Defensive coding for non-strings in ::create_fragment and ::create_fu…

…ll_parser
WordPress · kraftbj · Aug 20, 2025 · Aug 22, 2025 · Aug 22, 2025 · Sep 30, 2025
commit 884dc042d1bf7152f7fd96723923b41c87f79c44
diff --git a/src/wp-includes/html-api/class-wp-html-processor.php b/src/wp-includes/html-api/class-wp-html-processor.php
@@ -297,6 +297,15 @@ public static function create_fragment( $html, $context = '<body>', $encoding =
 			return null;
 		}
 
+		if ( ! is_string( $html ) ) {
+			_doing_it_wrong(
+				__METHOD__,
+				__( 'The HTML parameter must be a string.' ),
+				'6.9.0'
+			);
+			return null;
+		}
+
 		$context_processor = static::create_full_parser( "<!DOCTYPE html>{$context}", $encoding );
 		if ( null === $context_processor ) {
 			return null;
@@ -339,6 +348,14 @@ public static function create_full_parser( $html, $known_definite_encoding = 'UT
 		if ( 'UTF-8' !== $known_definite_encoding ) {
 			return null;
 		}
+		if ( ! is_string( $html ) ) {
+			_doing_it_wrong(
+				__METHOD__,
+				__( 'The HTML parameter must be a string.' ),
+				'6.9.0'
+			);
+			return null;
+		}
 
 		$processor                             = new static( $html, self::CONSTRUCTOR_UNLOCK_CODE );
 		$processor->state->encoding            = $known_definite_encoding;