Interactivity API: Apply the same directive name restrictions as the client.

joemcgill · joemcgill · commit 804ca756b143 · 2025-03-24T14:51:19.000Z
This adds the same logic to filter directive data attributes to ignore invalid data attributes that is applied in the client to avoid processing directives on the server that will not be processed in the client. Props jonsurrell, SirLouen. Fixes #62426. git-svn-id: https://develop.svn.wordpress.org/trunk@60070 602fd350-edb4-49c9-b593-d223f7449a82
diff --git a/src/wp-includes/interactivity-api/class-wp-interactivity-api.php b/src/wp-includes/interactivity-api/class-wp-interactivity-api.php
@@ -451,6 +451,26 @@ private function _process_directives( string $html ) {
 
 					// Checks if there is a server directive processor registered for each directive.
 					foreach ( $p->get_attribute_names_with_prefix( 'data-wp-' ) as $attribute_name ) {
+						if ( ! preg_match(
+							/*
+							 * This must align with the client-side regex used by the interactivity API.
+							 * @see https://github.com/WordPress/gutenberg/blob/ca616014255efbb61f34c10917d52a2d86c1c660/packages/interactivity/src/vdom.ts#L20-L32
+							 */
+							'/' .
+							'^data-wp-' .
+							// Match alphanumeric characters including hyphen-separated
+							// segments. It excludes underscore intentionally to prevent confusion.
+							// E.g., "custom-directive".
+							'([a-z0-9]+(?:-[a-z0-9]+)*)' .
+							// (Optional) Match '--' followed by any alphanumeric charachters. It
+							// excludes underscore intentionally to prevent confusion, but it can
+							// contain multiple hyphens. E.g., "--custom-prefix--with-more-info".
+							'(?:--([a-z0-9_-]+))?$' .
+							'/i',
+							$attribute_name
+						) ) {
+							continue;
+						}
 						list( $directive_prefix ) = $this->extract_prefix_and_suffix( $attribute_name );
 						if ( array_key_exists( $directive_prefix, self::$directive_processors ) ) {
 							$directives_prefixes[] = $directive_prefix;
diff --git a/tests/phpunit/tests/interactivity-api/wpInteractivityAPI.php b/tests/phpunit/tests/interactivity-api/wpInteractivityAPI.php
@@ -1585,4 +1585,24 @@ public static function data_length_directives(): array {
 			'object'            => array( new stdClass(), '' ),
 		);
 	}
+
+	/**
+	 * Ensures that directives with invalid attribute names are ignored.
+	 *
+	 * @ticket 62426
+	 */
+	public function test_invalid_directive_names_are_ignored() {
+		$html = <<<HTML
+			<div data-wp-interactive="test" data-wp-context='{ "t": true }'>
+				<br data-wp-class--allowed="context.t">
+				<br data-wp-class--dis:allowed="context.t">
+				<br data-wp-class--[disallowed]="context.t">
+			</div>
+HTML;
+
+		$processed_html = $this->interactivity->process_directives( $html );
+		$this->assertStringContainsString( 'class="allowed"', $processed_html );
+		$this->assertStringNotContainsString( 'class="dis:allowed"', $processed_html );
+		$this->assertStringNotContainsString( 'class="[disallowed]"', $processed_html );
+	}
 }
