Add attribute placeholder extraction with context promotion

sirreal · sirreal · commit f837c75a465b · 2026-02-05T09:42:22.000+01:00
Extract placeholders from attribute values using regex. When a
placeholder appears in both text and attribute contexts, promote
to attribute context (more restrictive escaping applies everywhere).
diff --git a/src/wp-includes/html-api/class-wp-html-template.php b/src/wp-includes/html-api/class-wp-html-template.php
@@ -109,6 +109,56 @@ public function get_tag_attributes(): array {
 
 					$this->compiled[ $placeholder ]['offsets'][] = array( $start, $length );
 					break;
+
+				case '#tag':
+					if ( $processor->is_tag_closer() ) {
+						break;
+					}
+
+					$html = $processor->get_html();
+					foreach ( $processor->get_tag_attributes() as $attribute ) {
+						// Boolean attributes cannot contain placeholders.
+						if ( $attribute->is_true ) {
+							continue;
+						}
+						// At least `</%x>` to contain a placeholder.
+						if ( $attribute->value_length < 5 ) {
+							continue;
+						}
+
+						$offset = $attribute->value_starts_at;
+						$end    = $offset + $attribute->value_length;
+
+						while (
+							1 === preg_match(
+								'#</%[ \\t\\r\\f\\n]*([a-z0-9_-]+)[ \\t\\r\\f\\n]*>#i',
+								$html,
+								$matches,
+								PREG_OFFSET_CAPTURE,
+								$offset
+							)
+							&& $matches[0][1] < $end
+						) {
+							$placeholder  = $matches[1][0];
+							$match_start  = $matches[0][1];
+							$match_length = strlen( $matches[0][0] );
+
+							if ( ! isset( $this->compiled[ $placeholder ] ) ) {
+								$this->compiled[ $placeholder ] = array(
+									'offsets' => array(),
+									'context' => 'attribute',
+								);
+							} else {
+								// Promote text context to attribute context.
+								$this->compiled[ $placeholder ]['context'] = 'attribute';
+							}
+
+							$this->compiled[ $placeholder ]['offsets'][] = array( $match_start, $match_length );
+
+							$offset = $match_start + $match_length;
+						}
+					}
+					break;
 			}
 		}
 	}
diff --git a/tests/phpunit/tests/html-api/wpHtmlTemplate.php b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
@@ -809,4 +809,43 @@ public function test_extracts_repeated_text_placeholders() {
 		$this->assertArrayHasKey( 'name', $placeholders );
 		$this->assertCount( 2, $placeholders['name']['offsets'] );
 	}
+
+	/**
+	 * Verifies attribute placeholders are extracted.
+	 *
+	 * @ticket 60229
+	 *
+	 * @covers ::get_placeholders
+	 */
+	public function test_extracts_attribute_placeholders() {
+		$template = T::from( '<meta name="</%n>" content="</%c>">' );
+
+		$placeholders = $template->get_placeholders();
+
+		$this->assertArrayHasKey( 'n', $placeholders );
+		$this->assertArrayHasKey( 'c', $placeholders );
+		$this->assertSame( 'attribute', $placeholders['n']['context'] );
+		$this->assertSame( 'attribute', $placeholders['c']['context'] );
+	}
+
+	/**
+	 * Verifies context promotion from text to attribute.
+	 *
+	 * When a placeholder appears in both text and attribute contexts,
+	 * the attribute context takes precedence (more restrictive escaping).
+	 *
+	 * @ticket 60229
+	 *
+	 * @covers ::get_placeholders
+	 */
+	public function test_context_promotion_text_to_attribute() {
+		$template = T::from( '<a href="</%url>"></%url></a>' );
+
+		$placeholders = $template->get_placeholders();
+
+		$this->assertArrayHasKey( 'url', $placeholders );
+		// Both occurrences should use attribute context
+		$this->assertSame( 'attribute', $placeholders['url']['context'] );
+		$this->assertCount( 2, $placeholders['url']['offsets'] );
+	}
 }
