HTML API: Ensure non-string HTML input is safely handled.

sirreal · sirreal · commit b271950c27d0 · 2025-10-01T12:59:32.000Z
Prevents an issue where passing `null` to HTML API constructors could result in runtime errors. Developed in WordPress/wordpress-develop#9545. Props kraftbj, jonsurrell, westonruter. Fixes #63854. Built from https://develop.svn.wordpress.org/trunk@60887 git-svn-id: http://core.svn.wordpress.org/trunk@60223 1a063a9b-81f0-0310-95a4-ce76da25c4cd
diff --git a/wp-includes/html-api/class-wp-html-processor.php b/wp-includes/html-api/class-wp-html-processor.php
@@ -297,6 +297,15 @@ public static function create_fragment( $html, $context = '<body>', $encoding =
 			return null;
 		}
 
+		if ( ! is_string( $html ) ) {
+			_doing_it_wrong(
+				__METHOD__,
+				__( 'The HTML parameter must be a string.' ),
+				'6.9.0'
+			);
+			return null;
+		}
+
 		$context_processor = static::create_full_parser( "<!DOCTYPE html>{$context}", $encoding );
 		if ( null === $context_processor ) {
 			return null;
@@ -339,6 +348,14 @@ public static function create_full_parser( $html, $known_definite_encoding = 'UT
 		if ( 'UTF-8' !== $known_definite_encoding ) {
 			return null;
 		}
+		if ( ! is_string( $html ) ) {
+			_doing_it_wrong(
+				__METHOD__,
+				__( 'The HTML parameter must be a string.' ),
+				'6.9.0'
+			);
+			return null;
+		}
 
 		$processor                             = new static( $html, self::CONSTRUCTOR_UNLOCK_CODE );
 		$processor->state->encoding            = $known_definite_encoding;
diff --git a/wp-includes/html-api/class-wp-html-tag-processor.php b/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -834,6 +834,14 @@ class WP_HTML_Tag_Processor {
 	 * @param string $html HTML to process.
 	 */
 	public function __construct( $html ) {
+		if ( ! is_string( $html ) ) {
+			_doing_it_wrong(
+				__METHOD__,
+				__( 'The HTML parameter must be a string.' ),
+				'6.9.0'
+			);
+			$html = '';
+		}
 		$this->html = $html;
 	}
 
diff --git a/wp-includes/version.php b/wp-includes/version.php
@@ -16,7 +16,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '6.9-alpha-60886';
+$wp_version = '6.9-alpha-60887';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.

Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,7 @@`
`16`	`16`	`*`
`17`	`17`	`* @global string $wp_version`
`18`	`18`	`*/`
`19`		`-$wp_version = '6.9-alpha-60886';`
	`19`	`+$wp_version = '6.9-alpha-60887';`
`20`	`20`
`21`	`21`	`/**`
`22`	`22`	`* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.`