatwg.org/#custom-data-attribute
 		 */
 		if ( str_starts_with( $name_low, 'data-' ) && ! empty( $allowed_attr['data-*'] )
-			&& preg_match( '/^data(?:-[a-z0-9_]+)+$/', $name_low, $match )
+			&& preg_match( '~^data-[^=/> \\t\\f\\r\\n]+$~', $name_low, $match )
 		) {
 			/*
 			 * Add the whole attribute name to the allowed attributes and set any restrictions