Allow data-wp-action and data-wp-nonce through wp_kses in Settings Form

ajaydsouza · ajaydsouza · commit 4e36131b0434 · 2026-05-27T12:56:16.000+04:00
get_allowed_html() was missing data-wp-action and data-wp-nonce for
input and select elements. wp_kses stripped these attributes, so
TomSelect could not read the action/nonce off the element and sent
AJAX requests without them.
diff --git a/includes/admin/settings/class-settings-form.php b/includes/admin/settings/class-settings-form.php
@@ -216,6 +216,8 @@ protected function get_allowed_html(): array {
 				'autocomplete'     => true,
 				// Tom Select data attributes (built-in Settings API feature).
 				'data-wp-prefix'   => true,
+				'data-wp-action'   => true,
+				'data-wp-nonce'    => true,
 				'data-wp-endpoint' => true,
 				'data-ts-config'   => true,
 			),
@@ -230,6 +232,8 @@ protected function get_allowed_html(): array {
 				'autocomplete'     => true,
 				// Tom Select data attributes (built-in Settings API feature).
 				'data-wp-prefix'   => true,
+				'data-wp-action'   => true,
+				'data-wp-nonce'    => true,
 				'data-wp-endpoint' => true,
 				'data-ts-config'   => true,
 			),
