From fd9519e7b2f1e6e02e0bfbbced0e18e76705d1ba Mon Sep 17 00:00:00 2001
From: Bernhard Reiter <Bernhard Reiter@git.wordpress.org>
Date: Thu, 28 Nov 2024 14:27:18 +0000
Subject: [PATCH] HTML API: Make non-body fragment creation methods private.

The current implementation of `create_fragment` (and the underlying `create_fragment_at_current_node`) allows passing in a context that might result in a tree that cannot be represented by HTML. For example, a user might use `<p>` as context, and attempt to create a fragment that also consists of a paragraph element, `<p>like this`. This would result in a paragraph node nested inside another -- something that can never result from parsing HTML.

To prevent this, this changeset makes `create_fragment_at_current_node` private and limits `create_fragment` to only `<body>` as context, while a comprehensive solution to allow other contexts is being worked on.

Follow-up to [59444], [59467].
Props jonsurrell, dmsnell, bernhard-reiter.
Fixes #62584.
Built from https://develop.svn.wordpress.org/trunk@59469


git-svn-id: http://core.svn.wordpress.org/trunk@58855 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 .../html-api/class-wp-html-processor.php      | 38 +++++--------------
 wp-includes/version.php                       |  2 +-
 2 files changed, 10 insertions(+), 30 deletions(-)

diff --git a/wp-includes/html-api/class-wp-html-processor.php b/wp-includes/html-api/class-wp-html-processor.php
index 1be795c5c7..e88757ec7b 100644
--- a/wp-includes/html-api/class-wp-html-processor.php
+++ b/wp-includes/html-api/class-wp-html-processor.php
@@ -279,44 +279,24 @@ class WP_HTML_Processor extends WP_HTML_Tag_Processor {
 	 * form is provided because a context element may have attributes that
 	 * impact the parse, such as with a SCRIPT tag and its `type` attribute.
 	 *
-	 * Example:
+	 * ## Current HTML Support
 	 *
-	 *     // Usually, snippets of HTML ought to be processed in the default `<body>` context:
-	 *     $processor = WP_HTML_Processor::create_fragment( '<p>Hi</p>' );
-	 *
-	 *     // Some fragments should be processed in the correct context like this SVG:
-	 *     $processor = WP_HTML_Processor::create_fragment( '<rect width="10" height="10" />', '<svg>' );
-	 *
-	 *     // This fragment with TD tags should be processed in a TR context:
-	 *     $processor = WP_HTML_Processor::create_fragment(
-	 *         '<td>1<td>2<td>3',
-	 *         '<table><tbody><tr>'
-	 *     );
-	 *
-	 * In order to create a fragment processor at the correct location, the
-	 * provided fragment will be processed as part of a full HTML document.
-	 * The processor will search for the last opener tag in the document and
-	 * create a fragment processor at that location. The document will be
-	 * forced into "no-quirks" mode by including the HTML5 doctype.
-	 *
-	 * For advanced usage and precise control over the context element, use
-	 * `WP_HTML_Processor::create_full_processor()` and
-	 * `WP_HTML_Processor::create_fragment_at_current_node()`.
-	 *
-	 * UTF-8 is the only allowed encoding. If working with a document that
-	 * isn't UTF-8, first convert the document to UTF-8, then pass in the
-	 * converted HTML.
+	 *  - The only supported context is `<body>`, which is the default value.
+	 *  - The only supported document encoding is `UTF-8`, which is the default value.
 	 *
 	 * @since 6.4.0
 	 * @since 6.6.0 Returns `static` instead of `self` so it can create subclass instances.
-	 * @since 6.8.0 Can create fragments with any context element.
 	 *
 	 * @param string $html     Input HTML fragment to process.
-	 * @param string $context  Context element for the fragment. Defaults to `<body>`.
+	 * @param string $context  Context element for the fragment, must be default of `<body>`.
 	 * @param string $encoding Text encoding of the document; must be default of 'UTF-8'.
 	 * @return static|null The created processor if successful, otherwise null.
 	 */
 	public static function create_fragment( $html, $context = '<body>', $encoding = 'UTF-8' ) {
+		if ( '<body>' !== $context || 'UTF-8' !== $encoding ) {
+			return null;
+		}
+
 		$context_processor = static::create_full_parser( "<!DOCTYPE html>{$context}", $encoding );
 		if ( null === $context_processor ) {
 			return null;
@@ -475,7 +455,7 @@ class WP_HTML_Processor extends WP_HTML_Tag_Processor {
 	 * @param string $html Input HTML fragment to process.
 	 * @return static|null The created processor if successful, otherwise null.
 	 */
-	public function create_fragment_at_current_node( string $html ) {
+	private function create_fragment_at_current_node( string $html ) {
 		if ( $this->get_token_type() !== '#tag' || $this->is_tag_closer() ) {
 			_doing_it_wrong(
 				__METHOD__,
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 50fa57f4fe..ba2df33454 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '6.8-alpha-59467';
+$wp_version = '6.8-alpha-59469';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.