From 52a94927512d5155f613442898a6bdae9ce8ad86 Mon Sep 17 00:00:00 2001
From: Dennis Snell
Date: Mon, 22 Apr 2024 21:23:16 +0300
Subject: [PATCH] KSES: Allow all Custom Data Attributes Allow spec-compliant data-attributes in `wp_kses_attr_check()`
---
 src/wp-includes/kses.php | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/wp-includes/kses.php b/src/wp-includes/kses.php
index cccb1768c2dfd..1d7f1904f81f3 100644
--- a/src/wp-includes/kses.php
+++ b/src/wp-includes/kses.php
@@ -1263,11 +1263,10 @@ function wp_kses_attr_check( &$name, &$value, &$whole, $vless, $element, $allowe
 * `data-*` (not to be mixed with the HTML 4.0 `data` attribute, see
 * https://www.w3.org/TR/html40/struct/objects.html#adef-data).
 *
- * Note: the attribute name should only contain `A-Za-z0-9_-` chars,
- * double hyphens `--` are not accepted by WordPress.
+ * @see https://html.spec.whatwg.org/#custom-data-attribute
 */
 if ( str_starts_with( $name_low, 'data-' ) && ! empty( $allowed_attr['data-*'] )
- && preg_match( '/^data(?:-[a-z0-9_]+)+$/', $name_low, $match )
+ && preg_match( '~^data-[^=/> \\t\\f\\r\\n]+$~', $name_low, $match )
 ) {
 /*
 * Add the whole attribute name to the allowed attributes and set any restrictions
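Review bot: The added `preg_match()` pattern replaces an allowlist (`[a-z0-9_]`) with a denylist, so a `data-*` name containing `"`, `'`, `<` or control bytes now passes this sanitizer check, although the custom-data-attribute definition linked in the new `@see` also requires an XML-compatible name. Whether earlier parsing already limits what can reach `$name_low` is not visible in this hunk, so I would not rely on it and would reject those characters here: `&& preg_match( '~^data-[^=/>"\'<\\x00-\\x20\\x7f]+\\z~', $name_low, $match )`. The `\\z` anchor matters as well, because `$` without the `D` modifier also matches just before a trailing newline, so a name ending in `\n` still passes even though the class excludes it. The removed comment documented that `--` was rejected; the new comment should state which characters are refused and why, and the change would benefit from tests covering names with double hyphens, quotes and a trailing newline. The body of `wp_kses_attr_check()` begins and continues outside this hunk.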