php – Why is kses removing semicolons from inline style?

I have a validation function that uses wp_kses, and it works as expected for removing code from input if it’s relatively simple code, yet it is also removing semicolons from inline styles. (In <h1 style="color: red;">the name</h1>, the semicolon after the word ‘red’ is removed.) The documentation makes no mention of this behavior. Is this a bug? Below is my actual code using kses. Can anyone tell me how I can change my code so that kses doesn’t remove the semicolons?

function sanitize_name($valid, $value, $field, $input) {

    if( $valid !== true ) {
        return $valid;
    }

    $allowed = array( 
        'h1' => array(
            'style' => array(),
        ),
        'h2' => array(),
        'h3' => array(),
        'h4' => array(),
        'h5' => array(),
        'h6' => array(),
        'p' => array(),
        'br' => array(),
        'strong' => array(),
        'b' => array(),
        'em' => array(),
        'ul' => array(),
        'li' => array(),
        'ol' => array(),
        'div' => array(),
        'span' => array(),
        'pre' => array(),
        'button' => array(),
        'svg' => array(),
        'blockquote' => array(),
        'a' => array(),
        'i' => array(),
        'sup' => array(),
        'sub' => array()
    );

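    // Sanitize the submitted value against the allow-list above.
    $value2 = wp_kses( $value, $allowed );

    // Reject the submission when sanitizing changed the (unslashed) input.
    if ( strcmp( stripslashes( $value ), $value2) !== 0 ) {
        // The raw input is escaped before it is echoed back, so the
        // markup that was just rejected is shown as text, not rendered.
        return 'Please remove the disallowed HTML from this field to submit.<br />
        Entered:' . esc_html( stripslashes($value) ) . '<br />
        <p>Cleaned:</p>' . $value2;
    }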

    return $valid;
}
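
An added example, not part of the original question and not WordPress's own code: a simplified standalone model of a style filter of the kind wp_kses applies to `style` values (`safecss_filter_attr()`), which splits the value on semicolons and rejoins only the declarations it keeps. Under that model a trailing `;` disappears even when nothing was disallowed, so a byte-for-byte comparison with the raw input reports a rejection that did not happen. The allow-list, function names and sample inputs are assumptions made for the demonstration.

```php
<?php
// Simplified model for illustration only (assumption: a tiny allow-list).
const DEMO_ALLOWED_PROPS = ['color', 'font-size', 'text-align'];

/** Split a style value on ';', keep allow-listed declarations, rejoin with ';'. */
function model_style_filter(string $css): string {
    $kept = [];
    foreach (explode(';', trim($css)) as $decl) {
        $decl = trim($decl);
        if ($decl === '' || strpos($decl, ':') === false) {
            continue; // empty piece left by a trailing ';', or malformed
        }
        [$prop] = explode(':', $decl, 2);
        if (in_array(strtolower(trim($prop)), DEMO_ALLOWED_PROPS, true)) {
            $kept[] = $decl;
        }
    }
    // No separator is appended after the last declaration.
    return implode(';', $kept);
}

/** True only when a declaration was dropped, not when the value was merely re-serialised. */
function style_was_altered(string $css): bool {
    $pieces    = array_filter(array_map('trim', explode(';', $css)), 'strlen');
    $canonical = implode(';', $pieces);
    return $canonical !== model_style_filter($css);
}

// Constructed sample inputs.
$samples = [
    'color: red;',                  // trailing semicolon only
    'color: red',                   // already canonical
    'color: red; position: fixed;', // second property is not allow-listed
];

foreach ($samples as $css) {
    printf(
        "%-30s => %-12s altered=%s\n",
        $css,
        model_style_filter($css),
        style_was_altered($css) ? 'yes' : 'no'
    );
}
```

A validation check built on this idea compares canonical forms, or simply stores the sanitized value, instead of treating any difference from the raw input as disallowed HTML.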
