wp_kses_one_attr

The timeline below shows how the WordPress function wp_kses_one_attr has changed across WordPress versions. If a version is not listed, refer to the next available version below it.

WordPress Version: 6.3

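/**
 * Filters one HTML attribute and ensures its value is allowed.
 *
 * This function can escape data in some situations where `wp_kses()` must strip the whole attribute.
 *
 * Processing order, as implemented below: NUL handling via wp_kses_no_null(),
 * esc_attr() on the value, wp_kses_bad_protocol() when the lower-cased name is
 * listed by wp_kses_uri_attributes(), then wp_kses_attr_check() against the
 * 'post' context of wp_kses_allowed_html(). The context is fixed to 'post' and
 * cannot be chosen by the caller.
 *
 * An empty string is returned when the input cannot be split, or when a value
 * starts with a quote character that is not closed by a second, matching quote
 * at the end of the value.
 *
 * @since 4.2.3
 *
 * @param string $attr    The 'whole' attribute, including name and value.
 * @param string $element The HTML element name to which the attribute belongs.
 * @return string Filtered attribute.
 */
function wp_kses_one_attr($attr, $element)
{
    $uris = wp_kses_uri_attributes();
    $allowed_html = wp_kses_allowed_html('post');
    $allowed_protocols = wp_allowed_protocols();
    $attr = wp_kses_no_null($attr, array('slash_zero' => 'keep'));
    /*
     * Preserve leading and trailing whitespace.
     * The leading run is removed before the trailing run is measured, so a
     * whitespace-only input is not counted as both lead and trail and then
     * returned twice.
     */
    $matches = array();
    preg_match('/^\s*/', $attr, $matches);
    $lead = isset($matches[0]) ? $matches[0] : '';
    $attr = (string) substr($attr, strlen($lead));
    preg_match('/\s*$/', $attr, $matches);
    $trail = isset($matches[0]) ? $matches[0] : '';
    if ('' !== $trail) {
        $attr = substr($attr, 0, -strlen($trail));
    }
    // Parse attribute name and value from input.
    $split = preg_split('/\s*=\s*/', $attr, 2);
    if (false === $split) {
        // Fail closed: if the split itself fails nothing was parsed, so nothing is emitted.
        return '';
    }
    $name = $split[0];
    if (count($split) === 2) {
        $value = $split[1];
        /*
         * Remove quotes surrounding $value.
         * Also guarantee correct quoting in $attr for this one attribute.
         */
        if ('' === $value) {
            $quote = '';
        } else {
            $quote = $value[0];
        }
        if ('"' === $quote || "'" === $quote) {
            // A value that is only the quote character has an opening quote and no closing one.
            if (strlen($value) < 2 || !str_ends_with($value, $quote)) {
                return '';
            }
            $value = substr($value, 1, -1);
        } else {
            // Unquoted values are re-emitted inside double quotes.
            $quote = '"';
        }
        // Sanitize quotes, angle braces, and entities.
        $value = esc_attr($value);
        // Sanitize URI values. The protocol check runs on the already-escaped value.
        if (in_array(strtolower($name), $uris, true)) {
            $value = wp_kses_bad_protocol($value, $allowed_protocols);
        }
        $attr = "{$name}={$quote}{$value}{$quote}";
        $vless = 'n';
    } else {
        $value = '';
        $vless = 'y';
    }
    /*
     * Sanitize attribute by name.
     * NOTE(review): the return value is not used, and $name is placed into
     * $attr above without escaping. The attribute is only dropped if
     * wp_kses_attr_check() changes $name/$value/$attr through by-reference
     * parameters; its definition is outside this listing, so confirm there.
     */
    wp_kses_attr_check($name, $value, $attr, $vless, $element, $allowed_html);
    // Restore whitespace.
    return $lead . $attr . $trail;
}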

WordPress Version: 6.2

/**
 * Filters one HTML attribute and ensures its value is allowed.
 *
 * This function can escape data in some situations where `wp_kses()` must strip the whole attribute.
 *
 * The value is escaped with esc_attr(); URI-type attributes are also passed
 * through wp_kses_bad_protocol(); the attribute is then checked with
 * wp_kses_attr_check() against the 'post' allowed-HTML context. An empty
 * string is returned when a value starts with a quote character but does not
 * end with the same one.
 *
 * @since 4.2.3
 *
 * @param string $attr    The 'whole' attribute, including name and value.
 * @param string $element The HTML element name to which the attribute belongs.
 * @return string Filtered attribute.
 */
function wp_kses_one_attr($attr, $element)
{
    // Lookups happen up front, in this order, before any parsing.
    $uri_attributes = wp_kses_uri_attributes();
    $allowed_html = wp_kses_allowed_html('post');
    $protocols = wp_allowed_protocols();

    $attr = wp_kses_no_null($attr, array('slash_zero' => 'keep'));

    // Set the surrounding whitespace aside; it is glued back on at the end.
    $leading = array();
    $trailing = array();
    preg_match('/^\s*/', $attr, $leading);
    preg_match('/\s*$/', $attr, $trailing);
    $lead = $leading[0];
    $trail = $trailing[0];
    $attr = empty($trail)
        ? substr($attr, strlen($lead))
        : substr($attr, strlen($lead), -strlen($trail));

    // At most one split on "=": element 0 is the name, element 1 (if any) the raw value.
    $parts = preg_split('/\s*=\s*/', $attr, 2);
    $name = $parts[0];

    if (count($parts) == 2) {
        $value = $parts[1];

        // The first character of a non-empty value decides whether it is treated as quoted.
        $quote = ('' === $value) ? '' : $value[0];
        $quoted = ('"' === $quote || "'" === $quote);

        // An opening quote without the same closing quote rejects the whole attribute.
        if ($quoted && substr($value, -1) != $quote) {
            return '';
        }

        if ($quoted) {
            $value = substr($value, 1, -1);
        } else {
            // Unquoted (or empty) values are emitted inside double quotes.
            $quote = '"';
        }

        // Sanitize quotes, angle braces, and entities.
        $value = esc_attr($value);

        // URI-type attributes also get protocol filtering, applied to the escaped value.
        if (in_array(strtolower($name), $uri_attributes, true)) {
            $value = wp_kses_bad_protocol($value, $protocols);
        }

        // Rebuild the attribute with consistent quoting.
        $attr = $name . '=' . $quote . $value . $quote;
        $vless = 'n';
    } else {
        $value = '';
        $vless = 'y';
    }

    // NOTE(review): the return value of wp_kses_attr_check() is not used. The attribute is
    // only dropped if that function changes $name/$value/$attr through by-reference
    // parameters; its definition is outside this listing, so confirm there.
    wp_kses_attr_check($name, $value, $attr, $vless, $element, $allowed_html);

    // Restore whitespace.
    return $lead . $attr . $trail;
}

WordPress Version: 5.5

/**
 * Filters one HTML attribute and ensures its value is allowed.
 *
 * This function can escape data in some situations where `wp_kses()` must strip the whole attribute.
 *
 * The value is escaped with esc_attr(); URI-type attributes are also passed
 * through wp_kses_bad_protocol(); the attribute is then checked with
 * wp_kses_attr_check() against the 'post' allowed-HTML context. An empty
 * string is returned when a value starts with a quote character but does not
 * end with the same one.
 *
 * @since 4.2.3
 *
 * @param string $string  The 'whole' attribute, including name and value.
 * @param string $element The HTML element name to which the attribute belongs.
 * @return string Filtered attribute.
 */
function wp_kses_one_attr($string, $element)
{
    $uri_names = wp_kses_uri_attributes();
    $allowed_html = wp_kses_allowed_html('post');
    $protocol_list = wp_allowed_protocols();
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));

    // Remember the whitespace at both ends so it can be handed back unchanged.
    $found = array();
    preg_match('/^\s*/', $string, $found);
    $lead = $found[0];
    preg_match('/\s*$/', $string, $found);
    $trail = $found[0];
    $offset = strlen($lead);
    if (!empty($trail)) {
        $string = substr($string, $offset, -strlen($trail));
    } else {
        $string = substr($string, $offset);
    }

    // Split once on "=" (optional whitespace around it): name first, raw value second.
    $pieces = preg_split('/\s*=\s*/', $string, 2);
    $name = $pieces[0];

    // Start from the valueless case; both are overwritten when a value is present.
    $value = '';
    $vless = 'y';

    if (2 == count($pieces)) {
        $value = $pieces[1];

        // The value's first character, if any, is the quote candidate.
        $quote = '';
        if ('' !== $value) {
            $quote = $value[0];
        }

        if ('"' !== $quote && "'" !== $quote) {
            // Not quoted in the input: the rebuilt attribute uses double quotes.
            $quote = '"';
        } else {
            // Quoted: the same character must close the value, else reject the attribute.
            if (substr($value, -1) != $quote) {
                return '';
            }
            $value = substr($value, 1, -1);
        }

        // Sanitize quotes, angle braces, and entities.
        $value = esc_attr($value);

        // Protocol filtering for URI attributes runs on the already-escaped value.
        if (in_array(strtolower($name), $uri_names, true)) {
            $value = wp_kses_bad_protocol($value, $protocol_list);
        }

        // Rebuild the attribute with consistent quoting.
        $string = sprintf('%s=%s%s%s', $name, $quote, $value, $quote);
        $vless = 'n';
    }

    // NOTE(review): the return value of wp_kses_attr_check() is not used. The attribute is
    // only dropped if that function changes $name/$value/$string through by-reference
    // parameters; its definition is outside this listing, so confirm there.
    wp_kses_attr_check($name, $value, $string, $vless, $element, $allowed_html);

    // Restore whitespace.
    return $lead . $string . $trail;
}

WordPress Version: 5.1

/**
 * Filters one HTML attribute and ensures its value is allowed.
 *
 * This function can escape data in some situations where `wp_kses()` must strip the whole attribute.
 *
 * The value is escaped with esc_attr(); URI-type attributes are also passed
 * through wp_kses_bad_protocol(); the attribute is then checked with
 * wp_kses_attr_check() against the 'post' allowed-HTML context. An empty
 * string is returned when a value starts with a quote character but does not
 * end with the same one.
 *
 * @since 4.2.3
 *
 * @param string $string  The 'whole' attribute, including name and value.
 * @param string $element The HTML element name to which the attribute belongs.
 * @return string Filtered attribute.
 */
function wp_kses_one_attr($string, $element)
{
    // Lookups happen up front, in this order, before any parsing.
    $uri_attributes = wp_kses_uri_attributes();
    $allowed_html = wp_kses_allowed_html('post');
    $protocols = wp_allowed_protocols();

    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));

    // Set the surrounding whitespace aside; it is glued back on at the end.
    $leading = array();
    $trailing = array();
    preg_match('/^\s*/', $string, $leading);
    preg_match('/\s*$/', $string, $trailing);
    $lead = $leading[0];
    $trail = $trailing[0];
    $string = empty($trail)
        ? substr($string, strlen($lead))
        : substr($string, strlen($lead), -strlen($trail));

    // At most one split on "=": element 0 is the name, element 1 (if any) the raw value.
    $parts = preg_split('/\s*=\s*/', $string, 2);
    $name = $parts[0];

    if (count($parts) == 2) {
        $value = $parts[1];

        // The first character of a non-empty value decides whether it is treated as quoted.
        $quote = ('' == $value) ? '' : $value[0];
        $quoted = ('"' == $quote || "'" == $quote);

        // An opening quote without the same closing quote rejects the whole attribute.
        if ($quoted && substr($value, -1) != $quote) {
            return '';
        }

        if ($quoted) {
            $value = substr($value, 1, -1);
        } else {
            // Unquoted (or empty) values are emitted inside double quotes.
            $quote = '"';
        }

        // Sanitize quotes, angle braces, and entities.
        $value = esc_attr($value);

        // URI-type attributes also get protocol filtering, applied to the escaped value.
        if (in_array(strtolower($name), $uri_attributes)) {
            $value = wp_kses_bad_protocol($value, $protocols);
        }

        // Rebuild the attribute with consistent quoting.
        $string = $name . '=' . $quote . $value . $quote;
        $vless = 'n';
    } else {
        $value = '';
        $vless = 'y';
    }

    // NOTE(review): the return value of wp_kses_attr_check() is not used. The attribute is
    // only dropped if that function changes $name/$value/$string through by-reference
    // parameters; its definition is outside this listing, so confirm there.
    wp_kses_attr_check($name, $value, $string, $vless, $element, $allowed_html);

    // Restore whitespace.
    return $lead . $string . $trail;
}

WordPress Version: 0.1

/**
 * Filters one attribute only and ensures its value is allowed.
 *
 * On top of running esc_attr() on the value, this function passes URI-type
 * attribute values through wp_kses_bad_protocol() and checks the attribute with
 * wp_kses_attr_check() against the 'post' allowed-HTML context. It can escape
 * data in some situations where wp_kses() must strip the whole attribute.
 *
 * An empty string is returned when a value starts with a quote character but
 * does not end with the same one.
 *
 * @since 4.2.3
 *
 * @param string $string The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute.
 */
function wp_kses_one_attr($string, $element)
{
    $uri_names = wp_kses_uri_attributes();
    $allowed_html = wp_kses_allowed_html('post');
    $protocol_list = wp_allowed_protocols();
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));

    // Remember the whitespace at both ends so it can be handed back unchanged.
    $found = array();
    preg_match('/^\s*/', $string, $found);
    $lead = $found[0];
    preg_match('/\s*$/', $string, $found);
    $trail = $found[0];
    $offset = strlen($lead);
    if (!empty($trail)) {
        $string = substr($string, $offset, -strlen($trail));
    } else {
        $string = substr($string, $offset);
    }

    // Split once on "=" (optional whitespace around it): name first, raw value second.
    $pieces = preg_split('/\s*=\s*/', $string, 2);
    $name = $pieces[0];

    // Start from the valueless case; both are overwritten when a value is present.
    $value = '';
    $vless = 'y';

    if (2 == count($pieces)) {
        $value = $pieces[1];

        // The value's first character, if any, is the quote candidate.
        $quote = '';
        if ('' != $value) {
            $quote = $value[0];
        }

        if ('"' != $quote && "'" != $quote) {
            // Not quoted in the input: the rebuilt attribute uses double quotes.
            $quote = '"';
        } else {
            // Quoted: the same character must close the value, else reject the attribute.
            if (substr($value, -1) != $quote) {
                return '';
            }
            $value = substr($value, 1, -1);
        }

        // Sanitize quotes, angle braces, and entities.
        $value = esc_attr($value);

        // Protocol filtering for URI attributes runs on the already-escaped value.
        if (in_array(strtolower($name), $uri_names)) {
            $value = wp_kses_bad_protocol($value, $protocol_list);
        }

        // Rebuild the attribute with consistent quoting.
        $string = sprintf('%s=%s%s%s', $name, $quote, $value, $quote);
        $vless = 'n';
    }

    // NOTE(review): the return value of wp_kses_attr_check() is not used. The attribute is
    // only dropped if that function changes $name/$value/$string through by-reference
    // parameters; its definition is outside this listing, so confirm there.
    wp_kses_attr_check($name, $value, $string, $vless, $element, $allowed_html);

    // Restore whitespace.
    return $lead . $string . $trail;
}

WordPress Version: 5.0

/**
 * Filters one attribute only and ensures its value is allowed.
 *
 * On top of running esc_attr() on the value, this function passes the values
 * of the URI-type attributes listed in its body through wp_kses_bad_protocol()
 * and checks the attribute with wp_kses_attr_check() against the 'post'
 * allowed-HTML context. It can escape data in some situations where wp_kses()
 * must strip the whole attribute.
 *
 * An empty string is returned when a value starts with a quote character but
 * does not end with the same one.
 *
 * @since 4.2.3
 *
 * @param string $string The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute.
 */
function wp_kses_one_attr($string, $element)
{
    // Attribute names whose values are treated as URIs. The list is fixed inside this
    // function; a name that is not listed here is not passed to wp_kses_bad_protocol() below.
    $uri_attributes = array(
        'xmlns',
        'profile',
        'href',
        'src',
        'cite',
        'classid',
        'codebase',
        'data',
        'usemap',
        'longdesc',
        'action',
    );
    $allowed_html = wp_kses_allowed_html('post');
    $protocols = wp_allowed_protocols();

    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));

    // Set the surrounding whitespace aside; it is glued back on at the end.
    $leading = array();
    $trailing = array();
    preg_match('/^\s*/', $string, $leading);
    preg_match('/\s*$/', $string, $trailing);
    $lead = $leading[0];
    $trail = $trailing[0];
    $string = empty($trail)
        ? substr($string, strlen($lead))
        : substr($string, strlen($lead), -strlen($trail));

    // At most one split on "=": element 0 is the name, element 1 (if any) the raw value.
    $parts = preg_split('/\s*=\s*/', $string, 2);
    $name = $parts[0];

    if (count($parts) == 2) {
        $value = $parts[1];

        // The first character of a non-empty value decides whether it is treated as quoted.
        $quote = ('' == $value) ? '' : $value[0];
        $quoted = ('"' == $quote || "'" == $quote);

        // An opening quote without the same closing quote rejects the whole attribute.
        if ($quoted && substr($value, -1) != $quote) {
            return '';
        }

        if ($quoted) {
            $value = substr($value, 1, -1);
        } else {
            // Unquoted (or empty) values are emitted inside double quotes.
            $quote = '"';
        }

        // Sanitize quotes, angle braces, and entities.
        $value = esc_attr($value);

        // Listed URI attributes also get protocol filtering, applied to the escaped value.
        if (in_array(strtolower($name), $uri_attributes)) {
            $value = wp_kses_bad_protocol($value, $protocols);
        }

        // Rebuild the attribute with consistent quoting.
        $string = $name . '=' . $quote . $value . $quote;
        $vless = 'n';
    } else {
        $value = '';
        $vless = 'y';
    }

    // NOTE(review): the return value of wp_kses_attr_check() is not used. The attribute is
    // only dropped if that function changes $name/$value/$string through by-reference
    // parameters; its definition is outside this listing, so confirm there.
    wp_kses_attr_check($name, $value, $string, $vless, $element, $allowed_html);

    // Restore whitespace.
    return $lead . $string . $trail;
}

WordPress Version: 9.9

/**
 * Filters one attribute only and ensures its value is allowed.
 *
 * On top of running esc_attr() on the value, this function passes URI-type
 * attribute values through wp_kses_bad_protocol() and checks the attribute with
 * wp_kses_attr_check() against the 'post' allowed-HTML context. It can escape
 * data in some situations where wp_kses() must strip the whole attribute.
 *
 * An empty string is returned when a value starts with a quote character but
 * does not end with the same one.
 *
 * @since 4.2.3
 *
 * @param string $string The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute.
 */
function wp_kses_one_attr($string, $element)
{
    // Lookups happen up front, in this order, before any parsing.
    $uri_attributes = wp_kses_uri_attributes();
    $allowed_html = wp_kses_allowed_html('post');
    $protocols = wp_allowed_protocols();

    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));

    // Set the surrounding whitespace aside; it is glued back on at the end.
    $leading = array();
    $trailing = array();
    preg_match('/^\s*/', $string, $leading);
    preg_match('/\s*$/', $string, $trailing);
    $lead = $leading[0];
    $trail = $trailing[0];
    $string = empty($trail)
        ? substr($string, strlen($lead))
        : substr($string, strlen($lead), -strlen($trail));

    // At most one split on "=": element 0 is the name, element 1 (if any) the raw value.
    $parts = preg_split('/\s*=\s*/', $string, 2);
    $name = $parts[0];

    if (count($parts) == 2) {
        $value = $parts[1];

        // The first character of a non-empty value decides whether it is treated as quoted.
        $quote = ('' == $value) ? '' : $value[0];
        $quoted = ('"' == $quote || "'" == $quote);

        // An opening quote without the same closing quote rejects the whole attribute.
        if ($quoted && substr($value, -1) != $quote) {
            return '';
        }

        if ($quoted) {
            $value = substr($value, 1, -1);
        } else {
            // Unquoted (or empty) values are emitted inside double quotes.
            $quote = '"';
        }

        // Sanitize quotes, angle braces, and entities.
        $value = esc_attr($value);

        // URI-type attributes also get protocol filtering, applied to the escaped value.
        if (in_array(strtolower($name), $uri_attributes)) {
            $value = wp_kses_bad_protocol($value, $protocols);
        }

        // Rebuild the attribute with consistent quoting.
        $string = $name . '=' . $quote . $value . $quote;
        $vless = 'n';
    } else {
        $value = '';
        $vless = 'y';
    }

    // NOTE(review): the return value of wp_kses_attr_check() is not used. The attribute is
    // only dropped if that function changes $name/$value/$string through by-reference
    // parameters; its definition is outside this listing, so confirm there.
    wp_kses_attr_check($name, $value, $string, $vless, $element, $allowed_html);

    // Restore whitespace.
    return $lead . $string . $trail;
}

WordPress Version: 9.3

/**
 * Filters one attribute only and ensures its value is allowed.
 *
 * On top of running esc_attr() on the value, this function passes the values
 * of the URI-type attributes listed in its body through wp_kses_bad_protocol()
 * and checks the attribute with wp_kses_attr_check() against the 'post'
 * allowed-HTML context. It can escape data in some situations where wp_kses()
 * must strip the whole attribute.
 *
 * An empty string is returned when a value starts with a quote character but
 * does not end with the same one.
 *
 * @since 4.2.3
 *
 * @param string $string The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute.
 */
function wp_kses_one_attr($string, $element)
{
    // Attribute names whose values are treated as URIs. The list is fixed inside this
    // function; a name that is not listed here is not passed to wp_kses_bad_protocol() below.
    $uri_names = array(
        'xmlns',
        'profile',
        'href',
        'src',
        'cite',
        'classid',
        'codebase',
        'data',
        'usemap',
        'longdesc',
        'action',
    );
    $allowed_html = wp_kses_allowed_html('post');
    $protocol_list = wp_allowed_protocols();
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));

    // Remember the whitespace at both ends so it can be handed back unchanged.
    $found = array();
    preg_match('/^\s*/', $string, $found);
    $lead = $found[0];
    preg_match('/\s*$/', $string, $found);
    $trail = $found[0];
    $offset = strlen($lead);
    if (!empty($trail)) {
        $string = substr($string, $offset, -strlen($trail));
    } else {
        $string = substr($string, $offset);
    }

    // Split once on "=" (optional whitespace around it): name first, raw value second.
    $pieces = preg_split('/\s*=\s*/', $string, 2);
    $name = $pieces[0];

    // Start from the valueless case; both are overwritten when a value is present.
    $value = '';
    $vless = 'y';

    if (2 == count($pieces)) {
        $value = $pieces[1];

        // The value's first character, if any, is the quote candidate.
        $quote = '';
        if ('' != $value) {
            $quote = $value[0];
        }

        if ('"' != $quote && "'" != $quote) {
            // Not quoted in the input: the rebuilt attribute uses double quotes.
            $quote = '"';
        } else {
            // Quoted: the same character must close the value, else reject the attribute.
            if (substr($value, -1) != $quote) {
                return '';
            }
            $value = substr($value, 1, -1);
        }

        // Sanitize quotes, angle braces, and entities.
        $value = esc_attr($value);

        // Protocol filtering for listed URI attributes runs on the already-escaped value.
        if (in_array(strtolower($name), $uri_names)) {
            $value = wp_kses_bad_protocol($value, $protocol_list);
        }

        // Rebuild the attribute with consistent quoting.
        $string = sprintf('%s=%s%s%s', $name, $quote, $value, $quote);
        $vless = 'n';
    }

    // NOTE(review): the return value of wp_kses_attr_check() is not used. The attribute is
    // only dropped if that function changes $name/$value/$string through by-reference
    // parameters; its definition is outside this listing, so confirm there.
    wp_kses_attr_check($name, $value, $string, $vless, $element, $allowed_html);

    // Restore whitespace.
    return $lead . $string . $trail;
}

WordPress Version: .20

/**
 * Filters one attribute only and ensures its value is allowed.
 *
 * On top of running esc_attr() on the value, this function passes URI-type
 * attribute values through wp_kses_bad_protocol() and checks the attribute with
 * wp_kses_attr_check() against the 'post' allowed-HTML context. It can escape
 * data in some situations where wp_kses() must strip the whole attribute.
 *
 * An empty string is returned when a value starts with a quote character but
 * does not end with the same one.
 *
 * @since 4.2.3
 *
 * @param string $string The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute.
 */
function wp_kses_one_attr($string, $element)
{
    $uri_names = wp_kses_uri_attributes();
    $allowed_html = wp_kses_allowed_html('post');
    $protocol_list = wp_allowed_protocols();
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));

    // Remember the whitespace at both ends so it can be handed back unchanged.
    $found = array();
    preg_match('/^\s*/', $string, $found);
    $lead = $found[0];
    preg_match('/\s*$/', $string, $found);
    $trail = $found[0];
    $offset = strlen($lead);
    if (!empty($trail)) {
        $string = substr($string, $offset, -strlen($trail));
    } else {
        $string = substr($string, $offset);
    }

    // Split once on "=" (optional whitespace around it): name first, raw value second.
    $pieces = preg_split('/\s*=\s*/', $string, 2);
    $name = $pieces[0];

    // Start from the valueless case; both are overwritten when a value is present.
    $value = '';
    $vless = 'y';

    if (2 == count($pieces)) {
        $value = $pieces[1];

        // The value's first character, if any, is the quote candidate.
        $quote = '';
        if ('' != $value) {
            $quote = $value[0];
        }

        if ('"' != $quote && "'" != $quote) {
            // Not quoted in the input: the rebuilt attribute uses double quotes.
            $quote = '"';
        } else {
            // Quoted: the same character must close the value, else reject the attribute.
            if (substr($value, -1) != $quote) {
                return '';
            }
            $value = substr($value, 1, -1);
        }

        // Sanitize quotes, angle braces, and entities.
        $value = esc_attr($value);

        // Protocol filtering for URI attributes runs on the already-escaped value.
        if (in_array(strtolower($name), $uri_names)) {
            $value = wp_kses_bad_protocol($value, $protocol_list);
        }

        // Rebuild the attribute with consistent quoting.
        $string = sprintf('%s=%s%s%s', $name, $quote, $value, $quote);
        $vless = 'n';
    }

    // NOTE(review): the return value of wp_kses_attr_check() is not used. The attribute is
    // only dropped if that function changes $name/$value/$string through by-reference
    // parameters; its definition is outside this listing, so confirm there.
    wp_kses_attr_check($name, $value, $string, $vless, $element, $allowed_html);

    // Restore whitespace.
    return $lead . $string . $trail;
}

WordPress Version: 9.2

/**
 * Filters one attribute only and ensures its value is allowed.
 *
 * On top of running esc_attr() on the value, this function passes the values
 * of the URI-type attributes listed in its body through wp_kses_bad_protocol()
 * and checks the attribute with wp_kses_attr_check() against the 'post'
 * allowed-HTML context. It can escape data in some situations where wp_kses()
 * must strip the whole attribute.
 *
 * An empty string is returned when a value starts with a quote character but
 * does not end with the same one.
 *
 * @since 4.2.3
 *
 * @param string $string The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute.
 */
function wp_kses_one_attr($string, $element)
{
    // Attribute names whose values are treated as URIs. The list is fixed inside this
    // function; a name that is not listed here is not passed to wp_kses_bad_protocol() below.
    $uri_attributes = array(
        'xmlns',
        'profile',
        'href',
        'src',
        'cite',
        'classid',
        'codebase',
        'data',
        'usemap',
        'longdesc',
        'action',
    );
    $allowed_html = wp_kses_allowed_html('post');
    $protocols = wp_allowed_protocols();

    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));

    // Set the surrounding whitespace aside; it is glued back on at the end.
    $leading = array();
    $trailing = array();
    preg_match('/^\s*/', $string, $leading);
    preg_match('/\s*$/', $string, $trailing);
    $lead = $leading[0];
    $trail = $trailing[0];
    $string = empty($trail)
        ? substr($string, strlen($lead))
        : substr($string, strlen($lead), -strlen($trail));

    // At most one split on "=": element 0 is the name, element 1 (if any) the raw value.
    $parts = preg_split('/\s*=\s*/', $string, 2);
    $name = $parts[0];

    if (count($parts) == 2) {
        $value = $parts[1];

        // The first character of a non-empty value decides whether it is treated as quoted.
        $quote = ('' == $value) ? '' : $value[0];
        $quoted = ('"' == $quote || "'" == $quote);

        // An opening quote without the same closing quote rejects the whole attribute.
        if ($quoted && substr($value, -1) != $quote) {
            return '';
        }

        if ($quoted) {
            $value = substr($value, 1, -1);
        } else {
            // Unquoted (or empty) values are emitted inside double quotes.
            $quote = '"';
        }

        // Sanitize quotes, angle braces, and entities.
        $value = esc_attr($value);

        // Listed URI attributes also get protocol filtering, applied to the escaped value.
        if (in_array(strtolower($name), $uri_attributes)) {
            $value = wp_kses_bad_protocol($value, $protocols);
        }

        // Rebuild the attribute with consistent quoting.
        $string = $name . '=' . $quote . $value . $quote;
        $vless = 'n';
    } else {
        $value = '';
        $vless = 'y';
    }

    // NOTE(review): the return value of wp_kses_attr_check() is not used. The attribute is
    // only dropped if that function changes $name/$value/$string through by-reference
    // parameters; its definition is outside this listing, so confirm there.
    wp_kses_attr_check($name, $value, $string, $vless, $element, $allowed_html);

    // Restore whitespace.
    return $lead . $string . $trail;
}

WordPress Version: .10

/**
 * Filters one attribute only and ensures its value is allowed.
 *
 * On top of running esc_attr() on the value, this function passes URI-type
 * attribute values through wp_kses_bad_protocol() and checks the attribute with
 * wp_kses_attr_check() against the 'post' allowed-HTML context. It can escape
 * data in some situations where wp_kses() must strip the whole attribute.
 *
 * An empty string is returned when a value starts with a quote character but
 * does not end with the same one.
 *
 * @since 4.2.3
 *
 * @param string $string The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute.
 */
function wp_kses_one_attr($string, $element)
{
    // Lookups happen up front, in this order, before any parsing.
    $uri_attributes = wp_kses_uri_attributes();
    $allowed_html = wp_kses_allowed_html('post');
    $protocols = wp_allowed_protocols();

    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));

    // Set the surrounding whitespace aside; it is glued back on at the end.
    $leading = array();
    $trailing = array();
    preg_match('/^\s*/', $string, $leading);
    preg_match('/\s*$/', $string, $trailing);
    $lead = $leading[0];
    $trail = $trailing[0];
    $string = empty($trail)
        ? substr($string, strlen($lead))
        : substr($string, strlen($lead), -strlen($trail));

    // At most one split on "=": element 0 is the name, element 1 (if any) the raw value.
    $parts = preg_split('/\s*=\s*/', $string, 2);
    $name = $parts[0];

    if (count($parts) == 2) {
        $value = $parts[1];

        // The first character of a non-empty value decides whether it is treated as quoted.
        $quote = ('' == $value) ? '' : $value[0];
        $quoted = ('"' == $quote || "'" == $quote);

        // An opening quote without the same closing quote rejects the whole attribute.
        if ($quoted && substr($value, -1) != $quote) {
            return '';
        }

        if ($quoted) {
            $value = substr($value, 1, -1);
        } else {
            // Unquoted (or empty) values are emitted inside double quotes.
            $quote = '"';
        }

        // Sanitize quotes, angle braces, and entities.
        $value = esc_attr($value);

        // URI-type attributes also get protocol filtering, applied to the escaped value.
        if (in_array(strtolower($name), $uri_attributes)) {
            $value = wp_kses_bad_protocol($value, $protocols);
        }

        // Rebuild the attribute with consistent quoting.
        $string = $name . '=' . $quote . $value . $quote;
        $vless = 'n';
    } else {
        $value = '';
        $vless = 'y';
    }

    // NOTE(review): the return value of wp_kses_attr_check() is not used. The attribute is
    // only dropped if that function changes $name/$value/$string through by-reference
    // parameters; its definition is outside this listing, so confirm there.
    wp_kses_attr_check($name, $value, $string, $vless, $element, $allowed_html);

    // Restore whitespace.
    return $lead . $string . $trail;
}

WordPress Version: 4.9

/**
 * Filters one attribute only and ensures its value is allowed.
 *
 * On top of running esc_attr() on the value, this function passes the values
 * of the URI-type attributes listed in its body through wp_kses_bad_protocol()
 * and checks the attribute with wp_kses_attr_check() against the 'post'
 * allowed-HTML context. It can escape data in some situations where wp_kses()
 * must strip the whole attribute.
 *
 * An empty string is returned when a value starts with a quote character but
 * does not end with the same one.
 *
 * @since 4.2.3
 *
 * @param string $string The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute.
 */
function wp_kses_one_attr($string, $element)
{
    // Attribute names whose values are treated as URIs. The list is fixed inside this
    // function; a name that is not listed here is not passed to wp_kses_bad_protocol() below.
    $uri_names = array(
        'xmlns',
        'profile',
        'href',
        'src',
        'cite',
        'classid',
        'codebase',
        'data',
        'usemap',
        'longdesc',
        'action',
    );
    $allowed_html = wp_kses_allowed_html('post');
    $protocol_list = wp_allowed_protocols();
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));

    // Remember the whitespace at both ends so it can be handed back unchanged.
    $found = array();
    preg_match('/^\s*/', $string, $found);
    $lead = $found[0];
    preg_match('/\s*$/', $string, $found);
    $trail = $found[0];
    $offset = strlen($lead);
    if (!empty($trail)) {
        $string = substr($string, $offset, -strlen($trail));
    } else {
        $string = substr($string, $offset);
    }

    // Split once on "=" (optional whitespace around it): name first, raw value second.
    $pieces = preg_split('/\s*=\s*/', $string, 2);
    $name = $pieces[0];

    // Start from the valueless case; both are overwritten when a value is present.
    $value = '';
    $vless = 'y';

    if (2 == count($pieces)) {
        $value = $pieces[1];

        // The value's first character, if any, is the quote candidate.
        $quote = '';
        if ('' != $value) {
            $quote = $value[0];
        }

        if ('"' != $quote && "'" != $quote) {
            // Not quoted in the input: the rebuilt attribute uses double quotes.
            $quote = '"';
        } else {
            // Quoted: the same character must close the value, else reject the attribute.
            if (substr($value, -1) != $quote) {
                return '';
            }
            $value = substr($value, 1, -1);
        }

        // Sanitize quotes, angle braces, and entities.
        $value = esc_attr($value);

        // Protocol filtering for listed URI attributes runs on the already-escaped value.
        if (in_array(strtolower($name), $uri_names)) {
            $value = wp_kses_bad_protocol($value, $protocol_list);
        }

        // Rebuild the attribute with consistent quoting.
        $string = sprintf('%s=%s%s%s', $name, $quote, $value, $quote);
        $vless = 'n';
    }

    // NOTE(review): the return value of wp_kses_attr_check() is not used. The attribute is
    // only dropped if that function changes $name/$value/$string through by-reference
    // parameters; its definition is outside this listing, so confirm there.
    wp_kses_attr_check($name, $value, $string, $vless, $element, $allowed_html);

    // Restore whitespace.
    return $lead . $string . $trail;
}

WordPress Version: 8.8

/**
 * Filters one attribute only and ensures its value is allowed.
 *
 * On top of running esc_attr() on the value, this function passes URI-type
 * attribute values through wp_kses_bad_protocol() and checks the attribute with
 * wp_kses_attr_check() against the 'post' allowed-HTML context. It can escape
 * data in some situations where wp_kses() must strip the whole attribute.
 *
 * An empty string is returned when a value starts with a quote character but
 * does not end with the same one.
 *
 * @since 4.2.3
 *
 * @param string $string The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute.
 */
function wp_kses_one_attr($string, $element)
{
    $uri_names = wp_kses_uri_attributes();
    $allowed_html = wp_kses_allowed_html('post');
    $protocol_list = wp_allowed_protocols();
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));

    // Remember the whitespace at both ends so it can be handed back unchanged.
    $found = array();
    preg_match('/^\s*/', $string, $found);
    $lead = $found[0];
    preg_match('/\s*$/', $string, $found);
    $trail = $found[0];
    $offset = strlen($lead);
    if (!empty($trail)) {
        $string = substr($string, $offset, -strlen($trail));
    } else {
        $string = substr($string, $offset);
    }

    // Split once on "=" (optional whitespace around it): name first, raw value second.
    $pieces = preg_split('/\s*=\s*/', $string, 2);
    $name = $pieces[0];

    // Start from the valueless case; both are overwritten when a value is present.
    $value = '';
    $vless = 'y';

    if (2 == count($pieces)) {
        $value = $pieces[1];

        // The value's first character, if any, is the quote candidate.
        $quote = '';
        if ('' != $value) {
            $quote = $value[0];
        }

        if ('"' != $quote && "'" != $quote) {
            // Not quoted in the input: the rebuilt attribute uses double quotes.
            $quote = '"';
        } else {
            // Quoted: the same character must close the value, else reject the attribute.
            if (substr($value, -1) != $quote) {
                return '';
            }
            $value = substr($value, 1, -1);
        }

        // Sanitize quotes, angle braces, and entities.
        $value = esc_attr($value);

        // Protocol filtering for URI attributes runs on the already-escaped value.
        if (in_array(strtolower($name), $uri_names)) {
            $value = wp_kses_bad_protocol($value, $protocol_list);
        }

        // Rebuild the attribute with consistent quoting.
        $string = sprintf('%s=%s%s%s', $name, $quote, $value, $quote);
        $vless = 'n';
    }

    // NOTE(review): the return value of wp_kses_attr_check() is not used. The attribute is
    // only dropped if that function changes $name/$value/$string through by-reference
    // parameters; its definition is outside this listing, so confirm there.
    wp_kses_attr_check($name, $value, $string, $vless, $element, $allowed_html);

    // Restore whitespace.
    return $lead . $string . $trail;
}

WordPress Version: 8.2

/**
 * Filters one attribute only and ensures its value is allowed.
 *
 * On top of running esc_attr() on the value, this function passes the values
 * of the URI-type attributes listed in its body through wp_kses_bad_protocol()
 * and checks the attribute with wp_kses_attr_check() against the 'post'
 * allowed-HTML context. It can escape data in some situations where wp_kses()
 * must strip the whole attribute.
 *
 * An empty string is returned when a value starts with a quote character but
 * does not end with the same one.
 *
 * @since 4.2.3
 *
 * @param string $string The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute.
 */
function wp_kses_one_attr($string, $element)
{
    // Attribute names whose values are treated as URIs. The list is fixed inside this
    // function; a name that is not listed here is not passed to wp_kses_bad_protocol() below.
    $uri_attributes = array(
        'xmlns',
        'profile',
        'href',
        'src',
        'cite',
        'classid',
        'codebase',
        'data',
        'usemap',
        'longdesc',
        'action',
    );
    $allowed_html = wp_kses_allowed_html('post');
    $protocols = wp_allowed_protocols();

    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));

    // Set the surrounding whitespace aside; it is glued back on at the end.
    $leading = array();
    $trailing = array();
    preg_match('/^\s*/', $string, $leading);
    preg_match('/\s*$/', $string, $trailing);
    $lead = $leading[0];
    $trail = $trailing[0];
    $string = empty($trail)
        ? substr($string, strlen($lead))
        : substr($string, strlen($lead), -strlen($trail));

    // At most one split on "=": element 0 is the name, element 1 (if any) the raw value.
    $parts = preg_split('/\s*=\s*/', $string, 2);
    $name = $parts[0];

    if (count($parts) == 2) {
        $value = $parts[1];

        // The first character of a non-empty value decides whether it is treated as quoted.
        $quote = ('' == $value) ? '' : $value[0];
        $quoted = ('"' == $quote || "'" == $quote);

        // An opening quote without the same closing quote rejects the whole attribute.
        if ($quoted && substr($value, -1) != $quote) {
            return '';
        }

        if ($quoted) {
            $value = substr($value, 1, -1);
        } else {
            // Unquoted (or empty) values are emitted inside double quotes.
            $quote = '"';
        }

        // Sanitize quotes, angle braces, and entities.
        $value = esc_attr($value);

        // Listed URI attributes also get protocol filtering, applied to the escaped value.
        if (in_array(strtolower($name), $uri_attributes)) {
            $value = wp_kses_bad_protocol($value, $protocols);
        }

        // Rebuild the attribute with consistent quoting.
        $string = $name . '=' . $quote . $value . $quote;
        $vless = 'n';
    } else {
        $value = '';
        $vless = 'y';
    }

    // NOTE(review): the return value of wp_kses_attr_check() is not used. The attribute is
    // only dropped if that function changes $name/$value/$string through by-reference
    // parameters; its definition is outside this listing, so confirm there.
    wp_kses_attr_check($name, $value, $string, $vless, $element, $allowed_html);

    // Restore whitespace.
    return $lead . $string . $trail;
}

WordPress Version: .10

/**
 * Sanitizes a single HTML attribute string and returns it with safe quoting.
 *
 * The value is entity-escaped and re-quoted instead of being dropped, so this can
 * keep data in some situations where wp_kses() must strip the whole attribute.
 *
 * Security notes:
 * - The attribute name is not escaped here; it is only validated by
 *   wp_kses_attr_check() against the 'post' allowlist for $element.
 * - Protocol filtering applies only to the attribute names returned by
 *   wp_kses_uri_attributes(); other attributes get entity escaping only.
 * - A quoted value whose last character does not match its opening quote makes
 *   the function return an empty string (surrounding whitespace included).
 *
 * @since 4.2.3
 *
 * @param string $string  The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute; '' when the closing quote does not match.
 */
function wp_kses_one_attr($string, $element)
{
    // Attribute names whose values are treated as URIs.
    $uris = wp_kses_uri_attributes();
    // The allowlist context is fixed to 'post'; callers cannot pick another one.
    $allowed_html = wp_kses_allowed_html('post');
    $allowed_protocols = wp_allowed_protocols();

    // Remove NUL characters before parsing (wp_kses_no_null(), defined elsewhere).
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));

    // Capture the surrounding whitespace so it can be put back on return.
    $ws = array();
    preg_match('/^\s*/', $string, $ws);
    $leading = $ws[0];
    preg_match('/\s*$/', $string, $ws);
    $trailing = $ws[0];
    // substr() with a length of -0 would return an empty string, so the
    // trailing cut is applied only when there is trailing whitespace.
    if (!empty($trailing)) {
        $string = substr($string, strlen($leading), -strlen($trailing));
    } else {
        $string = substr($string, strlen($leading));
    }

    // Split into name and (optional) value at the first '='.
    $parts = preg_split('/\s*=\s*/', $string, 2);
    $attr_name = $parts[0];
    $attr_value = '';
    $valueless = 'y';
    if (2 == count($parts)) {
        $attr_value = $parts[1];
        $valueless = 'n';

        // Keep the author's quote character when the value is quoted,
        // otherwise fall back to a double quote.
        $delimiter = ('' == $attr_value) ? '' : $attr_value[0];
        if ('"' != $delimiter && "'" != $delimiter) {
            $delimiter = '"';
        } elseif (substr($attr_value, -1) != $delimiter) {
            // Opening quote without a matching closing quote: reject.
            return '';
        } else {
            // A value that is only one quote character also reaches this
            // point (first and last byte are the same) and ends up empty.
            $attr_value = substr($attr_value, 1, -1);
        }

        // Escape quotes, angle brackets and entities before the protocol check.
        $attr_value = esc_attr($attr_value);
        if (in_array(strtolower($attr_name), $uris)) {
            $attr_value = wp_kses_bad_protocol($attr_value, $allowed_protocols);
        }

        // Rebuild the attribute with matching quotes. The name is inserted as
        // parsed; it is vetted only by the name check below.
        $string = $attr_name . '=' . $delimiter . $attr_value . $delimiter;
    }

    // Check the attribute by name against the allowlist. The return value is not
    // used, so the call can only affect the result by changing $string in place
    // (presumably by-reference parameters; wp_kses_attr_check() is defined elsewhere).
    wp_kses_attr_check($attr_name, $attr_value, $string, $valueless, $element, $allowed_html);

    // Put the original surrounding whitespace back.
    return $leading . $string . $trailing;
}

WordPress Version: 4.7

/**
 * Sanitizes a single HTML attribute string and returns it with safe quoting.
 *
 * The value is entity-escaped and re-quoted instead of being dropped, so this can
 * keep data in some situations where wp_kses() must strip the whole attribute.
 *
 * Security notes:
 * - The attribute name is not escaped here; it is only validated by
 *   wp_kses_attr_check() against the 'post' allowlist for $element.
 * - Protocol filtering applies only to the attribute names hard-coded in $uris.
 *   Any other URI-valued attribute the allowlist permits gets entity escaping only.
 * - A quoted value whose last character does not match its opening quote makes
 *   the function return an empty string (surrounding whitespace included).
 *
 * @since 4.2.3
 *
 * @param string $string  The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute; '' when the closing quote does not match.
 */
function wp_kses_one_attr($string, $element)
{
    // Attribute names whose values are treated as URIs.
    $uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');
    // The allowlist context is fixed to 'post'; callers cannot pick another one.
    $allowed_html = wp_kses_allowed_html('post');
    $allowed_protocols = wp_allowed_protocols();

    // Remove NUL characters before parsing (wp_kses_no_null(), defined elsewhere).
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));

    // Capture the surrounding whitespace so it can be put back on return.
    $ws = array();
    preg_match('/^\s*/', $string, $ws);
    $leading = $ws[0];
    preg_match('/\s*$/', $string, $ws);
    $trailing = $ws[0];
    // substr() with a length of -0 would return an empty string, so the
    // trailing cut is applied only when there is trailing whitespace.
    if (!empty($trailing)) {
        $string = substr($string, strlen($leading), -strlen($trailing));
    } else {
        $string = substr($string, strlen($leading));
    }

    // Split into name and (optional) value at the first '='.
    $parts = preg_split('/\s*=\s*/', $string, 2);
    $attr_name = $parts[0];
    $attr_value = '';
    $valueless = 'y';
    if (2 == count($parts)) {
        $attr_value = $parts[1];
        $valueless = 'n';

        // Keep the author's quote character when the value is quoted,
        // otherwise fall back to a double quote.
        $delimiter = ('' == $attr_value) ? '' : $attr_value[0];
        if ('"' != $delimiter && "'" != $delimiter) {
            $delimiter = '"';
        } elseif (substr($attr_value, -1) != $delimiter) {
            // Opening quote without a matching closing quote: reject.
            return '';
        } else {
            // A value that is only one quote character also reaches this
            // point (first and last byte are the same) and ends up empty.
            $attr_value = substr($attr_value, 1, -1);
        }

        // Escape quotes, angle brackets and entities before the protocol check.
        $attr_value = esc_attr($attr_value);
        if (in_array(strtolower($attr_name), $uris)) {
            $attr_value = wp_kses_bad_protocol($attr_value, $allowed_protocols);
        }

        // Rebuild the attribute with matching quotes. The name is inserted as
        // parsed; it is vetted only by the name check below.
        $string = $attr_name . '=' . $delimiter . $attr_value . $delimiter;
    }

    // Check the attribute by name against the allowlist. The return value is not
    // used, so the call can only affect the result by changing $string in place
    // (presumably by-reference parameters; wp_kses_attr_check() is defined elsewhere).
    wp_kses_attr_check($attr_name, $attr_value, $string, $valueless, $element, $allowed_html);

    // Put the original surrounding whitespace back.
    return $leading . $string . $trailing;
}

WordPress Version: 6.3

/**
 * Sanitizes a single HTML attribute string and returns it with safe quoting.
 *
 * The value is entity-escaped and re-quoted instead of being dropped, so this can
 * keep data in some situations where wp_kses() must strip the whole attribute.
 *
 * Security notes:
 * - The attribute name is not escaped here; it is only validated by
 *   wp_kses_attr_check() against the 'post' allowlist for $element.
 * - Protocol filtering applies only to the attribute names hard-coded in $uris.
 *   Any other URI-valued attribute the allowlist permits gets entity escaping only.
 * - A quoted value whose last character does not match its opening quote makes
 *   the function return an empty string (surrounding whitespace included).
 *
 * @since 4.2.3
 *
 * @param string $string  The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute; '' when the closing quote does not match.
 */
function wp_kses_one_attr($string, $element)
{
    // Attribute names whose values are treated as URIs.
    $uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');
    // The allowlist context is fixed to 'post'; callers cannot pick another one.
    $allowed_html = wp_kses_allowed_html('post');
    $allowed_protocols = wp_allowed_protocols();

    // Remove NUL characters, then JavaScript-entity sequences, before parsing
    // (both helpers are defined elsewhere).
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $string = wp_kses_js_entities($string);

    // Capture the surrounding whitespace so it can be put back on return.
    $ws = array();
    preg_match('/^\s*/', $string, $ws);
    $leading = $ws[0];
    preg_match('/\s*$/', $string, $ws);
    $trailing = $ws[0];
    // substr() with a length of -0 would return an empty string, so the
    // trailing cut is applied only when there is trailing whitespace.
    if (!empty($trailing)) {
        $string = substr($string, strlen($leading), -strlen($trailing));
    } else {
        $string = substr($string, strlen($leading));
    }

    // Split into name and (optional) value at the first '='.
    $parts = preg_split('/\s*=\s*/', $string, 2);
    $attr_name = $parts[0];
    $attr_value = '';
    $valueless = 'y';
    if (2 == count($parts)) {
        $attr_value = $parts[1];
        $valueless = 'n';

        // Keep the author's quote character when the value is quoted,
        // otherwise fall back to a double quote.
        $delimiter = ('' == $attr_value) ? '' : $attr_value[0];
        if ('"' != $delimiter && "'" != $delimiter) {
            $delimiter = '"';
        } elseif (substr($attr_value, -1) != $delimiter) {
            // Opening quote without a matching closing quote: reject.
            return '';
        } else {
            // A value that is only one quote character also reaches this
            // point (first and last byte are the same) and ends up empty.
            $attr_value = substr($attr_value, 1, -1);
        }

        // Escape quotes, angle brackets and entities before the protocol check.
        $attr_value = esc_attr($attr_value);
        if (in_array(strtolower($attr_name), $uris)) {
            $attr_value = wp_kses_bad_protocol($attr_value, $allowed_protocols);
        }

        // Rebuild the attribute with matching quotes. The name is inserted as
        // parsed; it is vetted only by the name check below.
        $string = $attr_name . '=' . $delimiter . $attr_value . $delimiter;
    }

    // Check the attribute by name against the allowlist. The return value is not
    // used, so the call can only affect the result by changing $string in place
    // (presumably by-reference parameters; wp_kses_attr_check() is defined elsewhere).
    wp_kses_attr_check($attr_name, $attr_value, $string, $valueless, $element, $allowed_html);

    // Put the original surrounding whitespace back.
    return $leading . $string . $trailing;
}

WordPress Version: .20

/**
 * Sanitizes a single HTML attribute string and returns it with safe quoting.
 *
 * The value is entity-escaped and re-quoted instead of being dropped, so this can
 * keep data in some situations where wp_kses() must strip the whole attribute.
 *
 * Security notes:
 * - The attribute name is not escaped here; it is only validated by
 *   wp_kses_attr_check() against the 'post' allowlist for $element.
 * - Protocol filtering applies only to the attribute names returned by
 *   wp_kses_uri_attributes(); other attributes get entity escaping only.
 * - A quoted value whose last character does not match its opening quote makes
 *   the function return an empty string (surrounding whitespace included).
 *
 * @since 4.2.3
 *
 * @param string $string  The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute; '' when the closing quote does not match.
 */
function wp_kses_one_attr($string, $element)
{
    // Attribute names whose values are treated as URIs.
    $uris = wp_kses_uri_attributes();
    // The allowlist context is fixed to 'post'; callers cannot pick another one.
    $allowed_html = wp_kses_allowed_html('post');
    $allowed_protocols = wp_allowed_protocols();

    // Remove NUL characters, then JavaScript-entity sequences, before parsing
    // (both helpers are defined elsewhere).
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $string = wp_kses_js_entities($string);

    // Capture the surrounding whitespace so it can be put back on return.
    $ws = array();
    preg_match('/^\s*/', $string, $ws);
    $leading = $ws[0];
    preg_match('/\s*$/', $string, $ws);
    $trailing = $ws[0];
    // substr() with a length of -0 would return an empty string, so the
    // trailing cut is applied only when there is trailing whitespace.
    if (!empty($trailing)) {
        $string = substr($string, strlen($leading), -strlen($trailing));
    } else {
        $string = substr($string, strlen($leading));
    }

    // Split into name and (optional) value at the first '='.
    $parts = preg_split('/\s*=\s*/', $string, 2);
    $attr_name = $parts[0];
    $attr_value = '';
    $valueless = 'y';
    if (2 == count($parts)) {
        $attr_value = $parts[1];
        $valueless = 'n';

        // Keep the author's quote character when the value is quoted,
        // otherwise fall back to a double quote.
        $delimiter = ('' == $attr_value) ? '' : $attr_value[0];
        if ('"' != $delimiter && "'" != $delimiter) {
            $delimiter = '"';
        } elseif (substr($attr_value, -1) != $delimiter) {
            // Opening quote without a matching closing quote: reject.
            return '';
        } else {
            // A value that is only one quote character also reaches this
            // point (first and last byte are the same) and ends up empty.
            $attr_value = substr($attr_value, 1, -1);
        }

        // Escape quotes, angle brackets and entities before the protocol check.
        $attr_value = esc_attr($attr_value);
        if (in_array(strtolower($attr_name), $uris)) {
            $attr_value = wp_kses_bad_protocol($attr_value, $allowed_protocols);
        }

        // Rebuild the attribute with matching quotes. The name is inserted as
        // parsed; it is vetted only by the name check below.
        $string = $attr_name . '=' . $delimiter . $attr_value . $delimiter;
    }

    // Check the attribute by name against the allowlist. The return value is not
    // used, so the call can only affect the result by changing $string in place
    // (presumably by-reference parameters; wp_kses_attr_check() is defined elsewhere).
    wp_kses_attr_check($attr_name, $attr_value, $string, $valueless, $element, $allowed_html);

    // Put the original surrounding whitespace back.
    return $leading . $string . $trailing;
}

WordPress Version: 6.2

/**
 * Sanitizes a single HTML attribute string and returns it with safe quoting.
 *
 * The value is entity-escaped and re-quoted instead of being dropped, so this can
 * keep data in some situations where wp_kses() must strip the whole attribute.
 *
 * Security notes:
 * - The attribute name is not escaped here; it is only validated by
 *   wp_kses_attr_check() against the 'post' allowlist for $element.
 * - Protocol filtering applies only to the attribute names hard-coded in $uris.
 *   Any other URI-valued attribute the allowlist permits gets entity escaping only.
 * - A quoted value whose last character does not match its opening quote makes
 *   the function return an empty string (surrounding whitespace included).
 *
 * @since 4.2.3
 *
 * @param string $string  The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute; '' when the closing quote does not match.
 */
function wp_kses_one_attr($string, $element)
{
    // Attribute names whose values are treated as URIs.
    $uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');
    // The allowlist context is fixed to 'post'; callers cannot pick another one.
    $allowed_html = wp_kses_allowed_html('post');
    $allowed_protocols = wp_allowed_protocols();

    // Remove NUL characters, then JavaScript-entity sequences, before parsing
    // (both helpers are defined elsewhere).
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $string = wp_kses_js_entities($string);

    // Capture the surrounding whitespace so it can be put back on return.
    $ws = array();
    preg_match('/^\s*/', $string, $ws);
    $leading = $ws[0];
    preg_match('/\s*$/', $string, $ws);
    $trailing = $ws[0];
    // substr() with a length of -0 would return an empty string, so the
    // trailing cut is applied only when there is trailing whitespace.
    if (!empty($trailing)) {
        $string = substr($string, strlen($leading), -strlen($trailing));
    } else {
        $string = substr($string, strlen($leading));
    }

    // Split into name and (optional) value at the first '='.
    $parts = preg_split('/\s*=\s*/', $string, 2);
    $attr_name = $parts[0];
    $attr_value = '';
    $valueless = 'y';
    if (2 == count($parts)) {
        $attr_value = $parts[1];
        $valueless = 'n';

        // Keep the author's quote character when the value is quoted,
        // otherwise fall back to a double quote.
        $delimiter = ('' == $attr_value) ? '' : $attr_value[0];
        if ('"' != $delimiter && "'" != $delimiter) {
            $delimiter = '"';
        } elseif (substr($attr_value, -1) != $delimiter) {
            // Opening quote without a matching closing quote: reject.
            return '';
        } else {
            // A value that is only one quote character also reaches this
            // point (first and last byte are the same) and ends up empty.
            $attr_value = substr($attr_value, 1, -1);
        }

        // Escape quotes, angle brackets and entities before the protocol check.
        $attr_value = esc_attr($attr_value);
        if (in_array(strtolower($attr_name), $uris)) {
            $attr_value = wp_kses_bad_protocol($attr_value, $allowed_protocols);
        }

        // Rebuild the attribute with matching quotes. The name is inserted as
        // parsed; it is vetted only by the name check below.
        $string = $attr_name . '=' . $delimiter . $attr_value . $delimiter;
    }

    // Check the attribute by name against the allowlist. The return value is not
    // used, so the call can only affect the result by changing $string in place
    // (presumably by-reference parameters; wp_kses_attr_check() is defined elsewhere).
    wp_kses_attr_check($attr_name, $attr_value, $string, $valueless, $element, $allowed_html);

    // Put the original surrounding whitespace back.
    return $leading . $string . $trailing;
}

WordPress Version: .13

/**
 * Sanitizes a single HTML attribute string and returns it with safe quoting.
 *
 * The value is entity-escaped and re-quoted instead of being dropped, so this can
 * keep data in some situations where wp_kses() must strip the whole attribute.
 *
 * Security notes:
 * - The attribute name is not escaped here; it is only validated by
 *   wp_kses_attr_check() against the 'post' allowlist for $element.
 * - Protocol filtering applies only to the attribute names returned by
 *   wp_kses_uri_attributes(); other attributes get entity escaping only.
 * - A quoted value whose last character does not match its opening quote makes
 *   the function return an empty string (surrounding whitespace included).
 *
 * @since 4.2.3
 *
 * @param string $string  The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute; '' when the closing quote does not match.
 */
function wp_kses_one_attr($string, $element)
{
    // Attribute names whose values are treated as URIs.
    $uris = wp_kses_uri_attributes();
    // The allowlist context is fixed to 'post'; callers cannot pick another one.
    $allowed_html = wp_kses_allowed_html('post');
    $allowed_protocols = wp_allowed_protocols();

    // Remove NUL characters, then JavaScript-entity sequences, before parsing
    // (both helpers are defined elsewhere).
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $string = wp_kses_js_entities($string);

    // Capture the surrounding whitespace so it can be put back on return.
    $ws = array();
    preg_match('/^\s*/', $string, $ws);
    $leading = $ws[0];
    preg_match('/\s*$/', $string, $ws);
    $trailing = $ws[0];
    // substr() with a length of -0 would return an empty string, so the
    // trailing cut is applied only when there is trailing whitespace.
    if (!empty($trailing)) {
        $string = substr($string, strlen($leading), -strlen($trailing));
    } else {
        $string = substr($string, strlen($leading));
    }

    // Split into name and (optional) value at the first '='.
    $parts = preg_split('/\s*=\s*/', $string, 2);
    $attr_name = $parts[0];
    $attr_value = '';
    $valueless = 'y';
    if (2 == count($parts)) {
        $attr_value = $parts[1];
        $valueless = 'n';

        // Keep the author's quote character when the value is quoted,
        // otherwise fall back to a double quote.
        $delimiter = ('' == $attr_value) ? '' : $attr_value[0];
        if ('"' != $delimiter && "'" != $delimiter) {
            $delimiter = '"';
        } elseif (substr($attr_value, -1) != $delimiter) {
            // Opening quote without a matching closing quote: reject.
            return '';
        } else {
            // A value that is only one quote character also reaches this
            // point (first and last byte are the same) and ends up empty.
            $attr_value = substr($attr_value, 1, -1);
        }

        // Escape quotes, angle brackets and entities before the protocol check.
        $attr_value = esc_attr($attr_value);
        if (in_array(strtolower($attr_name), $uris)) {
            $attr_value = wp_kses_bad_protocol($attr_value, $allowed_protocols);
        }

        // Rebuild the attribute with matching quotes. The name is inserted as
        // parsed; it is vetted only by the name check below.
        $string = $attr_name . '=' . $delimiter . $attr_value . $delimiter;
    }

    // Check the attribute by name against the allowlist. The return value is not
    // used, so the call can only affect the result by changing $string in place
    // (presumably by-reference parameters; wp_kses_attr_check() is defined elsewhere).
    wp_kses_attr_check($attr_name, $attr_value, $string, $valueless, $element, $allowed_html);

    // Put the original surrounding whitespace back.
    return $leading . $string . $trailing;
}

WordPress Version: 5.4

/**
 * Sanitizes a single HTML attribute string and returns it with safe quoting.
 *
 * The value is entity-escaped and re-quoted instead of being dropped, so this can
 * keep data in some situations where wp_kses() must strip the whole attribute.
 *
 * Security notes:
 * - The attribute name is not escaped here; it is only validated by
 *   wp_kses_attr_check() against the 'post' allowlist for $element.
 * - Protocol filtering applies only to the attribute names hard-coded in $uris.
 *   Any other URI-valued attribute the allowlist permits gets entity escaping only.
 * - A quoted value whose last character does not match its opening quote makes
 *   the function return an empty string (surrounding whitespace included).
 *
 * @since 4.2.3
 *
 * @param string $string  The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute; '' when the closing quote does not match.
 */
function wp_kses_one_attr($string, $element)
{
    // Attribute names whose values are treated as URIs.
    $uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');
    // The allowlist context is fixed to 'post'; callers cannot pick another one.
    $allowed_html = wp_kses_allowed_html('post');
    $allowed_protocols = wp_allowed_protocols();

    // Remove NUL characters, then JavaScript-entity sequences, before parsing
    // (both helpers are defined elsewhere).
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $string = wp_kses_js_entities($string);

    // Capture the surrounding whitespace so it can be put back on return.
    $ws = array();
    preg_match('/^\s*/', $string, $ws);
    $leading = $ws[0];
    preg_match('/\s*$/', $string, $ws);
    $trailing = $ws[0];
    // substr() with a length of -0 would return an empty string, so the
    // trailing cut is applied only when there is trailing whitespace.
    if (!empty($trailing)) {
        $string = substr($string, strlen($leading), -strlen($trailing));
    } else {
        $string = substr($string, strlen($leading));
    }

    // Split into name and (optional) value at the first '='.
    $parts = preg_split('/\s*=\s*/', $string, 2);
    $attr_name = $parts[0];
    $attr_value = '';
    $valueless = 'y';
    if (2 == count($parts)) {
        $attr_value = $parts[1];
        $valueless = 'n';

        // Keep the author's quote character when the value is quoted,
        // otherwise fall back to a double quote.
        $delimiter = ('' == $attr_value) ? '' : $attr_value[0];
        if ('"' != $delimiter && "'" != $delimiter) {
            $delimiter = '"';
        } elseif (substr($attr_value, -1) != $delimiter) {
            // Opening quote without a matching closing quote: reject.
            return '';
        } else {
            // A value that is only one quote character also reaches this
            // point (first and last byte are the same) and ends up empty.
            $attr_value = substr($attr_value, 1, -1);
        }

        // Escape quotes, angle brackets and entities before the protocol check.
        $attr_value = esc_attr($attr_value);
        if (in_array(strtolower($attr_name), $uris)) {
            $attr_value = wp_kses_bad_protocol($attr_value, $allowed_protocols);
        }

        // Rebuild the attribute with matching quotes. The name is inserted as
        // parsed; it is vetted only by the name check below.
        $string = $attr_name . '=' . $delimiter . $attr_value . $delimiter;
    }

    // Check the attribute by name against the allowlist. The return value is not
    // used, so the call can only affect the result by changing $string in place
    // (presumably by-reference parameters; wp_kses_attr_check() is defined elsewhere).
    wp_kses_attr_check($attr_name, $attr_value, $string, $valueless, $element, $allowed_html);

    // Put the original surrounding whitespace back.
    return $leading . $string . $trailing;
}

WordPress Version: .30

/**
 * Sanitizes a single HTML attribute string and returns it with safe quoting.
 *
 * The value is entity-escaped and re-quoted instead of being dropped, so this can
 * keep data in some situations where wp_kses() must strip the whole attribute.
 *
 * Security notes:
 * - The attribute name is not escaped here; it is only validated by
 *   wp_kses_attr_check() against the 'post' allowlist for $element.
 * - Protocol filtering applies only to the attribute names returned by
 *   wp_kses_uri_attributes(); other attributes get entity escaping only.
 * - A quoted value whose last character does not match its opening quote makes
 *   the function return an empty string (surrounding whitespace included).
 *
 * @since 4.2.3
 *
 * @param string $string  The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute; '' when the closing quote does not match.
 */
function wp_kses_one_attr($string, $element)
{
    // Attribute names whose values are treated as URIs.
    $uris = wp_kses_uri_attributes();
    // The allowlist context is fixed to 'post'; callers cannot pick another one.
    $allowed_html = wp_kses_allowed_html('post');
    $allowed_protocols = wp_allowed_protocols();

    // Remove NUL characters, then JavaScript-entity sequences, before parsing
    // (both helpers are defined elsewhere).
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $string = wp_kses_js_entities($string);

    // Capture the surrounding whitespace so it can be put back on return.
    $ws = array();
    preg_match('/^\s*/', $string, $ws);
    $leading = $ws[0];
    preg_match('/\s*$/', $string, $ws);
    $trailing = $ws[0];
    // substr() with a length of -0 would return an empty string, so the
    // trailing cut is applied only when there is trailing whitespace.
    if (!empty($trailing)) {
        $string = substr($string, strlen($leading), -strlen($trailing));
    } else {
        $string = substr($string, strlen($leading));
    }

    // Split into name and (optional) value at the first '='.
    $parts = preg_split('/\s*=\s*/', $string, 2);
    $attr_name = $parts[0];
    $attr_value = '';
    $valueless = 'y';
    if (2 == count($parts)) {
        $attr_value = $parts[1];
        $valueless = 'n';

        // Keep the author's quote character when the value is quoted,
        // otherwise fall back to a double quote.
        $delimiter = ('' == $attr_value) ? '' : $attr_value[0];
        if ('"' != $delimiter && "'" != $delimiter) {
            $delimiter = '"';
        } elseif (substr($attr_value, -1) != $delimiter) {
            // Opening quote without a matching closing quote: reject.
            return '';
        } else {
            // A value that is only one quote character also reaches this
            // point (first and last byte are the same) and ends up empty.
            $attr_value = substr($attr_value, 1, -1);
        }

        // Escape quotes, angle brackets and entities before the protocol check.
        $attr_value = esc_attr($attr_value);
        if (in_array(strtolower($attr_name), $uris)) {
            $attr_value = wp_kses_bad_protocol($attr_value, $allowed_protocols);
        }

        // Rebuild the attribute with matching quotes. The name is inserted as
        // parsed; it is vetted only by the name check below.
        $string = $attr_name . '=' . $delimiter . $attr_value . $delimiter;
    }

    // Check the attribute by name against the allowlist. The return value is not
    // used, so the call can only affect the result by changing $string in place
    // (presumably by-reference parameters; wp_kses_attr_check() is defined elsewhere).
    wp_kses_attr_check($attr_name, $attr_value, $string, $valueless, $element, $allowed_html);

    // Put the original surrounding whitespace back.
    return $leading . $string . $trailing;
}

WordPress Version: 5.3

/**
 * Sanitizes a single HTML attribute string and returns it with safe quoting.
 *
 * The value is entity-escaped and re-quoted instead of being dropped, so this can
 * keep data in some situations where wp_kses() must strip the whole attribute.
 *
 * Security notes:
 * - The attribute name is not escaped here; it is only validated by
 *   wp_kses_attr_check() against the 'post' allowlist for $element.
 * - Protocol filtering applies only to the attribute names hard-coded in $uris.
 *   Any other URI-valued attribute the allowlist permits gets entity escaping only.
 * - A quoted value whose last character does not match its opening quote makes
 *   the function return an empty string (surrounding whitespace included).
 *
 * @since 4.2.3
 *
 * @param string $string  The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute; '' when the closing quote does not match.
 */
function wp_kses_one_attr($string, $element)
{
    // Attribute names whose values are treated as URIs.
    $uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');
    // The allowlist context is fixed to 'post'; callers cannot pick another one.
    $allowed_html = wp_kses_allowed_html('post');
    $allowed_protocols = wp_allowed_protocols();

    // Remove NUL characters, then JavaScript-entity sequences, before parsing
    // (both helpers are defined elsewhere).
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $string = wp_kses_js_entities($string);

    // Capture the surrounding whitespace so it can be put back on return.
    $ws = array();
    preg_match('/^\s*/', $string, $ws);
    $leading = $ws[0];
    preg_match('/\s*$/', $string, $ws);
    $trailing = $ws[0];
    // substr() with a length of -0 would return an empty string, so the
    // trailing cut is applied only when there is trailing whitespace.
    if (!empty($trailing)) {
        $string = substr($string, strlen($leading), -strlen($trailing));
    } else {
        $string = substr($string, strlen($leading));
    }

    // Split into name and (optional) value at the first '='.
    $parts = preg_split('/\s*=\s*/', $string, 2);
    $attr_name = $parts[0];
    $attr_value = '';
    $valueless = 'y';
    if (2 == count($parts)) {
        $attr_value = $parts[1];
        $valueless = 'n';

        // Keep the author's quote character when the value is quoted,
        // otherwise fall back to a double quote.
        $delimiter = ('' == $attr_value) ? '' : $attr_value[0];
        if ('"' != $delimiter && "'" != $delimiter) {
            $delimiter = '"';
        } elseif (substr($attr_value, -1) != $delimiter) {
            // Opening quote without a matching closing quote: reject.
            return '';
        } else {
            // A value that is only one quote character also reaches this
            // point (first and last byte are the same) and ends up empty.
            $attr_value = substr($attr_value, 1, -1);
        }

        // Escape quotes, angle brackets and entities before the protocol check.
        $attr_value = esc_attr($attr_value);
        if (in_array(strtolower($attr_name), $uris)) {
            $attr_value = wp_kses_bad_protocol($attr_value, $allowed_protocols);
        }

        // Rebuild the attribute with matching quotes. The name is inserted as
        // parsed; it is vetted only by the name check below.
        $string = $attr_name . '=' . $delimiter . $attr_value . $delimiter;
    }

    // Check the attribute by name against the allowlist. The return value is not
    // used, so the call can only affect the result by changing $string in place
    // (presumably by-reference parameters; wp_kses_attr_check() is defined elsewhere).
    wp_kses_attr_check($attr_name, $attr_value, $string, $valueless, $element, $allowed_html);

    // Put the original surrounding whitespace back.
    return $leading . $string . $trailing;
}

WordPress Version: .20

/**
 * Sanitizes a single HTML attribute string and returns it with safe quoting.
 *
 * The value is entity-escaped and re-quoted instead of being dropped, so this can
 * keep data in some situations where wp_kses() must strip the whole attribute.
 *
 * Security notes:
 * - The attribute name is not escaped here; it is only validated by
 *   wp_kses_attr_check() against the 'post' allowlist for $element.
 * - Protocol filtering applies only to the attribute names returned by
 *   wp_kses_uri_attributes(); other attributes get entity escaping only.
 * - A quoted value whose last character does not match its opening quote makes
 *   the function return an empty string (surrounding whitespace included).
 *
 * @since 4.2.3
 *
 * @param string $string  The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute; '' when the closing quote does not match.
 */
function wp_kses_one_attr($string, $element)
{
    // Attribute names whose values are treated as URIs.
    $uris = wp_kses_uri_attributes();
    // The allowlist context is fixed to 'post'; callers cannot pick another one.
    $allowed_html = wp_kses_allowed_html('post');
    $allowed_protocols = wp_allowed_protocols();

    // Remove NUL characters, then JavaScript-entity sequences, before parsing
    // (both helpers are defined elsewhere).
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $string = wp_kses_js_entities($string);

    // Capture the surrounding whitespace so it can be put back on return.
    $ws = array();
    preg_match('/^\s*/', $string, $ws);
    $leading = $ws[0];
    preg_match('/\s*$/', $string, $ws);
    $trailing = $ws[0];
    // substr() with a length of -0 would return an empty string, so the
    // trailing cut is applied only when there is trailing whitespace.
    if (!empty($trailing)) {
        $string = substr($string, strlen($leading), -strlen($trailing));
    } else {
        $string = substr($string, strlen($leading));
    }

    // Split into name and (optional) value at the first '='.
    $parts = preg_split('/\s*=\s*/', $string, 2);
    $attr_name = $parts[0];
    $attr_value = '';
    $valueless = 'y';
    if (2 == count($parts)) {
        $attr_value = $parts[1];
        $valueless = 'n';

        // Keep the author's quote character when the value is quoted,
        // otherwise fall back to a double quote.
        $delimiter = ('' == $attr_value) ? '' : $attr_value[0];
        if ('"' != $delimiter && "'" != $delimiter) {
            $delimiter = '"';
        } elseif (substr($attr_value, -1) != $delimiter) {
            // Opening quote without a matching closing quote: reject.
            return '';
        } else {
            // A value that is only one quote character also reaches this
            // point (first and last byte are the same) and ends up empty.
            $attr_value = substr($attr_value, 1, -1);
        }

        // Escape quotes, angle brackets and entities before the protocol check.
        $attr_value = esc_attr($attr_value);
        if (in_array(strtolower($attr_name), $uris)) {
            $attr_value = wp_kses_bad_protocol($attr_value, $allowed_protocols);
        }

        // Rebuild the attribute with matching quotes. The name is inserted as
        // parsed; it is vetted only by the name check below.
        $string = $attr_name . '=' . $delimiter . $attr_value . $delimiter;
    }

    // Check the attribute by name against the allowlist. The return value is not
    // used, so the call can only affect the result by changing $string in place
    // (presumably by-reference parameters; wp_kses_attr_check() is defined elsewhere).
    wp_kses_attr_check($attr_name, $attr_value, $string, $valueless, $element, $allowed_html);

    // Put the original surrounding whitespace back.
    return $leading . $string . $trailing;
}

WordPress Version: 5.2

/**
 * Sanitizes a single HTML attribute string and returns it with safe quoting.
 *
 * The value is entity-escaped and re-quoted instead of being dropped, so this can
 * keep data in some situations where wp_kses() must strip the whole attribute.
 *
 * Security notes:
 * - The attribute name is not escaped here; it is only validated by
 *   wp_kses_attr_check() against the 'post' allowlist for $element.
 * - Protocol filtering applies only to the attribute names hard-coded in $uris.
 *   Any other URI-valued attribute the allowlist permits gets entity escaping only.
 * - A quoted value whose last character does not match its opening quote makes
 *   the function return an empty string (surrounding whitespace included).
 *
 * @since 4.2.3
 *
 * @param string $string  The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute; '' when the closing quote does not match.
 */
function wp_kses_one_attr($string, $element)
{
    // Attribute names whose values are treated as URIs.
    $uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');
    // The allowlist context is fixed to 'post'; callers cannot pick another one.
    $allowed_html = wp_kses_allowed_html('post');
    $allowed_protocols = wp_allowed_protocols();

    // Remove NUL characters, then JavaScript-entity sequences, before parsing
    // (both helpers are defined elsewhere).
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $string = wp_kses_js_entities($string);

    // Capture the surrounding whitespace so it can be put back on return.
    $ws = array();
    preg_match('/^\s*/', $string, $ws);
    $leading = $ws[0];
    preg_match('/\s*$/', $string, $ws);
    $trailing = $ws[0];
    // substr() with a length of -0 would return an empty string, so the
    // trailing cut is applied only when there is trailing whitespace.
    if (!empty($trailing)) {
        $string = substr($string, strlen($leading), -strlen($trailing));
    } else {
        $string = substr($string, strlen($leading));
    }

    // Split into name and (optional) value at the first '='.
    $parts = preg_split('/\s*=\s*/', $string, 2);
    $attr_name = $parts[0];
    $attr_value = '';
    $valueless = 'y';
    if (2 == count($parts)) {
        $attr_value = $parts[1];
        $valueless = 'n';

        // Keep the author's quote character when the value is quoted,
        // otherwise fall back to a double quote.
        $delimiter = ('' == $attr_value) ? '' : $attr_value[0];
        if ('"' != $delimiter && "'" != $delimiter) {
            $delimiter = '"';
        } elseif (substr($attr_value, -1) != $delimiter) {
            // Opening quote without a matching closing quote: reject.
            return '';
        } else {
            // A value that is only one quote character also reaches this
            // point (first and last byte are the same) and ends up empty.
            $attr_value = substr($attr_value, 1, -1);
        }

        // Escape quotes, angle brackets and entities before the protocol check.
        $attr_value = esc_attr($attr_value);
        if (in_array(strtolower($attr_name), $uris)) {
            $attr_value = wp_kses_bad_protocol($attr_value, $allowed_protocols);
        }

        // Rebuild the attribute with matching quotes. The name is inserted as
        // parsed; it is vetted only by the name check below.
        $string = $attr_name . '=' . $delimiter . $attr_value . $delimiter;
    }

    // Check the attribute by name against the allowlist. The return value is not
    // used, so the call can only affect the result by changing $string in place
    // (presumably by-reference parameters; wp_kses_attr_check() is defined elsewhere).
    wp_kses_attr_check($attr_name, $attr_value, $string, $valueless, $element, $allowed_html);

    // Put the original surrounding whitespace back.
    return $leading . $string . $trailing;
}

WordPress Version: .16

/**
 * Sanitizes a single HTML attribute string and returns it with safe quoting.
 *
 * The value is entity-escaped and re-quoted instead of being dropped, so this can
 * keep data in some situations where wp_kses() must strip the whole attribute.
 *
 * Security notes:
 * - The attribute name is not escaped here; it is only validated by
 *   wp_kses_attr_check() against the 'post' allowlist for $element.
 * - Protocol filtering applies only to the attribute names returned by
 *   wp_kses_uri_attributes(); other attributes get entity escaping only.
 * - A quoted value whose last character does not match its opening quote makes
 *   the function return an empty string (surrounding whitespace included).
 *
 * @since 4.2.3
 *
 * @param string $string  The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute; '' when the closing quote does not match.
 */
function wp_kses_one_attr($string, $element)
{
    // Attribute names whose values are treated as URIs.
    $uris = wp_kses_uri_attributes();
    // The allowlist context is fixed to 'post'; callers cannot pick another one.
    $allowed_html = wp_kses_allowed_html('post');
    $allowed_protocols = wp_allowed_protocols();

    // Remove NUL characters, then JavaScript-entity sequences, before parsing
    // (both helpers are defined elsewhere).
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $string = wp_kses_js_entities($string);

    // Capture the surrounding whitespace so it can be put back on return.
    $ws = array();
    preg_match('/^\s*/', $string, $ws);
    $leading = $ws[0];
    preg_match('/\s*$/', $string, $ws);
    $trailing = $ws[0];
    // substr() with a length of -0 would return an empty string, so the
    // trailing cut is applied only when there is trailing whitespace.
    if (!empty($trailing)) {
        $string = substr($string, strlen($leading), -strlen($trailing));
    } else {
        $string = substr($string, strlen($leading));
    }

    // Split into name and (optional) value at the first '='.
    $parts = preg_split('/\s*=\s*/', $string, 2);
    $attr_name = $parts[0];
    $attr_value = '';
    $valueless = 'y';
    if (2 == count($parts)) {
        $attr_value = $parts[1];
        $valueless = 'n';

        // Keep the author's quote character when the value is quoted,
        // otherwise fall back to a double quote.
        $delimiter = ('' == $attr_value) ? '' : $attr_value[0];
        if ('"' != $delimiter && "'" != $delimiter) {
            $delimiter = '"';
        } elseif (substr($attr_value, -1) != $delimiter) {
            // Opening quote without a matching closing quote: reject.
            return '';
        } else {
            // A value that is only one quote character also reaches this
            // point (first and last byte are the same) and ends up empty.
            $attr_value = substr($attr_value, 1, -1);
        }

        // Escape quotes, angle brackets and entities before the protocol check.
        $attr_value = esc_attr($attr_value);
        if (in_array(strtolower($attr_name), $uris)) {
            $attr_value = wp_kses_bad_protocol($attr_value, $allowed_protocols);
        }

        // Rebuild the attribute with matching quotes. The name is inserted as
        // parsed; it is vetted only by the name check below.
        $string = $attr_name . '=' . $delimiter . $attr_value . $delimiter;
    }

    // Check the attribute by name against the allowlist. The return value is not
    // used, so the call can only affect the result by changing $string in place
    // (presumably by-reference parameters; wp_kses_attr_check() is defined elsewhere).
    wp_kses_attr_check($attr_name, $attr_value, $string, $valueless, $element, $allowed_html);

    // Put the original surrounding whitespace back.
    return $leading . $string . $trailing;
}

WordPress Version: 4.4

/**
 * Filters one attribute only and ensures its value is allowed.
 *
 * This function has the advantage of being more secure than esc_attr() and can
 * escape data in some situations where wp_kses() must strip the whole attribute.
 *
 * @since 4.2.3
 *
 * @param string $string The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute.
 */
function wp_kses_one_attr($string, $element)
{
    // NOTE(review): the URI-attribute list is hard-coded in this version. Only names in this
    // list get the wp_kses_bad_protocol() pass below; any other attribute relies solely on
    // esc_attr() and wp_kses_attr_check(). Other versions on this page call
    // wp_kses_uri_attributes() here instead.
    $uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');
    // The allowlist is always requested for the 'post' context; this function takes no context parameter.
    $allowed_html = wp_kses_allowed_html('post');
    $allowed_protocols = wp_allowed_protocols();
    // Clean-up of the raw attribute text before any parsing. Both helpers are defined elsewhere;
    // presumably they strip NUL bytes and JavaScript entities -- confirm against their definitions.
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $string = wp_kses_js_entities($string);
    // Preserve leading and trailing whitespace.
    $matches = array();
    preg_match('/^\s*/', $string, $matches);
    $lead = $matches[0];
    preg_match('/\s*$/', $string, $matches);
    $trail = $matches[0];
    // A length of -0 would make substr() return an empty string, so the
    // "no trailing whitespace" case is handled without a length argument.
    if (empty($trail)) {
        $string = substr($string, strlen($lead));
    } else {
        $string = substr($string, strlen($lead), -strlen($trail));
    }
    // Parse attribute name and value from input.
    // Only the first '=' splits (limit 2); whitespace around it is discarded.
    $split = preg_split('/\s*=\s*/', $string, 2);
    $name = $split[0];
    if (count($split) == 2) {
        $value = $split[1];
        // Remove quotes surrounding $value.
        // Also guarantee correct quoting in $string for this one attribute.
        if ('' == $value) {
            $quote = '';
        } else {
            $quote = $value[0];
        }
        if ('"' == $quote || "'" == $quote) {
            // An opening quote must be matched by the same character at the end,
            // otherwise the whole attribute is rejected (and the whitespace is dropped too).
            // NOTE(review): a value that is only the quote character itself also passes this
            // comparison, leaving nothing for the substr() below to keep.
            if (substr($value, -1) != $quote) {
                return '';
            }
            $value = substr($value, 1, -1);
        } else {
            // Unquoted (or empty) values are re-emitted inside double quotes.
            $quote = '"';
        }
        // Sanitize quotes, angle braces, and entities.
        // Escaping runs first, so the protocol check below sees the already-escaped value.
        $value = esc_attr($value);
        // Sanitize URI values.
        // The name is lower-cased before the lookup, so the match is case-insensitive.
        if (in_array(strtolower($name), $uris)) {
            $value = wp_kses_bad_protocol($value, $allowed_protocols);
        }
        // $name is interpolated exactly as parsed, without escaping; vetting of the
        // name is left to wp_kses_attr_check() below.
        $string = "{$name}={$quote}{$value}{$quote}";
        $vless = 'n';
    } else {
        // No '=' found: treated as a valueless attribute.
        $value = '';
        $vless = 'y';
    }
    // Sanitize attribute by name.
    // The return value is discarded, so this call can only affect the result by modifying
    // its arguments by reference -- presumably it blanks $string for a disallowed
    // attribute; confirm against the definition of wp_kses_attr_check().
    wp_kses_attr_check($name, $value, $string, $vless, $element, $allowed_html);
    // Restore whitespace.
    return $lead . $string . $trail;
}

WordPress Version: .30

/**
 * Filters one attribute only and ensures its value is allowed.
 *
 * This function has the advantage of being more secure than esc_attr() and can
 * escape data in some situations where wp_kses() must strip the whole attribute.
 *
 * @since 4.2.3
 *
 * @param string $string The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute.
 */
function wp_kses_one_attr($string, $element)
{
    // The set of URI-carrying attribute names comes from a shared helper in this version
    // (other versions on this page hard-code the list). Only names it returns get the
    // wp_kses_bad_protocol() pass below.
    $uris = wp_kses_uri_attributes();
    // The allowlist is always requested for the 'post' context; this function takes no context parameter.
    $allowed_html = wp_kses_allowed_html('post');
    $allowed_protocols = wp_allowed_protocols();
    // Clean-up of the raw attribute text before any parsing. Both helpers are defined elsewhere;
    // presumably they strip NUL bytes and JavaScript entities -- confirm against their definitions.
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $string = wp_kses_js_entities($string);
    // Preserve leading and trailing whitespace.
    $matches = array();
    preg_match('/^\s*/', $string, $matches);
    $lead = $matches[0];
    preg_match('/\s*$/', $string, $matches);
    $trail = $matches[0];
    // A length of -0 would make substr() return an empty string, so the
    // "no trailing whitespace" case is handled without a length argument.
    if (empty($trail)) {
        $string = substr($string, strlen($lead));
    } else {
        $string = substr($string, strlen($lead), -strlen($trail));
    }
    // Parse attribute name and value from input.
    // Only the first '=' splits (limit 2); whitespace around it is discarded.
    $split = preg_split('/\s*=\s*/', $string, 2);
    $name = $split[0];
    if (count($split) == 2) {
        $value = $split[1];
        // Remove quotes surrounding $value.
        // Also guarantee correct quoting in $string for this one attribute.
        if ('' == $value) {
            $quote = '';
        } else {
            $quote = $value[0];
        }
        if ('"' == $quote || "'" == $quote) {
            // An opening quote must be matched by the same character at the end,
            // otherwise the whole attribute is rejected (and the whitespace is dropped too).
            // NOTE(review): a value that is only the quote character itself also passes this
            // comparison, leaving nothing for the substr() below to keep.
            if (substr($value, -1) != $quote) {
                return '';
            }
            $value = substr($value, 1, -1);
        } else {
            // Unquoted (or empty) values are re-emitted inside double quotes.
            $quote = '"';
        }
        // Sanitize quotes, angle braces, and entities.
        // Escaping runs first, so the protocol check below sees the already-escaped value.
        $value = esc_attr($value);
        // Sanitize URI values.
        // The name is lower-cased before the lookup; this assumes the helper returns
        // lower-case names -- confirm against wp_kses_uri_attributes().
        if (in_array(strtolower($name), $uris)) {
            $value = wp_kses_bad_protocol($value, $allowed_protocols);
        }
        // $name is interpolated exactly as parsed, without escaping; vetting of the
        // name is left to wp_kses_attr_check() below.
        $string = "{$name}={$quote}{$value}{$quote}";
        $vless = 'n';
    } else {
        // No '=' found: treated as a valueless attribute.
        $value = '';
        $vless = 'y';
    }
    // Sanitize attribute by name.
    // The return value is discarded, so this call can only affect the result by modifying
    // its arguments by reference -- presumably it blanks $string for a disallowed
    // attribute; confirm against the definition of wp_kses_attr_check().
    wp_kses_attr_check($name, $value, $string, $vless, $element, $allowed_html);
    // Restore whitespace.
    return $lead . $string . $trail;
}

WordPress Version: 4.3

/**
 * Filters one attribute only and ensures its value is allowed.
 *
 * This function has the advantage of being more secure than esc_attr() and can
 * escape data in some situations where wp_kses() must strip the whole attribute.
 *
 * @since 4.2.3
 *
 * @param string $string The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute.
 */
function wp_kses_one_attr($string, $element)
{
    // NOTE(review): the URI-attribute list is hard-coded in this version. Only names in this
    // list get the wp_kses_bad_protocol() pass below; any other attribute relies solely on
    // esc_attr() and wp_kses_attr_check(). Other versions on this page call
    // wp_kses_uri_attributes() here instead.
    $uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');
    // The allowlist is always requested for the 'post' context; this function takes no context parameter.
    $allowed_html = wp_kses_allowed_html('post');
    $allowed_protocols = wp_allowed_protocols();
    // Clean-up of the raw attribute text before any parsing. Both helpers are defined elsewhere;
    // presumably they strip NUL bytes and JavaScript entities -- confirm against their definitions.
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $string = wp_kses_js_entities($string);
    // Preserve leading and trailing whitespace.
    $matches = array();
    preg_match('/^\s*/', $string, $matches);
    $lead = $matches[0];
    preg_match('/\s*$/', $string, $matches);
    $trail = $matches[0];
    // A length of -0 would make substr() return an empty string, so the
    // "no trailing whitespace" case is handled without a length argument.
    if (empty($trail)) {
        $string = substr($string, strlen($lead));
    } else {
        $string = substr($string, strlen($lead), -strlen($trail));
    }
    // Parse attribute name and value from input.
    // Only the first '=' splits (limit 2); whitespace around it is discarded.
    $split = preg_split('/\s*=\s*/', $string, 2);
    $name = $split[0];
    if (count($split) == 2) {
        $value = $split[1];
        // Remove quotes surrounding $value.
        // Also guarantee correct quoting in $string for this one attribute.
        if ('' == $value) {
            $quote = '';
        } else {
            $quote = $value[0];
        }
        if ('"' == $quote || "'" == $quote) {
            // An opening quote must be matched by the same character at the end,
            // otherwise the whole attribute is rejected (and the whitespace is dropped too).
            // NOTE(review): a value that is only the quote character itself also passes this
            // comparison, leaving nothing for the substr() below to keep.
            if (substr($value, -1) != $quote) {
                return '';
            }
            $value = substr($value, 1, -1);
        } else {
            // Unquoted (or empty) values are re-emitted inside double quotes.
            $quote = '"';
        }
        // Sanitize quotes, angle braces, and entities.
        // Escaping runs first, so the protocol check below sees the already-escaped value.
        $value = esc_attr($value);
        // Sanitize URI values.
        // The name is lower-cased before the lookup, so the match is case-insensitive.
        if (in_array(strtolower($name), $uris)) {
            $value = wp_kses_bad_protocol($value, $allowed_protocols);
        }
        // $name is interpolated exactly as parsed, without escaping; vetting of the
        // name is left to wp_kses_attr_check() below.
        $string = "{$name}={$quote}{$value}{$quote}";
        $vless = 'n';
    } else {
        // No '=' found: treated as a valueless attribute.
        $value = '';
        $vless = 'y';
    }
    // Sanitize attribute by name.
    // The return value is discarded, so this call can only affect the result by modifying
    // its arguments by reference -- presumably it blanks $string for a disallowed
    // attribute; confirm against the definition of wp_kses_attr_check().
    wp_kses_attr_check($name, $value, $string, $vless, $element, $allowed_html);
    // Restore whitespace.
    return $lead . $string . $trail;
}

WordPress Version: .20

/**
 * Filters one attribute only and ensures its value is allowed.
 *
 * This function has the advantage of being more secure than esc_attr() and can
 * escape data in some situations where wp_kses() must strip the whole attribute.
 *
 * @since 4.2.3
 *
 * @param string $string The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute.
 */
function wp_kses_one_attr($string, $element)
{
    // The set of URI-carrying attribute names comes from a shared helper in this version
    // (other versions on this page hard-code the list). Only names it returns get the
    // wp_kses_bad_protocol() pass below.
    $uris = wp_kses_uri_attributes();
    // The allowlist is always requested for the 'post' context; this function takes no context parameter.
    $allowed_html = wp_kses_allowed_html('post');
    $allowed_protocols = wp_allowed_protocols();
    // Clean-up of the raw attribute text before any parsing. Both helpers are defined elsewhere;
    // presumably they strip NUL bytes and JavaScript entities -- confirm against their definitions.
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $string = wp_kses_js_entities($string);
    // Preserve leading and trailing whitespace.
    $matches = array();
    preg_match('/^\s*/', $string, $matches);
    $lead = $matches[0];
    preg_match('/\s*$/', $string, $matches);
    $trail = $matches[0];
    // A length of -0 would make substr() return an empty string, so the
    // "no trailing whitespace" case is handled without a length argument.
    if (empty($trail)) {
        $string = substr($string, strlen($lead));
    } else {
        $string = substr($string, strlen($lead), -strlen($trail));
    }
    // Parse attribute name and value from input.
    // Only the first '=' splits (limit 2); whitespace around it is discarded.
    $split = preg_split('/\s*=\s*/', $string, 2);
    $name = $split[0];
    if (count($split) == 2) {
        $value = $split[1];
        // Remove quotes surrounding $value.
        // Also guarantee correct quoting in $string for this one attribute.
        if ('' == $value) {
            $quote = '';
        } else {
            $quote = $value[0];
        }
        if ('"' == $quote || "'" == $quote) {
            // An opening quote must be matched by the same character at the end,
            // otherwise the whole attribute is rejected (and the whitespace is dropped too).
            // NOTE(review): a value that is only the quote character itself also passes this
            // comparison, leaving nothing for the substr() below to keep.
            if (substr($value, -1) != $quote) {
                return '';
            }
            $value = substr($value, 1, -1);
        } else {
            // Unquoted (or empty) values are re-emitted inside double quotes.
            $quote = '"';
        }
        // Sanitize quotes, angle braces, and entities.
        // Escaping runs first, so the protocol check below sees the already-escaped value.
        $value = esc_attr($value);
        // Sanitize URI values.
        // The name is lower-cased before the lookup; this assumes the helper returns
        // lower-case names -- confirm against wp_kses_uri_attributes().
        if (in_array(strtolower($name), $uris)) {
            $value = wp_kses_bad_protocol($value, $allowed_protocols);
        }
        // $name is interpolated exactly as parsed, without escaping; vetting of the
        // name is left to wp_kses_attr_check() below.
        $string = "{$name}={$quote}{$value}{$quote}";
        $vless = 'n';
    } else {
        // No '=' found: treated as a valueless attribute.
        $value = '';
        $vless = 'y';
    }
    // Sanitize attribute by name.
    // The return value is discarded, so this call can only affect the result by modifying
    // its arguments by reference -- presumably it blanks $string for a disallowed
    // attribute; confirm against the definition of wp_kses_attr_check().
    wp_kses_attr_check($name, $value, $string, $vless, $element, $allowed_html);
    // Restore whitespace.
    return $lead . $string . $trail;
}

WordPress Version: 4.2

/**
 * Filters one attribute only and ensures its value is allowed.
 *
 * This function has the advantage of being more secure than esc_attr() and can
 * escape data in some situations where wp_kses() must strip the whole attribute.
 *
 * @since 4.2.3
 *
 * @param string $string The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute.
 */
function wp_kses_one_attr($string, $element)
{
    // NOTE(review): the URI-attribute list is hard-coded in this version. Only names in this
    // list get the wp_kses_bad_protocol() pass below; any other attribute relies solely on
    // esc_attr() and wp_kses_attr_check(). Other versions on this page call
    // wp_kses_uri_attributes() here instead.
    $uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');
    // The allowlist is always requested for the 'post' context; this function takes no context parameter.
    $allowed_html = wp_kses_allowed_html('post');
    $allowed_protocols = wp_allowed_protocols();
    // Clean-up of the raw attribute text before any parsing. Both helpers are defined elsewhere;
    // presumably they strip NUL bytes and JavaScript entities -- confirm against their definitions.
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $string = wp_kses_js_entities($string);
    // Preserve leading and trailing whitespace.
    $matches = array();
    preg_match('/^\s*/', $string, $matches);
    $lead = $matches[0];
    preg_match('/\s*$/', $string, $matches);
    $trail = $matches[0];
    // A length of -0 would make substr() return an empty string, so the
    // "no trailing whitespace" case is handled without a length argument.
    if (empty($trail)) {
        $string = substr($string, strlen($lead));
    } else {
        $string = substr($string, strlen($lead), -strlen($trail));
    }
    // Parse attribute name and value from input.
    // Only the first '=' splits (limit 2); whitespace around it is discarded.
    $split = preg_split('/\s*=\s*/', $string, 2);
    $name = $split[0];
    if (count($split) == 2) {
        $value = $split[1];
        // Remove quotes surrounding $value.
        // Also guarantee correct quoting in $string for this one attribute.
        if ('' == $value) {
            $quote = '';
        } else {
            $quote = $value[0];
        }
        if ('"' == $quote || "'" == $quote) {
            // An opening quote must be matched by the same character at the end,
            // otherwise the whole attribute is rejected (and the whitespace is dropped too).
            // NOTE(review): a value that is only the quote character itself also passes this
            // comparison, leaving nothing for the substr() below to keep.
            if (substr($value, -1) != $quote) {
                return '';
            }
            $value = substr($value, 1, -1);
        } else {
            // Unquoted (or empty) values are re-emitted inside double quotes.
            $quote = '"';
        }
        // Sanitize quotes, angle braces, and entities.
        // Escaping runs first, so the protocol check below sees the already-escaped value.
        $value = esc_attr($value);
        // Sanitize URI values.
        // The name is lower-cased before the lookup, so the match is case-insensitive.
        if (in_array(strtolower($name), $uris)) {
            $value = wp_kses_bad_protocol($value, $allowed_protocols);
        }
        // $name is interpolated exactly as parsed, without escaping; vetting of the
        // name is left to wp_kses_attr_check() below.
        $string = "{$name}={$quote}{$value}{$quote}";
        $vless = 'n';
    } else {
        // No '=' found: treated as a valueless attribute.
        $value = '';
        $vless = 'y';
    }
    // Sanitize attribute by name.
    // The return value is discarded, so this call can only affect the result by modifying
    // its arguments by reference -- presumably it blanks $string for a disallowed
    // attribute; confirm against the definition of wp_kses_attr_check().
    wp_kses_attr_check($name, $value, $string, $vless, $element, $allowed_html);
    // Restore whitespace.
    return $lead . $string . $trail;
}

WordPress Version: .17

/**
 * Filters one attribute only and ensures its value is allowed.
 *
 * This function has the advantage of being more secure than esc_attr() and can
 * escape data in some situations where wp_kses() must strip the whole attribute.
 *
 * @since 4.2.3
 *
 * @param string $string The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute.
 */
function wp_kses_one_attr($string, $element)
{
    // The set of URI-carrying attribute names comes from a shared helper in this version
    // (other versions on this page hard-code the list). Only names it returns get the
    // wp_kses_bad_protocol() pass below.
    $uris = wp_kses_uri_attributes();
    // The allowlist is always requested for the 'post' context; this function takes no context parameter.
    $allowed_html = wp_kses_allowed_html('post');
    $allowed_protocols = wp_allowed_protocols();
    // Clean-up of the raw attribute text before any parsing. Both helpers are defined elsewhere;
    // presumably they strip NUL bytes and JavaScript entities -- confirm against their definitions.
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $string = wp_kses_js_entities($string);
    // Preserve leading and trailing whitespace.
    $matches = array();
    preg_match('/^\s*/', $string, $matches);
    $lead = $matches[0];
    preg_match('/\s*$/', $string, $matches);
    $trail = $matches[0];
    // A length of -0 would make substr() return an empty string, so the
    // "no trailing whitespace" case is handled without a length argument.
    if (empty($trail)) {
        $string = substr($string, strlen($lead));
    } else {
        $string = substr($string, strlen($lead), -strlen($trail));
    }
    // Parse attribute name and value from input.
    // Only the first '=' splits (limit 2); whitespace around it is discarded.
    $split = preg_split('/\s*=\s*/', $string, 2);
    $name = $split[0];
    if (count($split) == 2) {
        $value = $split[1];
        // Remove quotes surrounding $value.
        // Also guarantee correct quoting in $string for this one attribute.
        if ('' == $value) {
            $quote = '';
        } else {
            $quote = $value[0];
        }
        if ('"' == $quote || "'" == $quote) {
            // An opening quote must be matched by the same character at the end,
            // otherwise the whole attribute is rejected (and the whitespace is dropped too).
            // NOTE(review): a value that is only the quote character itself also passes this
            // comparison, leaving nothing for the substr() below to keep.
            if (substr($value, -1) != $quote) {
                return '';
            }
            $value = substr($value, 1, -1);
        } else {
            // Unquoted (or empty) values are re-emitted inside double quotes.
            $quote = '"';
        }
        // Sanitize quotes, angle braces, and entities.
        // Escaping runs first, so the protocol check below sees the already-escaped value.
        $value = esc_attr($value);
        // Sanitize URI values.
        // The name is lower-cased before the lookup; this assumes the helper returns
        // lower-case names -- confirm against wp_kses_uri_attributes().
        if (in_array(strtolower($name), $uris)) {
            $value = wp_kses_bad_protocol($value, $allowed_protocols);
        }
        // $name is interpolated exactly as parsed, without escaping; vetting of the
        // name is left to wp_kses_attr_check() below.
        $string = "{$name}={$quote}{$value}{$quote}";
        $vless = 'n';
    } else {
        // No '=' found: treated as a valueless attribute.
        $value = '';
        $vless = 'y';
    }
    // Sanitize attribute by name.
    // The return value is discarded, so this call can only affect the result by modifying
    // its arguments by reference -- presumably it blanks $string for a disallowed
    // attribute; confirm against the definition of wp_kses_attr_check().
    wp_kses_attr_check($name, $value, $string, $vless, $element, $allowed_html);
    // Restore whitespace.
    return $lead . $string . $trail;
}

WordPress Version: 3.4

/**
 * Filters one attribute only and ensures its value is allowed.
 *
 * This function has the advantage of being more secure than esc_attr() and can
 * escape data in some situations where wp_kses() must strip the whole attribute.
 *
 * @since 4.2.3
 *
 * @param string $string The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute.
 */
function wp_kses_one_attr($string, $element)
{
    // NOTE(review): the URI-attribute list is hard-coded in this version. Only names in this
    // list get the wp_kses_bad_protocol() pass below; any other attribute relies solely on
    // esc_attr() and wp_kses_attr_check(). Other versions on this page call
    // wp_kses_uri_attributes() here instead.
    $uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');
    // The allowlist is always requested for the 'post' context; this function takes no context parameter.
    $allowed_html = wp_kses_allowed_html('post');
    $allowed_protocols = wp_allowed_protocols();
    // Clean-up of the raw attribute text before any parsing. Both helpers are defined elsewhere;
    // presumably they strip NUL bytes and JavaScript entities -- confirm against their definitions.
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $string = wp_kses_js_entities($string);
    // Preserve leading and trailing whitespace.
    $matches = array();
    preg_match('/^\s*/', $string, $matches);
    $lead = $matches[0];
    preg_match('/\s*$/', $string, $matches);
    $trail = $matches[0];
    // A length of -0 would make substr() return an empty string, so the
    // "no trailing whitespace" case is handled without a length argument.
    if (empty($trail)) {
        $string = substr($string, strlen($lead));
    } else {
        $string = substr($string, strlen($lead), -strlen($trail));
    }
    // Parse attribute name and value from input.
    // Only the first '=' splits (limit 2); whitespace around it is discarded.
    $split = preg_split('/\s*=\s*/', $string, 2);
    $name = $split[0];
    if (count($split) == 2) {
        $value = $split[1];
        // Remove quotes surrounding $value.
        // Also guarantee correct quoting in $string for this one attribute.
        if ('' == $value) {
            $quote = '';
        } else {
            $quote = $value[0];
        }
        if ('"' == $quote || "'" == $quote) {
            // An opening quote must be matched by the same character at the end,
            // otherwise the whole attribute is rejected (and the whitespace is dropped too).
            // NOTE(review): a value that is only the quote character itself also passes this
            // comparison, leaving nothing for the substr() below to keep.
            if (substr($value, -1) != $quote) {
                return '';
            }
            $value = substr($value, 1, -1);
        } else {
            // Unquoted (or empty) values are re-emitted inside double quotes.
            $quote = '"';
        }
        // Sanitize quotes, angle braces, and entities.
        // Escaping runs first, so the protocol check below sees the already-escaped value.
        $value = esc_attr($value);
        // Sanitize URI values.
        // The name is lower-cased before the lookup, so the match is case-insensitive.
        if (in_array(strtolower($name), $uris)) {
            $value = wp_kses_bad_protocol($value, $allowed_protocols);
        }
        // $name is interpolated exactly as parsed, without escaping; vetting of the
        // name is left to wp_kses_attr_check() below.
        $string = "{$name}={$quote}{$value}{$quote}";
        $vless = 'n';
    } else {
        // No '=' found: treated as a valueless attribute.
        $value = '';
        $vless = 'y';
    }
    // Sanitize attribute by name.
    // The return value is discarded, so this call can only affect the result by modifying
    // its arguments by reference -- presumably it blanks $string for a disallowed
    // attribute; confirm against the definition of wp_kses_attr_check().
    wp_kses_attr_check($name, $value, $string, $vless, $element, $allowed_html);
    // Restore whitespace.
    return $lead . $string . $trail;
}

WordPress Version: .30

/**
 * Filters one attribute only and ensures its value is allowed.
 *
 * This function has the advantage of being more secure than esc_attr() and can
 * escape data in some situations where wp_kses() must strip the whole attribute.
 *
 * @since 4.2.3
 *
 * @param string $string The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute.
 */
function wp_kses_one_attr($string, $element)
{
    // The set of URI-carrying attribute names comes from a shared helper in this version
    // (other versions on this page hard-code the list). Only names it returns get the
    // wp_kses_bad_protocol() pass below.
    $uris = wp_kses_uri_attributes();
    // The allowlist is always requested for the 'post' context; this function takes no context parameter.
    $allowed_html = wp_kses_allowed_html('post');
    $allowed_protocols = wp_allowed_protocols();
    // Clean-up of the raw attribute text before any parsing. Both helpers are defined elsewhere;
    // presumably they strip NUL bytes and JavaScript entities -- confirm against their definitions.
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $string = wp_kses_js_entities($string);
    // Preserve leading and trailing whitespace.
    $matches = array();
    preg_match('/^\s*/', $string, $matches);
    $lead = $matches[0];
    preg_match('/\s*$/', $string, $matches);
    $trail = $matches[0];
    // A length of -0 would make substr() return an empty string, so the
    // "no trailing whitespace" case is handled without a length argument.
    if (empty($trail)) {
        $string = substr($string, strlen($lead));
    } else {
        $string = substr($string, strlen($lead), -strlen($trail));
    }
    // Parse attribute name and value from input.
    // Only the first '=' splits (limit 2); whitespace around it is discarded.
    $split = preg_split('/\s*=\s*/', $string, 2);
    $name = $split[0];
    if (count($split) == 2) {
        $value = $split[1];
        // Remove quotes surrounding $value.
        // Also guarantee correct quoting in $string for this one attribute.
        if ('' == $value) {
            $quote = '';
        } else {
            $quote = $value[0];
        }
        if ('"' == $quote || "'" == $quote) {
            // An opening quote must be matched by the same character at the end,
            // otherwise the whole attribute is rejected (and the whitespace is dropped too).
            // NOTE(review): a value that is only the quote character itself also passes this
            // comparison, leaving nothing for the substr() below to keep.
            if (substr($value, -1) != $quote) {
                return '';
            }
            $value = substr($value, 1, -1);
        } else {
            // Unquoted (or empty) values are re-emitted inside double quotes.
            $quote = '"';
        }
        // Sanitize quotes, angle braces, and entities.
        // Escaping runs first, so the protocol check below sees the already-escaped value.
        $value = esc_attr($value);
        // Sanitize URI values.
        // The name is lower-cased before the lookup; this assumes the helper returns
        // lower-case names -- confirm against wp_kses_uri_attributes().
        if (in_array(strtolower($name), $uris)) {
            $value = wp_kses_bad_protocol($value, $allowed_protocols);
        }
        // $name is interpolated exactly as parsed, without escaping; vetting of the
        // name is left to wp_kses_attr_check() below.
        $string = "{$name}={$quote}{$value}{$quote}";
        $vless = 'n';
    } else {
        // No '=' found: treated as a valueless attribute.
        $value = '';
        $vless = 'y';
    }
    // Sanitize attribute by name.
    // The return value is discarded, so this call can only affect the result by modifying
    // its arguments by reference -- presumably it blanks $string for a disallowed
    // attribute; confirm against the definition of wp_kses_attr_check().
    wp_kses_attr_check($name, $value, $string, $vless, $element, $allowed_html);
    // Restore whitespace.
    return $lead . $string . $trail;
}

WordPress Version: 3.3

/**
 * Filters one attribute only and ensures its value is allowed.
 *
 * This function has the advantage of being more secure than esc_attr() and can
 * escape data in some situations where wp_kses() must strip the whole attribute.
 *
 * @since 4.2.3
 *
 * @param string $string The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute.
 */
function wp_kses_one_attr($string, $element)
{
    // NOTE(review): the URI-attribute list is hard-coded in this version. Only names in this
    // list get the wp_kses_bad_protocol() pass below; any other attribute relies solely on
    // esc_attr() and wp_kses_attr_check(). Other versions on this page call
    // wp_kses_uri_attributes() here instead.
    $uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');
    // The allowlist is always requested for the 'post' context; this function takes no context parameter.
    $allowed_html = wp_kses_allowed_html('post');
    $allowed_protocols = wp_allowed_protocols();
    // Clean-up of the raw attribute text before any parsing. Both helpers are defined elsewhere;
    // presumably they strip NUL bytes and JavaScript entities -- confirm against their definitions.
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $string = wp_kses_js_entities($string);
    // Preserve leading and trailing whitespace.
    $matches = array();
    preg_match('/^\s*/', $string, $matches);
    $lead = $matches[0];
    preg_match('/\s*$/', $string, $matches);
    $trail = $matches[0];
    // A length of -0 would make substr() return an empty string, so the
    // "no trailing whitespace" case is handled without a length argument.
    if (empty($trail)) {
        $string = substr($string, strlen($lead));
    } else {
        $string = substr($string, strlen($lead), -strlen($trail));
    }
    // Parse attribute name and value from input.
    // Only the first '=' splits (limit 2); whitespace around it is discarded.
    $split = preg_split('/\s*=\s*/', $string, 2);
    $name = $split[0];
    if (count($split) == 2) {
        $value = $split[1];
        // Remove quotes surrounding $value.
        // Also guarantee correct quoting in $string for this one attribute.
        if ('' == $value) {
            $quote = '';
        } else {
            $quote = $value[0];
        }
        if ('"' == $quote || "'" == $quote) {
            // An opening quote must be matched by the same character at the end,
            // otherwise the whole attribute is rejected (and the whitespace is dropped too).
            // NOTE(review): a value that is only the quote character itself also passes this
            // comparison, leaving nothing for the substr() below to keep.
            if (substr($value, -1) != $quote) {
                return '';
            }
            $value = substr($value, 1, -1);
        } else {
            // Unquoted (or empty) values are re-emitted inside double quotes.
            $quote = '"';
        }
        // Sanitize quotes, angle braces, and entities.
        // Escaping runs first, so the protocol check below sees the already-escaped value.
        $value = esc_attr($value);
        // Sanitize URI values.
        // The name is lower-cased before the lookup, so the match is case-insensitive.
        if (in_array(strtolower($name), $uris)) {
            $value = wp_kses_bad_protocol($value, $allowed_protocols);
        }
        // $name is interpolated exactly as parsed, without escaping; vetting of the
        // name is left to wp_kses_attr_check() below.
        $string = "{$name}={$quote}{$value}{$quote}";
        $vless = 'n';
    } else {
        // No '=' found: treated as a valueless attribute.
        $value = '';
        $vless = 'y';
    }
    // Sanitize attribute by name.
    // The return value is discarded, so this call can only affect the result by modifying
    // its arguments by reference -- presumably it blanks $string for a disallowed
    // attribute; confirm against the definition of wp_kses_attr_check().
    wp_kses_attr_check($name, $value, $string, $vless, $element, $allowed_html);
    // Restore whitespace.
    return $lead . $string . $trail;
}

WordPress Version: .20

/**
 * Filters one attribute only and ensures its value is allowed.
 *
 * This function has the advantage of being more secure than esc_attr() and can
 * escape data in some situations where wp_kses() must strip the whole attribute.
 *
 * @since 4.2.3
 *
 * @param string $string The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute.
 */
function wp_kses_one_attr($string, $element)
{
    // The set of URI-carrying attribute names comes from a shared helper in this version
    // (other versions on this page hard-code the list). Only names it returns get the
    // wp_kses_bad_protocol() pass below.
    $uris = wp_kses_uri_attributes();
    // The allowlist is always requested for the 'post' context; this function takes no context parameter.
    $allowed_html = wp_kses_allowed_html('post');
    $allowed_protocols = wp_allowed_protocols();
    // Clean-up of the raw attribute text before any parsing. Both helpers are defined elsewhere;
    // presumably they strip NUL bytes and JavaScript entities -- confirm against their definitions.
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $string = wp_kses_js_entities($string);
    // Preserve leading and trailing whitespace.
    $matches = array();
    preg_match('/^\s*/', $string, $matches);
    $lead = $matches[0];
    preg_match('/\s*$/', $string, $matches);
    $trail = $matches[0];
    // A length of -0 would make substr() return an empty string, so the
    // "no trailing whitespace" case is handled without a length argument.
    if (empty($trail)) {
        $string = substr($string, strlen($lead));
    } else {
        $string = substr($string, strlen($lead), -strlen($trail));
    }
    // Parse attribute name and value from input.
    // Only the first '=' splits (limit 2); whitespace around it is discarded.
    $split = preg_split('/\s*=\s*/', $string, 2);
    $name = $split[0];
    if (count($split) == 2) {
        $value = $split[1];
        // Remove quotes surrounding $value.
        // Also guarantee correct quoting in $string for this one attribute.
        if ('' == $value) {
            $quote = '';
        } else {
            $quote = $value[0];
        }
        if ('"' == $quote || "'" == $quote) {
            // An opening quote must be matched by the same character at the end,
            // otherwise the whole attribute is rejected (and the whitespace is dropped too).
            // NOTE(review): a value that is only the quote character itself also passes this
            // comparison, leaving nothing for the substr() below to keep.
            if (substr($value, -1) != $quote) {
                return '';
            }
            $value = substr($value, 1, -1);
        } else {
            // Unquoted (or empty) values are re-emitted inside double quotes.
            $quote = '"';
        }
        // Sanitize quotes, angle braces, and entities.
        // Escaping runs first, so the protocol check below sees the already-escaped value.
        $value = esc_attr($value);
        // Sanitize URI values.
        // The name is lower-cased before the lookup; this assumes the helper returns
        // lower-case names -- confirm against wp_kses_uri_attributes().
        if (in_array(strtolower($name), $uris)) {
            $value = wp_kses_bad_protocol($value, $allowed_protocols);
        }
        // $name is interpolated exactly as parsed, without escaping; vetting of the
        // name is left to wp_kses_attr_check() below.
        $string = "{$name}={$quote}{$value}{$quote}";
        $vless = 'n';
    } else {
        // No '=' found: treated as a valueless attribute.
        $value = '';
        $vless = 'y';
    }
    // Sanitize attribute by name.
    // The return value is discarded, so this call can only affect the result by modifying
    // its arguments by reference -- presumably it blanks $string for a disallowed
    // attribute; confirm against the definition of wp_kses_attr_check().
    wp_kses_attr_check($name, $value, $string, $vless, $element, $allowed_html);
    // Restore whitespace.
    return $lead . $string . $trail;
}

WordPress Version: 3.2

/**
 * Filters one attribute only and ensures its value is allowed.
 *
 * This function has the advantage of being more secure than esc_attr() and can
 * escape data in some situations where wp_kses() must strip the whole attribute.
 *
 * @since 4.2.3
 *
 * @param string $string The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute.
 */
function wp_kses_one_attr($string, $element)
{
    // NOTE(review): the URI-attribute list is hard-coded in this version. Only names in this
    // list get the wp_kses_bad_protocol() pass below; any other attribute relies solely on
    // esc_attr() and wp_kses_attr_check(). Other versions on this page call
    // wp_kses_uri_attributes() here instead.
    $uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');
    // The allowlist is always requested for the 'post' context; this function takes no context parameter.
    $allowed_html = wp_kses_allowed_html('post');
    $allowed_protocols = wp_allowed_protocols();
    // Clean-up of the raw attribute text before any parsing. Both helpers are defined elsewhere;
    // presumably they strip NUL bytes and JavaScript entities -- confirm against their definitions.
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $string = wp_kses_js_entities($string);
    // Preserve leading and trailing whitespace.
    $matches = array();
    preg_match('/^\s*/', $string, $matches);
    $lead = $matches[0];
    preg_match('/\s*$/', $string, $matches);
    $trail = $matches[0];
    // A length of -0 would make substr() return an empty string, so the
    // "no trailing whitespace" case is handled without a length argument.
    if (empty($trail)) {
        $string = substr($string, strlen($lead));
    } else {
        $string = substr($string, strlen($lead), -strlen($trail));
    }
    // Parse attribute name and value from input.
    // Only the first '=' splits (limit 2); whitespace around it is discarded.
    $split = preg_split('/\s*=\s*/', $string, 2);
    $name = $split[0];
    if (count($split) == 2) {
        $value = $split[1];
        // Remove quotes surrounding $value.
        // Also guarantee correct quoting in $string for this one attribute.
        if ('' == $value) {
            $quote = '';
        } else {
            $quote = $value[0];
        }
        if ('"' == $quote || "'" == $quote) {
            // An opening quote must be matched by the same character at the end,
            // otherwise the whole attribute is rejected (and the whitespace is dropped too).
            // NOTE(review): a value that is only the quote character itself also passes this
            // comparison, leaving nothing for the substr() below to keep.
            if (substr($value, -1) != $quote) {
                return '';
            }
            $value = substr($value, 1, -1);
        } else {
            // Unquoted (or empty) values are re-emitted inside double quotes.
            $quote = '"';
        }
        // Sanitize quotes, angle braces, and entities.
        // Escaping runs first, so the protocol check below sees the already-escaped value.
        $value = esc_attr($value);
        // Sanitize URI values.
        // The name is lower-cased before the lookup, so the match is case-insensitive.
        if (in_array(strtolower($name), $uris)) {
            $value = wp_kses_bad_protocol($value, $allowed_protocols);
        }
        // $name is interpolated exactly as parsed, without escaping; vetting of the
        // name is left to wp_kses_attr_check() below.
        $string = "{$name}={$quote}{$value}{$quote}";
        $vless = 'n';
    } else {
        // No '=' found: treated as a valueless attribute.
        $value = '';
        $vless = 'y';
    }
    // Sanitize attribute by name.
    // The return value is discarded, so this call can only affect the result by modifying
    // its arguments by reference -- presumably it blanks $string for a disallowed
    // attribute; confirm against the definition of wp_kses_attr_check().
    wp_kses_attr_check($name, $value, $string, $vless, $element, $allowed_html);
    // Restore whitespace.
    return $lead . $string . $trail;
}

WordPress Version: .18

/**
 * Filters one attribute only and ensures its value is allowed.
 *
 * This function has the advantage of being more secure than esc_attr() and can
 * escape data in some situations where wp_kses() must strip the whole attribute.
 *
 * @since 4.2.3
 *
 * @param string $string The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute.
 */
function wp_kses_one_attr($string, $element)
{
    // The set of URI-carrying attribute names comes from a shared helper in this version
    // (other versions on this page hard-code the list). Only names it returns get the
    // wp_kses_bad_protocol() pass below.
    $uris = wp_kses_uri_attributes();
    // The allowlist is always requested for the 'post' context; this function takes no context parameter.
    $allowed_html = wp_kses_allowed_html('post');
    $allowed_protocols = wp_allowed_protocols();
    // Clean-up of the raw attribute text before any parsing. Both helpers are defined elsewhere;
    // presumably they strip NUL bytes and JavaScript entities -- confirm against their definitions.
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $string = wp_kses_js_entities($string);
    // Preserve leading and trailing whitespace.
    $matches = array();
    preg_match('/^\s*/', $string, $matches);
    $lead = $matches[0];
    preg_match('/\s*$/', $string, $matches);
    $trail = $matches[0];
    // A length of -0 would make substr() return an empty string, so the
    // "no trailing whitespace" case is handled without a length argument.
    if (empty($trail)) {
        $string = substr($string, strlen($lead));
    } else {
        $string = substr($string, strlen($lead), -strlen($trail));
    }
    // Parse attribute name and value from input.
    // Only the first '=' splits (limit 2); whitespace around it is discarded.
    $split = preg_split('/\s*=\s*/', $string, 2);
    $name = $split[0];
    if (count($split) == 2) {
        $value = $split[1];
        // Remove quotes surrounding $value.
        // Also guarantee correct quoting in $string for this one attribute.
        if ('' == $value) {
            $quote = '';
        } else {
            $quote = $value[0];
        }
        if ('"' == $quote || "'" == $quote) {
            // An opening quote must be matched by the same character at the end,
            // otherwise the whole attribute is rejected (and the whitespace is dropped too).
            // NOTE(review): a value that is only the quote character itself also passes this
            // comparison, leaving nothing for the substr() below to keep.
            if (substr($value, -1) != $quote) {
                return '';
            }
            $value = substr($value, 1, -1);
        } else {
            // Unquoted (or empty) values are re-emitted inside double quotes.
            $quote = '"';
        }
        // Sanitize quotes, angle braces, and entities.
        // Escaping runs first, so the protocol check below sees the already-escaped value.
        $value = esc_attr($value);
        // Sanitize URI values.
        // The name is lower-cased before the lookup; this assumes the helper returns
        // lower-case names -- confirm against wp_kses_uri_attributes().
        if (in_array(strtolower($name), $uris)) {
            $value = wp_kses_bad_protocol($value, $allowed_protocols);
        }
        // $name is interpolated exactly as parsed, without escaping; vetting of the
        // name is left to wp_kses_attr_check() below.
        $string = "{$name}={$quote}{$value}{$quote}";
        $vless = 'n';
    } else {
        // No '=' found: treated as a valueless attribute.
        $value = '';
        $vless = 'y';
    }
    // Sanitize attribute by name.
    // The return value is discarded, so this call can only affect the result by modifying
    // its arguments by reference -- presumably it blanks $string for a disallowed
    // attribute; confirm against the definition of wp_kses_attr_check().
    wp_kses_attr_check($name, $value, $string, $vless, $element, $allowed_html);
    // Restore whitespace.
    return $lead . $string . $trail;
}

WordPress Version: 4.3

/**
 * Filters one attribute only and ensures its value is allowed.
 *
 * This function has the advantage of being more secure than esc_attr() and can
 * escape data in some situations where wp_kses() must strip the whole attribute.
 *
 * @since 4.2.3
 *
 * @param string $string The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute.
 */
function wp_kses_one_attr($string, $element)
{
    // NOTE(review): the URI-attribute list is hard-coded in this version. Only names in this
    // list get the wp_kses_bad_protocol() pass below; any other attribute relies solely on
    // esc_attr() and wp_kses_attr_check(). Other versions on this page call
    // wp_kses_uri_attributes() here instead.
    $uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');
    // The allowlist is always requested for the 'post' context; this function takes no context parameter.
    $allowed_html = wp_kses_allowed_html('post');
    $allowed_protocols = wp_allowed_protocols();
    // Clean-up of the raw attribute text before any parsing. Both helpers are defined elsewhere;
    // presumably they strip NUL bytes and JavaScript entities -- confirm against their definitions.
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $string = wp_kses_js_entities($string);
    // Preserve leading and trailing whitespace.
    $matches = array();
    preg_match('/^\s*/', $string, $matches);
    $lead = $matches[0];
    preg_match('/\s*$/', $string, $matches);
    $trail = $matches[0];
    // A length of -0 would make substr() return an empty string, so the
    // "no trailing whitespace" case is handled without a length argument.
    if (empty($trail)) {
        $string = substr($string, strlen($lead));
    } else {
        $string = substr($string, strlen($lead), -strlen($trail));
    }
    // Parse attribute name and value from input.
    // Only the first '=' splits (limit 2); whitespace around it is discarded.
    $split = preg_split('/\s*=\s*/', $string, 2);
    $name = $split[0];
    if (count($split) == 2) {
        $value = $split[1];
        // Remove quotes surrounding $value.
        // Also guarantee correct quoting in $string for this one attribute.
        if ('' == $value) {
            $quote = '';
        } else {
            $quote = $value[0];
        }
        if ('"' == $quote || "'" == $quote) {
            // An opening quote must be matched by the same character at the end,
            // otherwise the whole attribute is rejected (and the whitespace is dropped too).
            // NOTE(review): a value that is only the quote character itself also passes this
            // comparison, leaving nothing for the substr() below to keep.
            if (substr($value, -1) != $quote) {
                return '';
            }
            $value = substr($value, 1, -1);
        } else {
            // Unquoted (or empty) values are re-emitted inside double quotes.
            $quote = '"';
        }
        // Sanitize quotes, angle braces, and entities.
        // Escaping runs first, so the protocol check below sees the already-escaped value.
        $value = esc_attr($value);
        // Sanitize URI values.
        // The name is lower-cased before the lookup, so the match is case-insensitive.
        if (in_array(strtolower($name), $uris)) {
            $value = wp_kses_bad_protocol($value, $allowed_protocols);
        }
        // $name is interpolated exactly as parsed, without escaping; vetting of the
        // name is left to wp_kses_attr_check() below.
        $string = "{$name}={$quote}{$value}{$quote}";
        $vless = 'n';
    } else {
        // No '=' found: treated as a valueless attribute.
        $value = '';
        $vless = 'y';
    }
    // Sanitize attribute by name.
    // The return value is discarded, so this call can only affect the result by modifying
    // its arguments by reference -- presumably it blanks $string for a disallowed
    // attribute; confirm against the definition of wp_kses_attr_check().
    wp_kses_attr_check($name, $value, $string, $vless, $element, $allowed_html);
    // Restore whitespace.
    return $lead . $string . $trail;
}

WordPress Version: 2.4

/**
 * Filters one attribute only and ensures its value is allowed.
 *
 * This function has the advantage of being more secure than esc_attr() and can
 * escape data in some situations where wp_kses() must strip the whole attribute.
 *
 * The allow list handed to wp_kses_attr_check() is always the one for the 'post'
 * context. A quoted value without a matching closing quote is rejected outright.
 *
 * @since 4.2.3
 *
 * @param string $string The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute with its original leading and trailing
 *                whitespace restored, or '' when the value's quotes are unbalanced.
 */
function wp_kses_one_attr($string, $element)
{
    // Only attribute names in this hard-coded list get protocol filtering below;
    // any other attribute name skips wp_kses_bad_protocol() in this function.
    $uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');
    // The allow list is fixed to the 'post' context, whatever the caller's context is.
    $allowed_html = wp_kses_allowed_html('post');
    $allowed_protocols = wp_allowed_protocols();
    // These three filters run on the whole attribute, before it is split into name and value.
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $string = wp_kses_js_entities($string);
    $string = wp_kses_normalize_entities($string);
    // Preserve leading and trailing whitespace.
    $matches = array();
    preg_match('/^\s*/', $string, $matches);
    $lead = $matches[0];
    preg_match('/\s*$/', $string, $matches);
    $trail = $matches[0];
    // -strlen('') is 0, and substr() with length 0 returns an empty string,
    // hence the separate branch when there is no trailing whitespace.
    if (empty($trail)) {
        $string = substr($string, strlen($lead));
    } else {
        $string = substr($string, strlen($lead), -strlen($trail));
    }
    // Parse attribute name and value from input.
    // The limit of 2 splits on the first '=' only, so '=' inside the value is kept.
    $split = preg_split('/\s*=\s*/', $string, 2);
    $name = $split[0];
    if (count($split) == 2) {
        $value = $split[1];
        // Remove quotes surrounding $value.
        // Also guarantee correct quoting in $string for this one attribute.
        if ('' == $value) {
            $quote = '';
        } else {
            $quote = $value[0];
        }
        if ('"' == $quote || "'" == $quote) {
            // Unbalanced quoting: return nothing at all (whitespace included)
            // rather than guess where the value ends.
            if (substr($value, -1) != $quote) {
                return '';
            }
            // NOTE(review): a value consisting of one quote character passes the check
            // above (its first and last character are the same) and ends up as an empty value.
            $value = substr($value, 1, -1);
        } else {
            // Unquoted or empty value: the rebuilt attribute is always double-quoted.
            $quote = '"';
        }
        // Sanitize quotes and angle braces.
        // ENT_QUOTES encodes both quote styles, so the value cannot close the quote chosen
        // above; the final `false` (double_encode) leaves already-present entities as they are.
        $value = htmlspecialchars($value, ENT_QUOTES, null, false);
        // Sanitize URI values.
        if (in_array(strtolower($name), $uris)) {
            $value = wp_kses_bad_protocol($value, $allowed_protocols);
        }
        // $name is interpolated as parsed; this function does not escape or validate it itself.
        $string = "{$name}={$quote}{$value}{$quote}";
        $vless = 'n';
    } else {
        // No '=' in the input: the attribute is passed on with an empty value and $vless = 'y'.
        $value = '';
        $vless = 'y';
    }
    // Sanitize attribute by name.
    // The return value is not used, so the verdict has to come back through $string
    // (presumably passed by reference — confirm against wp_kses_attr_check()).
    wp_kses_attr_check($name, $value, $string, $vless, $element, $allowed_html);
    // Restore whitespace.
    return $lead . $string . $trail;
}

WordPress Version: .30

/**
 * Filters one attribute only and ensures its value is allowed.
 *
 * This function has the advantage of being more secure than esc_attr() and can
 * escape data in some situations where wp_kses() must strip the whole attribute.
 *
 * The allow list handed to wp_kses_attr_check() is always the one for the 'post'
 * context. A quoted value without a matching closing quote is rejected outright.
 *
 * @since 4.2.3
 *
 * @param string $string The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute with its original leading and trailing
 *                whitespace restored, or '' when the value's quotes are unbalanced.
 */
function wp_kses_one_attr($string, $element)
{
    // Attribute names whose values get protocol filtering below; the list is
    // supplied by wp_kses_uri_attributes() rather than spelled out here.
    $uris = wp_kses_uri_attributes();
    // The allow list is fixed to the 'post' context, whatever the caller's context is.
    $allowed_html = wp_kses_allowed_html('post');
    $allowed_protocols = wp_allowed_protocols();
    // These three filters run on the whole attribute, before it is split into name and value.
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $string = wp_kses_js_entities($string);
    $string = wp_kses_normalize_entities($string);
    // Preserve leading and trailing whitespace.
    $matches = array();
    preg_match('/^\s*/', $string, $matches);
    $lead = $matches[0];
    preg_match('/\s*$/', $string, $matches);
    $trail = $matches[0];
    // -strlen('') is 0, and substr() with length 0 returns an empty string,
    // hence the separate branch when there is no trailing whitespace.
    if (empty($trail)) {
        $string = substr($string, strlen($lead));
    } else {
        $string = substr($string, strlen($lead), -strlen($trail));
    }
    // Parse attribute name and value from input.
    // The limit of 2 splits on the first '=' only, so '=' inside the value is kept.
    $split = preg_split('/\s*=\s*/', $string, 2);
    $name = $split[0];
    if (count($split) == 2) {
        $value = $split[1];
        // Remove quotes surrounding $value.
        // Also guarantee correct quoting in $string for this one attribute.
        if ('' == $value) {
            $quote = '';
        } else {
            $quote = $value[0];
        }
        if ('"' == $quote || "'" == $quote) {
            // Unbalanced quoting: return nothing at all (whitespace included)
            // rather than guess where the value ends.
            if (substr($value, -1) != $quote) {
                return '';
            }
            // NOTE(review): a value consisting of one quote character passes the check
            // above (its first and last character are the same) and ends up as an empty value.
            $value = substr($value, 1, -1);
        } else {
            // Unquoted or empty value: the rebuilt attribute is always double-quoted.
            $quote = '"';
        }
        // Sanitize quotes and angle braces.
        // ENT_QUOTES encodes both quote styles, so the value cannot close the quote chosen
        // above; the final `false` (double_encode) leaves already-present entities as they are.
        $value = htmlspecialchars($value, ENT_QUOTES, null, false);
        // Sanitize URI values.
        if (in_array(strtolower($name), $uris)) {
            $value = wp_kses_bad_protocol($value, $allowed_protocols);
        }
        // $name is interpolated as parsed; this function does not escape or validate it itself.
        $string = "{$name}={$quote}{$value}{$quote}";
        $vless = 'n';
    } else {
        // No '=' in the input: the attribute is passed on with an empty value and $vless = 'y'.
        $value = '';
        $vless = 'y';
    }
    // Sanitize attribute by name.
    // The return value is not used, so the verdict has to come back through $string
    // (presumably passed by reference — confirm against wp_kses_attr_check()).
    wp_kses_attr_check($name, $value, $string, $vless, $element, $allowed_html);
    // Restore whitespace.
    return $lead . $string . $trail;
}

WordPress Version: 2.3

/**
 * Filters one attribute only and ensures its value is allowed.
 *
 * This function has the advantage of being more secure than esc_attr() and can
 * escape data in some situations where wp_kses() must strip the whole attribute.
 *
 * The allow list handed to wp_kses_attr_check() is always the one for the 'post'
 * context. A quoted value without a matching closing quote is rejected outright.
 *
 * @since 4.2.3
 *
 * @param string $string The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute with its original leading and trailing
 *                whitespace restored, or '' when the value's quotes are unbalanced.
 */
function wp_kses_one_attr($string, $element)
{
    // Only attribute names in this hard-coded list get protocol filtering below;
    // any other attribute name skips wp_kses_bad_protocol() in this function.
    $uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');
    // The allow list is fixed to the 'post' context, whatever the caller's context is.
    $allowed_html = wp_kses_allowed_html('post');
    $allowed_protocols = wp_allowed_protocols();
    // These three filters run on the whole attribute, before it is split into name and value.
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $string = wp_kses_js_entities($string);
    $string = wp_kses_normalize_entities($string);
    // Preserve leading and trailing whitespace.
    $matches = array();
    preg_match('/^\s*/', $string, $matches);
    $lead = $matches[0];
    preg_match('/\s*$/', $string, $matches);
    $trail = $matches[0];
    // -strlen('') is 0, and substr() with length 0 returns an empty string,
    // hence the separate branch when there is no trailing whitespace.
    if (empty($trail)) {
        $string = substr($string, strlen($lead));
    } else {
        $string = substr($string, strlen($lead), -strlen($trail));
    }
    // Parse attribute name and value from input.
    // The limit of 2 splits on the first '=' only, so '=' inside the value is kept.
    $split = preg_split('/\s*=\s*/', $string, 2);
    $name = $split[0];
    if (count($split) == 2) {
        $value = $split[1];
        // Remove quotes surrounding $value.
        // Also guarantee correct quoting in $string for this one attribute.
        if ('' == $value) {
            $quote = '';
        } else {
            $quote = $value[0];
        }
        if ('"' == $quote || "'" == $quote) {
            // Unbalanced quoting: return nothing at all (whitespace included)
            // rather than guess where the value ends.
            if (substr($value, -1) != $quote) {
                return '';
            }
            // NOTE(review): a value consisting of one quote character passes the check
            // above (its first and last character are the same) and ends up as an empty value.
            $value = substr($value, 1, -1);
        } else {
            // Unquoted or empty value: the rebuilt attribute is always double-quoted.
            $quote = '"';
        }
        // Sanitize quotes and angle braces.
        // ENT_QUOTES encodes both quote styles, so the value cannot close the quote chosen
        // above; the final `false` (double_encode) leaves already-present entities as they are.
        $value = htmlspecialchars($value, ENT_QUOTES, null, false);
        // Sanitize URI values.
        if (in_array(strtolower($name), $uris)) {
            $value = wp_kses_bad_protocol($value, $allowed_protocols);
        }
        // $name is interpolated as parsed; this function does not escape or validate it itself.
        $string = "{$name}={$quote}{$value}{$quote}";
        $vless = 'n';
    } else {
        // No '=' in the input: the attribute is passed on with an empty value and $vless = 'y'.
        $value = '';
        $vless = 'y';
    }
    // Sanitize attribute by name.
    // The return value is not used, so the verdict has to come back through $string
    // (presumably passed by reference — confirm against wp_kses_attr_check()).
    wp_kses_attr_check($name, $value, $string, $vless, $element, $allowed_html);
    // Restore whitespace.
    return $lead . $string . $trail;
}

WordPress Version: .22

/**
 * Filters one attribute only and ensures its value is allowed.
 *
 * This function has the advantage of being more secure than esc_attr() and can
 * escape data in some situations where wp_kses() must strip the whole attribute.
 *
 * The allow list handed to wp_kses_attr_check() is always the one for the 'post'
 * context. A quoted value without a matching closing quote is rejected outright.
 *
 * @since 4.2.3
 *
 * @param string $string The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute with its original leading and trailing
 *                whitespace restored, or '' when the value's quotes are unbalanced.
 */
function wp_kses_one_attr($string, $element)
{
    // Attribute names whose values get protocol filtering below; the list is
    // supplied by wp_kses_uri_attributes() rather than spelled out here.
    $uris = wp_kses_uri_attributes();
    // The allow list is fixed to the 'post' context, whatever the caller's context is.
    $allowed_html = wp_kses_allowed_html('post');
    $allowed_protocols = wp_allowed_protocols();
    // These three filters run on the whole attribute, before it is split into name and value.
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $string = wp_kses_js_entities($string);
    $string = wp_kses_normalize_entities($string);
    // Preserve leading and trailing whitespace.
    $matches = array();
    preg_match('/^\s*/', $string, $matches);
    $lead = $matches[0];
    preg_match('/\s*$/', $string, $matches);
    $trail = $matches[0];
    // -strlen('') is 0, and substr() with length 0 returns an empty string,
    // hence the separate branch when there is no trailing whitespace.
    if (empty($trail)) {
        $string = substr($string, strlen($lead));
    } else {
        $string = substr($string, strlen($lead), -strlen($trail));
    }
    // Parse attribute name and value from input.
    // The limit of 2 splits on the first '=' only, so '=' inside the value is kept.
    $split = preg_split('/\s*=\s*/', $string, 2);
    $name = $split[0];
    if (count($split) == 2) {
        $value = $split[1];
        // Remove quotes surrounding $value.
        // Also guarantee correct quoting in $string for this one attribute.
        if ('' == $value) {
            $quote = '';
        } else {
            $quote = $value[0];
        }
        if ('"' == $quote || "'" == $quote) {
            // Unbalanced quoting: return nothing at all (whitespace included)
            // rather than guess where the value ends.
            if (substr($value, -1) != $quote) {
                return '';
            }
            // NOTE(review): a value consisting of one quote character passes the check
            // above (its first and last character are the same) and ends up as an empty value.
            $value = substr($value, 1, -1);
        } else {
            // Unquoted or empty value: the rebuilt attribute is always double-quoted.
            $quote = '"';
        }
        // Sanitize quotes and angle braces.
        // ENT_QUOTES encodes both quote styles, so the value cannot close the quote chosen
        // above; the final `false` (double_encode) leaves already-present entities as they are.
        $value = htmlspecialchars($value, ENT_QUOTES, null, false);
        // Sanitize URI values.
        if (in_array(strtolower($name), $uris)) {
            $value = wp_kses_bad_protocol($value, $allowed_protocols);
        }
        // $name is interpolated as parsed; this function does not escape or validate it itself.
        $string = "{$name}={$quote}{$value}{$quote}";
        $vless = 'n';
    } else {
        // No '=' in the input: the attribute is passed on with an empty value and $vless = 'y'.
        $value = '';
        $vless = 'y';
    }
    // Sanitize attribute by name.
    // The return value is not used, so the verdict has to come back through $string
    // (presumably passed by reference — confirm against wp_kses_attr_check()).
    wp_kses_attr_check($name, $value, $string, $vless, $element, $allowed_html);
    // Restore whitespace.
    return $lead . $string . $trail;
}

WordPress Version: 1.6

/**
 * Filters one attribute only and ensures its value is allowed.
 *
 * This function has the advantage of being more secure than esc_attr() and can
 * escape data in some situations where wp_kses() must strip the whole attribute.
 *
 * The allow list handed to wp_kses_attr_check() is always the one for the 'post'
 * context. A quoted value without a matching closing quote is rejected outright.
 *
 * @since 4.2.3
 *
 * @param string $string The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute with its original leading and trailing
 *                whitespace restored, or '' when the value's quotes are unbalanced.
 */
function wp_kses_one_attr($string, $element)
{
    // Only attribute names in this hard-coded list get protocol filtering below;
    // any other attribute name skips wp_kses_bad_protocol() in this function.
    $uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');
    // The allow list is fixed to the 'post' context, whatever the caller's context is.
    $allowed_html = wp_kses_allowed_html('post');
    $allowed_protocols = wp_allowed_protocols();
    // These three filters run on the whole attribute, before it is split into name and value.
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $string = wp_kses_js_entities($string);
    $string = wp_kses_normalize_entities($string);
    // Preserve leading and trailing whitespace.
    $matches = array();
    preg_match('/^\s*/', $string, $matches);
    $lead = $matches[0];
    preg_match('/\s*$/', $string, $matches);
    $trail = $matches[0];
    // -strlen('') is 0, and substr() with length 0 returns an empty string,
    // hence the separate branch when there is no trailing whitespace.
    if (empty($trail)) {
        $string = substr($string, strlen($lead));
    } else {
        $string = substr($string, strlen($lead), -strlen($trail));
    }
    // Parse attribute name and value from input.
    // The limit of 2 splits on the first '=' only, so '=' inside the value is kept.
    $split = preg_split('/\s*=\s*/', $string, 2);
    $name = $split[0];
    if (count($split) == 2) {
        $value = $split[1];
        // Remove quotes surrounding $value.
        // Also guarantee correct quoting in $string for this one attribute.
        if ('' == $value) {
            $quote = '';
        } else {
            $quote = $value[0];
        }
        if ('"' == $quote || "'" == $quote) {
            // Unbalanced quoting: return nothing at all (whitespace included)
            // rather than guess where the value ends.
            if (substr($value, -1) != $quote) {
                return '';
            }
            // NOTE(review): a value consisting of one quote character passes the check
            // above (its first and last character are the same) and ends up as an empty value.
            $value = substr($value, 1, -1);
        } else {
            // Unquoted or empty value: the rebuilt attribute is always double-quoted.
            $quote = '"';
        }
        // Sanitize quotes and angle braces.
        // ENT_QUOTES encodes both quote styles, so the value cannot close the quote chosen
        // above; the final `false` (double_encode) leaves already-present entities as they are.
        $value = htmlspecialchars($value, ENT_QUOTES, null, false);
        // Sanitize URI values.
        if (in_array(strtolower($name), $uris)) {
            $value = wp_kses_bad_protocol($value, $allowed_protocols);
        }
        // $name is interpolated as parsed; this function does not escape or validate it itself.
        $string = "{$name}={$quote}{$value}{$quote}";
        $vless = 'n';
    } else {
        // No '=' in the input: the attribute is passed on with an empty value and $vless = 'y'.
        $value = '';
        $vless = 'y';
    }
    // Sanitize attribute by name.
    // The return value is not used, so the verdict has to come back through $string
    // (presumably passed by reference — confirm against wp_kses_attr_check()).
    wp_kses_attr_check($name, $value, $string, $vless, $element, $allowed_html);
    // Restore whitespace.
    return $lead . $string . $trail;
}

WordPress Version: .25

/**
 * Filters one attribute only and ensures its value is allowed.
 *
 * This function has the advantage of being more secure than esc_attr() and can
 * escape data in some situations where wp_kses() must strip the whole attribute.
 *
 * The allow list handed to wp_kses_attr_check() is always the one for the 'post'
 * context. A quoted value without a matching closing quote is rejected outright.
 *
 * @since 4.2.3
 *
 * @param string $string The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute with its original leading and trailing
 *                whitespace restored, or '' when the value's quotes are unbalanced.
 */
function wp_kses_one_attr($string, $element)
{
    // Attribute names whose values get protocol filtering below; the list is
    // supplied by wp_kses_uri_attributes() rather than spelled out here.
    $uris = wp_kses_uri_attributes();
    // The allow list is fixed to the 'post' context, whatever the caller's context is.
    $allowed_html = wp_kses_allowed_html('post');
    $allowed_protocols = wp_allowed_protocols();
    // These three filters run on the whole attribute, before it is split into name and value.
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $string = wp_kses_js_entities($string);
    $string = wp_kses_normalize_entities($string);
    // Preserve leading and trailing whitespace.
    $matches = array();
    preg_match('/^\s*/', $string, $matches);
    $lead = $matches[0];
    preg_match('/\s*$/', $string, $matches);
    $trail = $matches[0];
    // -strlen('') is 0, and substr() with length 0 returns an empty string,
    // hence the separate branch when there is no trailing whitespace.
    if (empty($trail)) {
        $string = substr($string, strlen($lead));
    } else {
        $string = substr($string, strlen($lead), -strlen($trail));
    }
    // Parse attribute name and value from input.
    // The limit of 2 splits on the first '=' only, so '=' inside the value is kept.
    $split = preg_split('/\s*=\s*/', $string, 2);
    $name = $split[0];
    if (count($split) == 2) {
        $value = $split[1];
        // Remove quotes surrounding $value.
        // Also guarantee correct quoting in $string for this one attribute.
        if ('' == $value) {
            $quote = '';
        } else {
            $quote = $value[0];
        }
        if ('"' == $quote || "'" == $quote) {
            // Unbalanced quoting: return nothing at all (whitespace included)
            // rather than guess where the value ends.
            if (substr($value, -1) != $quote) {
                return '';
            }
            // NOTE(review): a value consisting of one quote character passes the check
            // above (its first and last character are the same) and ends up as an empty value.
            $value = substr($value, 1, -1);
        } else {
            // Unquoted or empty value: the rebuilt attribute is always double-quoted.
            $quote = '"';
        }
        // Sanitize quotes and angle braces.
        // ENT_QUOTES encodes both quote styles, so the value cannot close the quote chosen
        // above; the final `false` (double_encode) leaves already-present entities as they are.
        $value = htmlspecialchars($value, ENT_QUOTES, null, false);
        // Sanitize URI values.
        if (in_array(strtolower($name), $uris)) {
            $value = wp_kses_bad_protocol($value, $allowed_protocols);
        }
        // $name is interpolated as parsed; this function does not escape or validate it itself.
        $string = "{$name}={$quote}{$value}{$quote}";
        $vless = 'n';
    } else {
        // No '=' in the input: the attribute is passed on with an empty value and $vless = 'y'.
        $value = '';
        $vless = 'y';
    }
    // Sanitize attribute by name.
    // The return value is not used, so the verdict has to come back through $string
    // (presumably passed by reference — confirm against wp_kses_attr_check()).
    wp_kses_attr_check($name, $value, $string, $vless, $element, $allowed_html);
    // Restore whitespace.
    return $lead . $string . $trail;
}

WordPress Version: 0.6

/**
 * Filters one attribute only and ensures its value is allowed.
 *
 * This function has the advantage of being more secure than esc_attr() and can
 * escape data in some situations where wp_kses() must strip the whole attribute.
 *
 * The allow list handed to wp_kses_attr_check() is always the one for the 'post'
 * context. A quoted value without a matching closing quote is rejected outright.
 *
 * @since 4.2.3
 *
 * @param string $string The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute with its original leading and trailing
 *                whitespace restored, or '' when the value's quotes are unbalanced.
 */
function wp_kses_one_attr($string, $element)
{
    // Only attribute names in this hard-coded list get protocol filtering below;
    // any other attribute name skips wp_kses_bad_protocol() in this function.
    $uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');
    // The allow list is fixed to the 'post' context, whatever the caller's context is.
    $allowed_html = wp_kses_allowed_html('post');
    $allowed_protocols = wp_allowed_protocols();
    // These three filters run on the whole attribute, before it is split into name and value.
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $string = wp_kses_js_entities($string);
    $string = wp_kses_normalize_entities($string);
    // Preserve leading and trailing whitespace.
    $matches = array();
    preg_match('/^\s*/', $string, $matches);
    $lead = $matches[0];
    preg_match('/\s*$/', $string, $matches);
    $trail = $matches[0];
    // -strlen('') is 0, and substr() with length 0 returns an empty string,
    // hence the separate branch when there is no trailing whitespace.
    if (empty($trail)) {
        $string = substr($string, strlen($lead));
    } else {
        $string = substr($string, strlen($lead), -strlen($trail));
    }
    // Parse attribute name and value from input.
    // The limit of 2 splits on the first '=' only, so '=' inside the value is kept.
    $split = preg_split('/\s*=\s*/', $string, 2);
    $name = $split[0];
    if (count($split) == 2) {
        $value = $split[1];
        // Remove quotes surrounding $value.
        // Also guarantee correct quoting in $string for this one attribute.
        if ('' == $value) {
            $quote = '';
        } else {
            $quote = $value[0];
        }
        if ('"' == $quote || "'" == $quote) {
            // Unbalanced quoting: return nothing at all (whitespace included)
            // rather than guess where the value ends.
            if (substr($value, -1) != $quote) {
                return '';
            }
            // NOTE(review): a value consisting of one quote character passes the check
            // above (its first and last character are the same) and ends up as an empty value.
            $value = substr($value, 1, -1);
        } else {
            // Unquoted or empty value: the rebuilt attribute is always double-quoted.
            $quote = '"';
        }
        // Sanitize quotes and angle braces.
        // ENT_QUOTES encodes both quote styles, so the value cannot close the quote chosen
        // above; the final `false` (double_encode) leaves already-present entities as they are.
        $value = htmlspecialchars($value, ENT_QUOTES, null, false);
        // Sanitize URI values.
        if (in_array(strtolower($name), $uris)) {
            $value = wp_kses_bad_protocol($value, $allowed_protocols);
        }
        // $name is interpolated as parsed; this function does not escape or validate it itself.
        $string = "{$name}={$quote}{$value}{$quote}";
        $vless = 'n';
    } else {
        // No '=' in the input: the attribute is passed on with an empty value and $vless = 'y'.
        $value = '';
        $vless = 'y';
    }
    // Sanitize attribute by name.
    // The return value is not used, so the verdict has to come back through $string
    // (presumably passed by reference — confirm against wp_kses_attr_check()).
    wp_kses_attr_check($name, $value, $string, $vless, $element, $allowed_html);
    // Restore whitespace.
    return $lead . $string . $trail;
}

WordPress Version: .25

/**
 * Filters one attribute only and ensures its value is allowed.
 *
 * This function has the advantage of being more secure than esc_attr() and can
 * escape data in some situations where wp_kses() must strip the whole attribute.
 *
 * The allow list handed to wp_kses_attr_check() is always the one for the 'post'
 * context. A quoted value without a matching closing quote is rejected outright.
 *
 * @since 4.2.3
 *
 * @param string $string The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute with its original leading and trailing
 *                whitespace restored, or '' when the value's quotes are unbalanced.
 */
function wp_kses_one_attr($string, $element)
{
    // Attribute names whose values get protocol filtering below; the list is
    // supplied by wp_kses_uri_attributes() rather than spelled out here.
    $uris = wp_kses_uri_attributes();
    // The allow list is fixed to the 'post' context, whatever the caller's context is.
    $allowed_html = wp_kses_allowed_html('post');
    $allowed_protocols = wp_allowed_protocols();
    // These three filters run on the whole attribute, before it is split into name and value.
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $string = wp_kses_js_entities($string);
    $string = wp_kses_normalize_entities($string);
    // Preserve leading and trailing whitespace.
    $matches = array();
    preg_match('/^\s*/', $string, $matches);
    $lead = $matches[0];
    preg_match('/\s*$/', $string, $matches);
    $trail = $matches[0];
    // -strlen('') is 0, and substr() with length 0 returns an empty string,
    // hence the separate branch when there is no trailing whitespace.
    if (empty($trail)) {
        $string = substr($string, strlen($lead));
    } else {
        $string = substr($string, strlen($lead), -strlen($trail));
    }
    // Parse attribute name and value from input.
    // The limit of 2 splits on the first '=' only, so '=' inside the value is kept.
    $split = preg_split('/\s*=\s*/', $string, 2);
    $name = $split[0];
    if (count($split) == 2) {
        $value = $split[1];
        // Remove quotes surrounding $value.
        // Also guarantee correct quoting in $string for this one attribute.
        if ('' == $value) {
            $quote = '';
        } else {
            $quote = $value[0];
        }
        if ('"' == $quote || "'" == $quote) {
            // Unbalanced quoting: return nothing at all (whitespace included)
            // rather than guess where the value ends.
            if (substr($value, -1) != $quote) {
                return '';
            }
            // NOTE(review): a value consisting of one quote character passes the check
            // above (its first and last character are the same) and ends up as an empty value.
            $value = substr($value, 1, -1);
        } else {
            // Unquoted or empty value: the rebuilt attribute is always double-quoted.
            $quote = '"';
        }
        // Sanitize quotes and angle braces.
        // ENT_QUOTES encodes both quote styles, so the value cannot close the quote chosen
        // above; the final `false` (double_encode) leaves already-present entities as they are.
        $value = htmlspecialchars($value, ENT_QUOTES, null, false);
        // Sanitize URI values.
        if (in_array(strtolower($name), $uris)) {
            $value = wp_kses_bad_protocol($value, $allowed_protocols);
        }
        // $name is interpolated as parsed; this function does not escape or validate it itself.
        $string = "{$name}={$quote}{$value}{$quote}";
        $vless = 'n';
    } else {
        // No '=' in the input: the attribute is passed on with an empty value and $vless = 'y'.
        $value = '';
        $vless = 'y';
    }
    // Sanitize attribute by name.
    // The return value is not used, so the verdict has to come back through $string
    // (presumably passed by reference — confirm against wp_kses_attr_check()).
    wp_kses_attr_check($name, $value, $string, $vless, $element, $allowed_html);
    // Restore whitespace.
    return $lead . $string . $trail;
}

WordPress Version: 8.9

/**
 * Filters one attribute only and ensures its value is allowed.
 *
 * This function has the advantage of being more secure than esc_attr() and can
 * escape data in some situations where wp_kses() must strip the whole attribute.
 *
 * The allow list handed to wp_kses_attr_check() is always the one for the 'post'
 * context. A quoted value without a matching closing quote is rejected outright.
 *
 * @since 4.2.3
 *
 * @param string $string The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute with its original leading and trailing
 *                whitespace restored, or '' when the value's quotes are unbalanced.
 */
function wp_kses_one_attr($string, $element)
{
    // Only attribute names in this hard-coded list get protocol filtering below;
    // any other attribute name skips wp_kses_bad_protocol() in this function.
    $uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');
    // The allow list is fixed to the 'post' context, whatever the caller's context is.
    $allowed_html = wp_kses_allowed_html('post');
    $allowed_protocols = wp_allowed_protocols();
    // These three filters run on the whole attribute, before it is split into name and value.
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $string = wp_kses_js_entities($string);
    $string = wp_kses_normalize_entities($string);
    // Preserve leading and trailing whitespace.
    $matches = array();
    preg_match('/^\s*/', $string, $matches);
    $lead = $matches[0];
    preg_match('/\s*$/', $string, $matches);
    $trail = $matches[0];
    // -strlen('') is 0, and substr() with length 0 returns an empty string,
    // hence the separate branch when there is no trailing whitespace.
    if (empty($trail)) {
        $string = substr($string, strlen($lead));
    } else {
        $string = substr($string, strlen($lead), -strlen($trail));
    }
    // Parse attribute name and value from input.
    // The limit of 2 splits on the first '=' only, so '=' inside the value is kept.
    $split = preg_split('/\s*=\s*/', $string, 2);
    $name = $split[0];
    if (count($split) == 2) {
        $value = $split[1];
        // Remove quotes surrounding $value.
        // Also guarantee correct quoting in $string for this one attribute.
        if ('' == $value) {
            $quote = '';
        } else {
            $quote = $value[0];
        }
        if ('"' == $quote || "'" == $quote) {
            // Unbalanced quoting: return nothing at all (whitespace included)
            // rather than guess where the value ends.
            if (substr($value, -1) != $quote) {
                return '';
            }
            // NOTE(review): a value consisting of one quote character passes the check
            // above (its first and last character are the same) and ends up as an empty value.
            $value = substr($value, 1, -1);
        } else {
            // Unquoted or empty value: the rebuilt attribute is always double-quoted.
            $quote = '"';
        }
        // Sanitize quotes and angle braces.
        // ENT_QUOTES encodes both quote styles, so the value cannot close the quote chosen
        // above; the final `false` (double_encode) leaves already-present entities as they are.
        $value = htmlspecialchars($value, ENT_QUOTES, null, false);
        // Sanitize URI values.
        if (in_array(strtolower($name), $uris)) {
            $value = wp_kses_bad_protocol($value, $allowed_protocols);
        }
        // $name is interpolated as parsed; this function does not escape or validate it itself.
        $string = "{$name}={$quote}{$value}{$quote}";
        $vless = 'n';
    } else {
        // No '=' in the input: the attribute is passed on with an empty value and $vless = 'y'.
        $value = '';
        $vless = 'y';
    }
    // Sanitize attribute by name.
    // The return value is not used, so the verdict has to come back through $string
    // (presumably passed by reference — confirm against wp_kses_attr_check()).
    wp_kses_attr_check($name, $value, $string, $vless, $element, $allowed_html);
    // Restore whitespace.
    return $lead . $string . $trail;
}

WordPress Version: .28

/**
 * Filters one attribute only and ensures its value is allowed.
 *
 * This function has the advantage of being more secure than esc_attr() and can
 * escape data in some situations where wp_kses() must strip the whole attribute.
 *
 * The allow list handed to wp_kses_attr_check() is always the one for the 'post'
 * context. A quoted value without a matching closing quote is rejected outright.
 *
 * @since 4.2.3
 *
 * @param string $string The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute with its original leading and trailing
 *                whitespace restored, or '' when the value's quotes are unbalanced.
 */
function wp_kses_one_attr($string, $element)
{
    // Attribute names whose values get protocol filtering below; the list is
    // supplied by wp_kses_uri_attributes() rather than spelled out here.
    $uris = wp_kses_uri_attributes();
    // The allow list is fixed to the 'post' context, whatever the caller's context is.
    $allowed_html = wp_kses_allowed_html('post');
    $allowed_protocols = wp_allowed_protocols();
    // These three filters run on the whole attribute, before it is split into name and value.
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $string = wp_kses_js_entities($string);
    $string = wp_kses_normalize_entities($string);
    // Preserve leading and trailing whitespace.
    $matches = array();
    preg_match('/^\s*/', $string, $matches);
    $lead = $matches[0];
    preg_match('/\s*$/', $string, $matches);
    $trail = $matches[0];
    // -strlen('') is 0, and substr() with length 0 returns an empty string,
    // hence the separate branch when there is no trailing whitespace.
    if (empty($trail)) {
        $string = substr($string, strlen($lead));
    } else {
        $string = substr($string, strlen($lead), -strlen($trail));
    }
    // Parse attribute name and value from input.
    // The limit of 2 splits on the first '=' only, so '=' inside the value is kept.
    $split = preg_split('/\s*=\s*/', $string, 2);
    $name = $split[0];
    if (count($split) == 2) {
        $value = $split[1];
        // Remove quotes surrounding $value.
        // Also guarantee correct quoting in $string for this one attribute.
        if ('' == $value) {
            $quote = '';
        } else {
            $quote = $value[0];
        }
        if ('"' == $quote || "'" == $quote) {
            // Unbalanced quoting: return nothing at all (whitespace included)
            // rather than guess where the value ends.
            if (substr($value, -1) != $quote) {
                return '';
            }
            // NOTE(review): a value consisting of one quote character passes the check
            // above (its first and last character are the same) and ends up as an empty value.
            $value = substr($value, 1, -1);
        } else {
            // Unquoted or empty value: the rebuilt attribute is always double-quoted.
            $quote = '"';
        }
        // Sanitize quotes and angle braces.
        // ENT_QUOTES encodes both quote styles, so the value cannot close the quote chosen
        // above; the final `false` (double_encode) leaves already-present entities as they are.
        $value = htmlspecialchars($value, ENT_QUOTES, null, false);
        // Sanitize URI values.
        if (in_array(strtolower($name), $uris)) {
            $value = wp_kses_bad_protocol($value, $allowed_protocols);
        }
        // $name is interpolated as parsed; this function does not escape or validate it itself.
        $string = "{$name}={$quote}{$value}{$quote}";
        $vless = 'n';
    } else {
        // No '=' in the input: the attribute is passed on with an empty value and $vless = 'y'.
        $value = '';
        $vless = 'y';
    }
    // Sanitize attribute by name.
    // The return value is not used, so the verdict has to come back through $string
    // (presumably passed by reference — confirm against wp_kses_attr_check()).
    wp_kses_attr_check($name, $value, $string, $vless, $element, $allowed_html);
    // Restore whitespace.
    return $lead . $string . $trail;
}

WordPress Version: 7.9

/**
 * Filters one attribute only and ensures its value is allowed.
 *
 * This function has the advantage of being more secure than esc_attr() and can
 * escape data in some situations where wp_kses() must strip the whole attribute.
 *
 * The allow list handed to wp_kses_attr_check() is always the one for the 'post'
 * context. A quoted value without a matching closing quote is rejected outright.
 *
 * @since 4.2.3
 *
 * @param string $string The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute with its original leading and trailing
 *                whitespace restored, or '' when the value's quotes are unbalanced.
 */
function wp_kses_one_attr($string, $element)
{
    // Only attribute names in this hard-coded list get protocol filtering below;
    // any other attribute name skips wp_kses_bad_protocol() in this function.
    $uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');
    // The allow list is fixed to the 'post' context, whatever the caller's context is.
    $allowed_html = wp_kses_allowed_html('post');
    $allowed_protocols = wp_allowed_protocols();
    // These three filters run on the whole attribute, before it is split into name and value.
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $string = wp_kses_js_entities($string);
    $string = wp_kses_normalize_entities($string);
    // Preserve leading and trailing whitespace.
    $matches = array();
    preg_match('/^\s*/', $string, $matches);
    $lead = $matches[0];
    preg_match('/\s*$/', $string, $matches);
    $trail = $matches[0];
    // -strlen('') is 0, and substr() with length 0 returns an empty string,
    // hence the separate branch when there is no trailing whitespace.
    if (empty($trail)) {
        $string = substr($string, strlen($lead));
    } else {
        $string = substr($string, strlen($lead), -strlen($trail));
    }
    // Parse attribute name and value from input.
    // The limit of 2 splits on the first '=' only, so '=' inside the value is kept.
    $split = preg_split('/\s*=\s*/', $string, 2);
    $name = $split[0];
    if (count($split) == 2) {
        $value = $split[1];
        // Remove quotes surrounding $value.
        // Also guarantee correct quoting in $string for this one attribute.
        if ('' == $value) {
            $quote = '';
        } else {
            $quote = $value[0];
        }
        if ('"' == $quote || "'" == $quote) {
            // Unbalanced quoting: return nothing at all (whitespace included)
            // rather than guess where the value ends.
            if (substr($value, -1) != $quote) {
                return '';
            }
            // NOTE(review): a value consisting of one quote character passes the check
            // above (its first and last character are the same) and ends up as an empty value.
            $value = substr($value, 1, -1);
        } else {
            // Unquoted or empty value: the rebuilt attribute is always double-quoted.
            $quote = '"';
        }
        // Sanitize quotes and angle braces.
        // ENT_QUOTES encodes both quote styles, so the value cannot close the quote chosen
        // above; the final `false` (double_encode) leaves already-present entities as they are.
        $value = htmlspecialchars($value, ENT_QUOTES, null, false);
        // Sanitize URI values.
        if (in_array(strtolower($name), $uris)) {
            $value = wp_kses_bad_protocol($value, $allowed_protocols);
        }
        // $name is interpolated as parsed; this function does not escape or validate it itself.
        $string = "{$name}={$quote}{$value}{$quote}";
        $vless = 'n';
    } else {
        // No '=' in the input: the attribute is passed on with an empty value and $vless = 'y'.
        $value = '';
        $vless = 'y';
    }
    // Sanitize attribute by name.
    // The return value is not used, so the verdict has to come back through $string
    // (presumably passed by reference — confirm against wp_kses_attr_check()).
    wp_kses_attr_check($name, $value, $string, $vless, $element, $allowed_html);
    // Restore whitespace.
    return $lead . $string . $trail;
}

WordPress Version: .28

/**
 * Filters one attribute only and ensures its value is allowed.
 *
 * This function has the advantage of being more secure than esc_attr() and can
 * escape data in some situations where wp_kses() must strip the whole attribute.
 *
 * The allow list handed to wp_kses_attr_check() is always the one for the 'post'
 * context. A quoted value without a matching closing quote is rejected outright.
 *
 * @since 4.2.3
 *
 * @param string $string The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute with its original leading and trailing
 *                whitespace restored, or '' when the value's quotes are unbalanced.
 */
function wp_kses_one_attr($string, $element)
{
    // Attribute names whose values get protocol filtering below; the list is
    // supplied by wp_kses_uri_attributes() rather than spelled out here.
    $uris = wp_kses_uri_attributes();
    // The allow list is fixed to the 'post' context, whatever the caller's context is.
    $allowed_html = wp_kses_allowed_html('post');
    $allowed_protocols = wp_allowed_protocols();
    // These three filters run on the whole attribute, before it is split into name and value.
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $string = wp_kses_js_entities($string);
    $string = wp_kses_normalize_entities($string);
    // Preserve leading and trailing whitespace.
    $matches = array();
    preg_match('/^\s*/', $string, $matches);
    $lead = $matches[0];
    preg_match('/\s*$/', $string, $matches);
    $trail = $matches[0];
    // -strlen('') is 0, and substr() with length 0 returns an empty string,
    // hence the separate branch when there is no trailing whitespace.
    if (empty($trail)) {
        $string = substr($string, strlen($lead));
    } else {
        $string = substr($string, strlen($lead), -strlen($trail));
    }
    // Parse attribute name and value from input.
    // The limit of 2 splits on the first '=' only, so '=' inside the value is kept.
    $split = preg_split('/\s*=\s*/', $string, 2);
    $name = $split[0];
    if (count($split) == 2) {
        $value = $split[1];
        // Remove quotes surrounding $value.
        // Also guarantee correct quoting in $string for this one attribute.
        if ('' == $value) {
            $quote = '';
        } else {
            $quote = $value[0];
        }
        if ('"' == $quote || "'" == $quote) {
            // Unbalanced quoting: return nothing at all (whitespace included)
            // rather than guess where the value ends.
            if (substr($value, -1) != $quote) {
                return '';
            }
            // NOTE(review): a value consisting of one quote character passes the check
            // above (its first and last character are the same) and ends up as an empty value.
            $value = substr($value, 1, -1);
        } else {
            // Unquoted or empty value: the rebuilt attribute is always double-quoted.
            $quote = '"';
        }
        // Sanitize quotes and angle braces.
        // ENT_QUOTES encodes both quote styles, so the value cannot close the quote chosen
        // above; the final `false` (double_encode) leaves already-present entities as they are.
        $value = htmlspecialchars($value, ENT_QUOTES, null, false);
        // Sanitize URI values.
        if (in_array(strtolower($name), $uris)) {
            $value = wp_kses_bad_protocol($value, $allowed_protocols);
        }
        // $name is interpolated as parsed; this function does not escape or validate it itself.
        $string = "{$name}={$quote}{$value}{$quote}";
        $vless = 'n';
    } else {
        // No '=' in the input: the attribute is passed on with an empty value and $vless = 'y'.
        $value = '';
        $vless = 'y';
    }
    // Sanitize attribute by name.
    // The return value is not used, so the verdict has to come back through $string
    // (presumably passed by reference — confirm against wp_kses_attr_check()).
    wp_kses_attr_check($name, $value, $string, $vless, $element, $allowed_html);
    // Restore whitespace.
    return $lead . $string . $trail;
}

WordPress Version: .10

/**
 * Filters one attribute only and ensures its value is allowed.
 *
 * This function has the advantage of being more secure than esc_attr() and can
 * escape data in some situations where wp_kses() must strip the whole attribute.
 *
 * The allow list handed to wp_kses_attr_check() is always the one for the 'post'
 * context. A quoted value without a matching closing quote is rejected outright.
 *
 * @since 4.2.3
 *
 * @param string $string The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute with its original leading and trailing
 *                whitespace restored, or '' when the value's quotes are unbalanced.
 */
function wp_kses_one_attr($string, $element)
{
    // Only attribute names in this hard-coded list get protocol filtering below;
    // any other attribute name skips wp_kses_bad_protocol() in this function.
    $uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');
    // The allow list is fixed to the 'post' context, whatever the caller's context is.
    $allowed_html = wp_kses_allowed_html('post');
    $allowed_protocols = wp_allowed_protocols();
    // These three filters run on the whole attribute, before it is split into name and value.
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $string = wp_kses_js_entities($string);
    $string = wp_kses_normalize_entities($string);
    // Preserve leading and trailing whitespace.
    $matches = array();
    preg_match('/^\s*/', $string, $matches);
    $lead = $matches[0];
    preg_match('/\s*$/', $string, $matches);
    $trail = $matches[0];
    // -strlen('') is 0, and substr() with length 0 returns an empty string,
    // hence the separate branch when there is no trailing whitespace.
    if (empty($trail)) {
        $string = substr($string, strlen($lead));
    } else {
        $string = substr($string, strlen($lead), -strlen($trail));
    }
    // Parse attribute name and value from input.
    // The limit of 2 splits on the first '=' only, so '=' inside the value is kept.
    $split = preg_split('/\s*=\s*/', $string, 2);
    $name = $split[0];
    if (count($split) == 2) {
        $value = $split[1];
        // Remove quotes surrounding $value.
        // Also guarantee correct quoting in $string for this one attribute.
        if ('' == $value) {
            $quote = '';
        } else {
            $quote = $value[0];
        }
        if ('"' == $quote || "'" == $quote) {
            // Unbalanced quoting: return nothing at all (whitespace included)
            // rather than guess where the value ends.
            if (substr($value, -1) != $quote) {
                return '';
            }
            // NOTE(review): a value consisting of one quote character passes the check
            // above (its first and last character are the same) and ends up as an empty value.
            $value = substr($value, 1, -1);
        } else {
            // Unquoted or empty value: the rebuilt attribute is always double-quoted.
            $quote = '"';
        }
        // Sanitize quotes and angle braces.
        // ENT_QUOTES encodes both quote styles, so the value cannot close the quote chosen
        // above; the final `false` (double_encode) leaves already-present entities as they are.
        $value = htmlspecialchars($value, ENT_QUOTES, null, false);
        // Sanitize URI values.
        if (in_array(strtolower($name), $uris)) {
            $value = wp_kses_bad_protocol($value, $allowed_protocols);
        }
        // $name is interpolated as parsed; this function does not escape or validate it itself.
        $string = "{$name}={$quote}{$value}{$quote}";
        $vless = 'n';
    } else {
        // No '=' in the input: the attribute is passed on with an empty value and $vless = 'y'.
        $value = '';
        $vless = 'y';
    }
    // Sanitize attribute by name.
    // The return value is not used, so the verdict has to come back through $string
    // (presumably passed by reference — confirm against wp_kses_attr_check()).
    wp_kses_attr_check($name, $value, $string, $vless, $element, $allowed_html);
    // Restore whitespace.
    return $lead . $string . $trail;
}