This updates `wp_get_loading_optimization_attributes()` and `wp_maybe_add_fetchpriority_high_attr()` to account for cases where an `IMG` has `fetchpriority=low` or `fetchpriority=auto`:
* `IMG` tags with `fetchpriority=low` are not lazy-loaded since they may be in a Navigation overlay, Details block, or Accordion Item block and need to be loaded the instant the user toggles the block.
* `IMG` tags with `fetchpriority=auto` do not increase the media count since they may be hidden in a viewport by block visibility settings.
* Blocks with conditional visibility (such as hidden on mobile or desktop) now automatically add `fetchpriority="auto"` to their contained `IMG` tags to prevent them from erroneously receiving `fetchpriority=high` or affecting the lazy-loading of subsequent images.
* An `IMG` with `fetchpriority=auto` which also surpasses the `wp_min_priority_img_pixels` threshold will prevent a subsequent image from getting `fetchpriority=high`.
Developed in https://github.com/WordPress/wordpress-develop/pull/11196
Includes backport of [https://github.com/WordPress/gutenberg/pull/76302 Gutenberg#76302].
See related Gutenberg issues:
- [https://github.com/WordPress/gutenberg/issues/76181 76181]: Image in navigation overlay can get `fetchpriority=high` and degrade LCP metric for page.
- [https://github.com/WordPress/gutenberg/issues/76268 76268]: Image in collapsed Details block may erroneously get `fetchpriority=high` even though hidden.
- [https://github.com/WordPress/gutenberg/issues/76301 76301]: Block Visibility: `IMG` in viewport-conditional block may get `fetchpriority=high` even when not displayed.
- [https://github.com/WordPress/gutenberg/issues/76335 76335]: Image in collapsed Accordion block may erroneously get `fetchpriority=high` even though hidden.
Follow-up to r56347, r56037.
Props westonruter, mukesh27, ramonopoly, wildworks.
See #58235.
Fixes#64823.
Built from https://develop.svn.wordpress.org/trunk@61934
git-svn-id: http://core.svn.wordpress.org/trunk@61216 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This change introduces PHPStan static analysis configured at [https://phpstan.org/user-guide/rule-levels rule level 0], which includes: "basic checks, unknown classes, unknown functions, unknown methods called on `$this`, wrong number of arguments passed to those methods and functions, always undefined variables". Contributors may elect for a higher PHPStan rule level by creating a `phpstan.neon` which overrides `phpstan.neon.dist`.
* Fix various PHPStan level 0 errors by adding `@phpstan-ignore` comments, updating PHPDoc types, and adding missing return values.
* Remove existing `@phpstan-ignore` comments that are now obsolete or inapplicable for level 0.
* Add a new GitHub Actions workflow for PHPStan Static Analysis. Reports are currently provided as warnings with inline annotations in pull requests and do not fail the build.
* Add a `phpstan` Grunt task and include it in the `precommit:php` task to run before `phpunit`.
* Introduce a `typecheck:php` npm script and a `composer phpstan` script to run analysis in local development environments.
* Add documentation for PHPStan usage in `tests/phpstan/README.md`.
Developed in https://github.com/WordPress/wordpress-develop/pull/10419
Props justlevine, westonruter, johnbillion, desrosj, SirLouen, dmsnell, oglekler, joehoyle, jorbin.
See #64238, #63268, #52217, #51423.
Fixes#61175.
Built from https://develop.svn.wordpress.org/trunk@61699
git-svn-id: http://core.svn.wordpress.org/trunk@61007 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When setting JavaScript or JSON script tag content, automatically escape sequences like `<script>` and `</script>`. This renders the content safe for HTML. The semantics of any JSON and virtually any JavaScript are preserved.
Script type detection follows the HTML standard for identifying JavaScript and JSON script tags. Other script types continue to reject potentially dangerous content.
Developed in https://github.com/WordPress/wordpress-develop/pull/10635.
Props jonsurrell, dmsnell, westonruter.
Fixes#64419. See #63851, #51159.
Built from https://develop.svn.wordpress.org/trunk@61477
git-svn-id: http://core.svn.wordpress.org/trunk@60789 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Some class names with HTML character references could be mishandled, for example:
- Failure to remove an existing class like `&` with `::remove_class( '&' )`
- Double-encoding of an existing class like `&` after a modification, becoming `&`
The second case manifested after double-encoding prevention was removed from `::set_attribute()` in [60919].
