Fix attribute text escaping and add trailing segment handling

Use WP_HTML_Decoder::decode_attribute to decode static attribute text
before re-encoding, preventing double-escaping of existing character
references (e.g. & staying & instead of becoming &).

Also track trailing text segments after the last placeholder within
attribute values, not just leading/inter-placeholder segments.

Author: sirreal

src/wp-includes/html-api/class-wp-html-template.php

@@ -211,6 +211,11 @@ public function get_tag_attributes(): array {
 							$last_offset = $match_start + $match_length;
 							$offset      = $last_offset;
 						}
+
+						// Track trailing text segment after last placeholder.
+						if ( $last_offset < $end ) {
+							$this->attr_escapes[] = array( $last_offset, $end - $last_offset );
+						}
 					}
 					break;
 			}
@@ -426,9 +431,14 @@ public function render(): string|false {
 		}
 
 		// 3. Attribute text escaping.
+		// Static text in attribute values needs escaping to prevent character
+		// reference injection (e.g. "&" + "not" = "&not;" = "¬"). Decode
+		// existing character references first, then re-encode to avoid
+		// double-escaping (e.g. "&amp;" should stay "&amp;", not become "&amp;amp;").
 		foreach ( $this->attr_escapes as list( $start, $length ) ) {
-			$original  = substr( $html, $start, $length );
-			$updates[] = array( $start, $length, strtr( $original, $escape_map ) );
+			$original = substr( $html, $start, $length );
+			$decoded  = WP_HTML_Decoder::decode_attribute( $original );
+			$updates[] = array( $start, $length, strtr( $decoded, $escape_map ) );
 		}
 
 		// Sort by start position descending so replacements don't shift positions.

tests/phpunit/tests/html-api/wpHtmlTemplate.php

@@ -882,6 +882,47 @@ public function test_extracts_attribute_placeholders() {
 	 *
 	 * @covers ::get_placeholders
 	 */
+	/**
+	 * Verifies that static text around placeholders in attributes is escaped.
+	 *
+	 * @ticket 60229
+	 *
+	 * @covers ::from
+	 * @covers ::bind
+	 * @covers ::render
+	 */
+	public function test_escapes_static_text_around_placeholder_in_attribute() {
+		// Leading static text (prefix before placeholder)
+		$result = T::from( '<a href="/path/</%slug>">Link</a>' )
+			->bind( array( 'slug' => 'hello' ) )
+			->render();
+		$this->assertEqualHTML( '<a href="/path/hello">Link</a>', $result );
+
+		// Trailing static text (suffix after placeholder)
+		$result = T::from( '<a href="</%slug>/page">Link</a>' )
+			->bind( array( 'slug' => 'hello' ) )
+			->render();
+		$this->assertEqualHTML( '<a href="hello/page">Link</a>', $result );
+
+		// Ampersand in trailing static text must be escaped
+		$result = T::from( '<a href="</%base>&amp;extra=1">Link</a>' )
+			->bind( array( 'base' => '/search?q=test' ) )
+			->render();
+		$this->assertEqualHTML( '<a href="/search?q=test&amp;extra=1">Link</a>', $result );
+
+		// Ampersand entity in leading static text must not be double-escaped
+		$result = T::from( '<a href="/search?a=1&amp;b=</%val>">Link</a>' )
+			->bind( array( 'val' => '2' ) )
+			->render();
+		$this->assertEqualHTML( '<a href="/search?a=1&amp;b=2">Link</a>', $result );
+
+		// Character reference in trailing static text is preserved (not double-escaped)
+		$result = T::from( '<meta name="</%placeholder>&not;">' )
+			->bind( array( 'placeholder' => '' ) )
+			->render();
+		$this->assertEqualHTML( '<meta name="¬">', $result );
+	}
+
 	public function test_context_promotion_text_to_attribute() {
 		$template = T::from( '<a href="</%url>"></%url></a>' );