HTML API: Normalize raw attribute carriage returns before serialization

Author: sirreal

src/wp-includes/html-api/class-wp-html-processor.php

@@ -1443,7 +1443,7 @@ public function serialize_token(): string {
 			}
 
 			$html .= " {$qualified_attribute_name}";
-			$value = $this->get_attribute( $attribute_name );
+			$value = $this->get_attribute_for_serialization( $attribute_name );
 
 			if ( is_string( $value ) ) {
 				$html .= '="' . self::serialize_decoded_text( $value ) . '"';

src/wp-includes/html-api/class-wp-html-tag-processor.php

@@ -2359,13 +2359,14 @@ private function class_name_updates_to_attributes_updates(): void {
 		}
 
 		if ( false === $existing_class && isset( $this->attributes['class'] ) ) {
-			$existing_class = WP_HTML_Decoder::decode_attribute(
-				substr(
-					$this->html,
-					$this->attributes['class']->value_starts_at,
-					$this->attributes['class']->value_length
-				)
+			$existing_class = substr(
+				$this->html,
+				$this->attributes['class']->value_starts_at,
+				$this->attributes['class']->value_length
 			);
+			$existing_class = str_replace( "\r\n", "\n", $existing_class );
+			$existing_class = str_replace( "\r", "\n", $existing_class );
+			$existing_class = WP_HTML_Decoder::decode_attribute( $existing_class );
 		}
 
 		if ( false === $existing_class ) {
@@ -2829,6 +2830,51 @@ public function get_attribute( $name ) {
 		return WP_HTML_Decoder::decode_attribute( $raw_value );
 	}
 
+	/**
+	 * Returns the value of an attribute, applying HTML input stream preprocessing.
+	 *
+	 * This is intended for serialization, where source HTML values have already
+	 * passed through preprocessing before character references decode. Enqueued
+	 * attribute updates are plaintext API values, so they are returned unchanged.
+	 *
+	 * @since 6.9.0
+	 * @ignore
+	 *
+	 * @param string $name Name of attribute whose value is requested.
+	 * @return string|true|null Value of attribute or `null` if not available. Boolean attributes return `true`.
+	 */
+	protected function get_attribute_for_serialization( $name ) {
+		if ( self::STATE_MATCHED_TAG !== $this->parser_state ) {
+			return null;
+		}
+
+		$comparable = strtolower( $name );
+
+		if ( 'class' === $comparable ) {
+			$this->class_name_updates_to_attributes_updates();
+		}
+
+		$enqueued_value = $this->get_enqueued_attribute_value( $comparable );
+		if ( false !== $enqueued_value ) {
+			return $enqueued_value;
+		}
+
+		if ( ! isset( $this->attributes[ $comparable ] ) ) {
+			return null;
+		}
+
+		$attribute = $this->attributes[ $comparable ];
+		if ( true === $attribute->is_true ) {
+			return true;
+		}
+
+		$raw_value = substr( $this->html, $attribute->value_starts_at, $attribute->value_length );
+		$raw_value = str_replace( "\r\n", "\n", $raw_value );
+		$raw_value = str_replace( "\r", "\n", $raw_value );
+
+		return WP_HTML_Decoder::decode_attribute( $raw_value );
+	}
+
 	/**
 	 * Gets lowercase names of all attributes matching a given prefix in the current tag.
 	 *

tests/phpunit/tests/html-api/wpHtmlProcessor-serialize.php

@@ -547,6 +547,58 @@ public static function data_provider_decoded_carriage_returns() {
 		);
 	}
 
+	/**
+	 * Ensures that raw carriage returns in attribute values are serialized as line feeds.
+	 *
+	 * @ticket 65372
+	 *
+	 * @dataProvider data_provider_raw_attribute_carriage_returns
+	 *
+	 * @param string $input    HTML input containing raw carriage returns.
+	 * @param string $expected Expected normalized output.
+	 */
+	public function test_normalize_serializes_raw_attribute_carriage_returns_as_line_feeds( string $input, string $expected ) {
+		$normalized = WP_HTML_Processor::normalize( $input );
+
+		$this->assertSame( $expected, $normalized, 'Should have serialized raw attribute carriage returns as line feeds.' );
+		$this->assertSame(
+			$expected,
+			WP_HTML_Processor::normalize( $normalized ),
+			'Normalizing already-normalized HTML should not change raw attribute newlines.'
+		);
+	}
+
+	/**
+	 * Data provider.
+	 *
+	 * @return array[]
+	 */
+	public static function data_provider_raw_attribute_carriage_returns() {
+		return array(
+			'Raw carriage return' => array( "<p title=\"a\rb\"></p>", "<p title=\"a\nb\"></p>" ),
+			'Raw CRLF pair'       => array( "<p title=\"a\r\nb\"></p>", "<p title=\"a\nb\"></p>" ),
+		);
+	}
+
+	/**
+	 * Ensures that raw carriage returns are normalized before class updates are serialized.
+	 *
+	 * @ticket 65372
+	 */
+	public function test_serialize_token_normalizes_raw_class_carriage_returns_before_class_updates() {
+		$processor = WP_HTML_Processor::create_fragment( "<p class=\"a\rb\"></p>" );
+
+		$this->assertTrue( $processor->next_tag( 'P' ), 'Should find the P element.' );
+
+		$processor->add_class( 'c' );
+
+		$this->assertSame(
+			"<p class=\"a\nb c\">",
+			$processor->serialize_token(),
+			'Should have serialized raw class carriage returns as line feeds before adding classes.'
+		);
+	}
+
 	/**
 	 * Data provider.
 	 *