Developed in https://github.com/WordPress/wordpress-develop/pull/10591.
Props jonsurrell, dmsnell.
Fixes#64340.
Built from https://develop.svn.wordpress.org/trunk@61346
git-svn-id: http://core.svn.wordpress.org/trunk@60658 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The HTML API has relied upon a single PCRE to determine whether to allow setting certain attribute names. This was because those names aren’t allowed to contain Unicode noncharacters, but detecting noncharacters without a UTF-8 parser is nontrivial.
In this change the direct PCRE has been replaced with a number of `strcpn()` calls and a call to the newer `wp_has_noncharacters()` function. Under the hood, this function will still defer to a PCRE if Unicode support is available, but otherwise will fall back to the UTF-8 pipeline in Core.
This change removes the platform variability, making the HTML API more reliable when Unicode support for PCRE is lacking.
Developed in https://github.com/WordPress/wordpress-develop/pull/9798
Discussed in https://core.trac.wordpress.org/ticket/63863
See #63863.
Built from https://develop.svn.wordpress.org/trunk@61003
git-svn-id: http://core.svn.wordpress.org/trunk@60339 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The HTML API has relied on `esc_attr()` and `esc_html()` when setting string attribute values or the contents of modifiable text. This leads to unexpected behavior when those functions attempt to prevent double-escaping of existing character references, and it can make certain contents impossible to represent.
After this change, the HTML API will reliably escape all submitted plaintext such that it appears in the browser the way it was submitted to the HTML API, with all character references escaped. This does not change the behavior of how URL attributes are escaped.
Developed in https://github.com/WordPress/wordpress-develop/pull/10143
Discussed in https://core.trac.wordpress.org/ticket/64054
Props dmsnell, jonsurrell, westonruter.
Fixes#64054.
Built from https://develop.svn.wordpress.org/trunk@60919
git-svn-id: http://core.svn.wordpress.org/trunk@60255 1a063a9b-81f0-0310-95a4-ce76da25c4cd
PHP 8.5 deprecates the `__sleep()` and `__wakeup()` magic methods in favor of `__serialize()` and `__unserialize()`:
> `Deprecated: The __wakeup() serialization magic method has been deprecated. Implement __unserialize() instead (or in addition, if support for old PHP versions is necessary)`
For PHP < 7.4 compatibility, `__sleep()` and `__wakeup()` need to be kept for the time being.
This commit moves the logic of `__wakeup()` methods in core to `__unserialize()`, and turns the former into wrappers. WordPress core does not use `__sleep()` methods, so these are the only changes required.
Reference: [https://wiki.php.net/rfc/deprecations_php_8_5#deprecate_the_sleep_and_wakeup_magic_methods PHP RFC: Deprecations for PHP 8.5: Deprecate the __sleep() and __wakeup() magic methods].
Follow-up to [56835], [60787], [60795].
Props TobiasBg, tusharbharti, swissspidy, dmsnell, SergeyBiryukov.
Fixes#63962. See #63061.
Built from https://develop.svn.wordpress.org/trunk@60796
git-svn-id: http://core.svn.wordpress.org/trunk@60132 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The serialize_token() method was added in WordPress 6.7.0 as a protected member on the WP_HTML_Processor class. It wasn’t clear at the time of merging if it would be necessary to expose it as a public method. However, since that time a number of experiments have led to the conclusion that it would be very valuable to do so.
This patch opens up the method for invocation from the outside, trivializing the generation of normative HTML subspans from a parent document.
Developed in https://github.com/WordPress/wordpress-develop/pull/9456
Discussed in https://core.trac.wordpress.org/ticket/63823
Follow-up to [59076].
Props dmsnell, jonsurrell.
Fixes#38044.
Built from https://develop.svn.wordpress.org/trunk@60633
git-svn-id: http://core.svn.wordpress.org/trunk@59969 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When originally committed, this code was targeting 6.7.1. However, it was not backported and included in 6.7.1. Will this be followed up by another version change? You'll need to stay tuned to next week's episode of "As the WordPress Turns" to find out!
Follow-up to [59285] and [59364].
See #62270.
Built from https://develop.svn.wordpress.org/trunk@59747
git-svn-id: http://core.svn.wordpress.org/trunk@59089 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Fixes the issue when an HTML_Processor bookmark was set at a virtual token (a node in the resulting document that does not correspond to an HTML token present in the input string), seek behavior was unreliable.
Props jonsurrell, gziolo.
Fixes#62521.
Built from https://develop.svn.wordpress.org/trunk@59502
git-svn-id: http://core.svn.wordpress.org/trunk@58888 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The HTML specification does not close HTML or BODY tags (pop them off the stack of open elements) when their tag closers are encountered. The HTML processor correctly handled this behavior, however it incorrectly "paused" by returning true from the step functions.
Props jonsurrell, dmsnell, gziolo.
Fixes#62583.
Built from https://develop.svn.wordpress.org/trunk@59500
git-svn-id: http://core.svn.wordpress.org/trunk@58886 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The current implementation of `create_fragment` (and the underlying `create_fragment_at_current_node`) allows passing in a context that might result in a tree that cannot be represented by HTML. For example, a user might use `<p>` as context, and attempt to create a fragment that also consists of a paragraph element, `<p>like this`. This would result in a paragraph node nested inside another -- something that can never result from parsing HTML.
To prevent this, this changeset makes `create_fragment_at_current_node` private and limits `create_fragment` to only `<body>` as context, while a comprehensive solution to allow other contexts is being worked on.
Follow-up to [59444], [59467].
Props jonsurrell, dmsnell, bernhard-reiter.
Fixes#62584.
Built from https://develop.svn.wordpress.org/trunk@59469
git-svn-id: http://core.svn.wordpress.org/trunk@58855 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset modifies `WP_HTML_Processor::create_fragment( $html, $context )` to use a full processor and `create_fragment_at_node` instead of the other way around. This makes more sense and makes the main factory methods more clear, where the state required for fragments is set up in `create_fragment_at_node` instead of in both `create_fragment` and `create_fragment_at_current_node`.
This allows for more HTML contexts to be provided to the basic `create_fragment` where the provided context HTML is appended to `<!DOCTYPE html>`, a full processor is created, the last tag opener is found, and a fragment parser is created at that node via `create_fragment_at_current_node`.
The HTML5lib tests are updated accordingly to use this new method to create fragments.
Props jonsurrell, dmsnell, bernhard-reiter.
Fixes#62584.
Built from https://develop.svn.wordpress.org/trunk@59467
git-svn-id: http://core.svn.wordpress.org/trunk@58853 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Fixes a missing "D" in the character list used by strspn to find tag openers, causing tags starting with D to be skipped by the tag processor in some circumstances.
Follow-up to [58613].
Props jonsurrell, santosguillamot, wongjn, cbravobernal.
Fixes#62522.
Built from https://develop.svn.wordpress.org/trunk@59464
git-svn-id: http://core.svn.wordpress.org/trunk@58850 1a063a9b-81f0-0310-95a4-ce76da25c4cd
HTML Fragment parsing always happens with a context node, which may impact how a fragment of HTML is parsed. HTML Fragment Processors can be instantiated with a `BODY` context node via `WP_HTML_Processor::create_fragment( $html )`.
This changeset adds a static method called `create_fragment_at_current_node( string $html_fragment )`. It can only be called when the processor is paused at a `#tag`, with some additional constraints:
- The opening and closing tags must appear in the HTML input (no virtual tokens).
- No "self-contained" elements are allowed ( `IFRAME`, `SCRIPT`, `TITLE`, etc.).
If successful, the method will return a `WP_HTML_Processor` instance whose context is inherited from the node that the method was called from.
Props jonsurrell, bernhard-reiter, gziolo.
Fixes#62357.
Built from https://develop.svn.wordpress.org/trunk@59444
git-svn-id: http://core.svn.wordpress.org/trunk@58830 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Changeset [59399] fixed missing DOCTYPEs in normalized HTML output. It missed an edge case where public and system identifiers may contain double quotes, in which case they must be quoted with single quotes.
This commit addresses that issue and adds tests.
Follow-up to [59399].
Props jonsurrell, luisherranz, apermo.
Fixes#62396.
Built from https://develop.svn.wordpress.org/trunk@59410
git-svn-id: http://core.svn.wordpress.org/trunk@58796 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Output DOCTYPE when calling `WP_HTML_Processor::serialize` on a full document that includes a DOCTYPE.
The DOCTYPE should be included in the serialized/normalized HTML output as it has an impact in how the document is handled, in particular whether the document should be handled in quirks or no-quirks mode.
This only affects the serialization of full parsers at this time because DOCTYPE tokens are currently ignored in all possible fragments. The omission of the DOCTYPE is subtle but can change the serialized document's quirks/no-quirks mode.
Props jonsurrell.
Fixes#62396.
Built from https://develop.svn.wordpress.org/trunk@59399
git-svn-id: http://core.svn.wordpress.org/trunk@58785 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When the HTML Processor seeks to an earlier place, it returns the the beginning of the document and proceeds forward until it reaches the appropriate location. This requires resetting internal state so that the processor can correctly proceed from the beginning of the document.
The seeking reset logic was not adapted to account for the full processor (i.e. when created via `WP_HTML_Processor::create_full_parser()`). This change updates the seek logic to account for the full and fragment parsers as well as other state that has been introduced in the interim and should be reset.
Props jonsurrell, dmsnell, westonruter, mi5t4n.
Fixes#62290.
Built from https://develop.svn.wordpress.org/trunk@59391
git-svn-id: http://core.svn.wordpress.org/trunk@58777 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Break out logic from the `next_token()` method into a private method which may call itself recursively. This allows for subclasses to override the `next_token()` method and be assured that each call to `next_token()` corresponds with the consumption of one single token. This also parallels how `WP_HTML_Tag_Processor::next_token()` wraps a private `base_class_next_token()` method.
Props westonruter, jonsurrell.
Fixes#62269.
Built from https://develop.svn.wordpress.org/trunk@59285
git-svn-id: http://core.svn.wordpress.org/trunk@58677 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When encountering inline SVG and MathML content in an HTML document, there are certain "integration points" which transition back into the HTML parsing ruleset. Previously, the HTML API was incorrectly switching into the namespace of the element transitioning into that ruleset.
In this patch, the correct transition is made, where all integration points refer to HTML rules, while non-integration points refer to the rules of the namespace corresponding to the token itself.
Developed in https://github.com/wordpress/wordpress-develop/pull/7425
Discussed in https://core.trac.wordpress.org/ticket/61576
Props dmsnell, jonsurrell.
See #61576.
Built from https://develop.svn.wordpress.org/trunk@59099
git-svn-id: http://core.svn.wordpress.org/trunk@58495 1a063a9b-81f0-0310-95a4-ce76da25c4cd
HTML often appears in ways that are unexpected. It may be missing implicit tags, may have unquoted, single-quoted, or double-quoted attributes, may contain duplicate attributes, may contain unescaped text content, or any number of other possible invalid constructions. The HTML API understands all fo these inputs, but downline parsers may not, and HTML snippets which are safe on their own may introduce problems when joined with other HTML snippets.
This patch introduces the `serialize()` method on the HTML Processor, which prints a fully-normative HTML output, eliminating invalid markup along the way. It produces a string which contains every missing tag, double-quoted attributes, and no duplicates. A `normalize()` static method on the HTML Processor provides a convenient wrapper for constructing a fragment parser and immediately serializing.
Subclasses relying on the `serialize_token()` method may perform structural HTML modifications with as much security as the upcoming `\Dom\HTMLDocument()` parser will, though these are not
able to provide the full safety that will eventually appear with `set_inner_html()`.
Further work may explore serializing to XML (which involves a number of other important transformations) and adding constraints to serialization (such as only allowing inline/flow/formatting elements and text).
Developed in https://github.com/wordpress/wordpress-develop/pull/7331
Discussed in https://core.trac.wordpress.org/ticket/62036
Props dmsnell, jonsurrell, westonruter.
Fixes#62036.
Built from https://develop.svn.wordpress.org/trunk@59076
git-svn-id: http://core.svn.wordpress.org/trunk@58472 1a063a9b-81f0-0310-95a4-ce76da25c4cd
