From 305a91d7368d06f892a927bdcc7e830a4036a78a Mon Sep 17 00:00:00 2001
From: Dennis Snell <dennis.snell@automattic.com>
Date: Wed, 10 Jan 2024 22:24:08 -0500
Subject: [PATCH 1/4] HTML API: Introduce HTML Template Renderer

---
 .../html-api/class-wp-html-tag-processor.php  |   4 +-
 .../html-api/class-wp-html-template.php       | 189 ++++++++++++++++++
 src/wp-includes/html-api/class-wp-html.php    |  84 ++++++++
 src/wp-settings.php                           |   2 +
 .../phpunit/tests/html-api/wpHtmlTemplate.php | 106 ++++++++++
 5 files changed, 383 insertions(+), 2 deletions(-)
 create mode 100644 src/wp-includes/html-api/class-wp-html-template.php
 create mode 100644 src/wp-includes/html-api/class-wp-html.php
 create mode 100644 tests/phpunit/tests/html-api/wpHtmlTemplate.php

diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
index 169fabe750fcf..e0c8df835114c 100644
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -2038,8 +2038,8 @@ private function after_tag() {
 		$this->token_length         = null;
 		$this->tag_name_starts_at   = null;
 		$this->tag_name_length      = null;
-		$this->text_starts_at       = 0;
-		$this->text_length          = 0;
+		$this->text_starts_at       = null;
+		$this->text_length          = null;
 		$this->is_closing_tag       = null;
 		$this->attributes           = array();
 		$this->comment_type         = null;
diff --git a/src/wp-includes/html-api/class-wp-html-template.php b/src/wp-includes/html-api/class-wp-html-template.php
new file mode 100644
index 0000000000000..3ad279bf559e1
--- /dev/null
+++ b/src/wp-includes/html-api/class-wp-html-template.php
@@ -0,0 +1,189 @@
+<?php
+/**
+ * HTML API: WP_HTML_Template helper class
+ *
+ * Provides the rendering code for the WP_HTML class. This needs to exist separately as
+ * implemented so that it can subclass the WP_HTML_Tag_Processor class and gain access
+ * to the bookmarks and lexical updates, which it uses to perform string operations.
+ *
+ * @package WordPress
+ * @subpackage HTML-API
+ * @since 6.5.0
+ */
+
+/**
+ * WP_HTML_Template class.
+ *
+ * To be used only by the WP_HTML class.
+ *
+ * @since 6.5.0
+ *
+ * @access private
+ */
+class WP_HTML_Template extends WP_HTML_Tag_Processor {
+	/**
+	 * Renders an HTML template, replacing the placeholders with the provided values.
+	 *
+	 * This function looks for placeholders in the template string and will replace
+	 * them with appropriately-escaped substitutions from the given arguments, if
+	 * provided and if those arguments are strings or valid attribute values.
+	 *
+	 * Example:
+	 *
+	 *     echo WP_HTML_Template::render(
+	 *         '<a href="</%profile_url>"></%name></a>',
+	 *         array(
+	 *             'profile_url' => 'https://profiles.example.com/username',
+	 *             'name'        => $user->display_name
+	 *         )
+	 *     );
+	 *     // Outputs: <a href="https://profiles.example.com/username">Bobby Tables</a>
+	 *
+	 * Do not escape the values supplied to the argument array! This function will escape each
+	 * parameter's value as needed and additional manual escaping may lead to incorrect output.
+	 *
+	 * ## Syntax.
+	 *
+	 * ### Substitution Placeholders.
+	 *
+	 *  - `</%named_arg>` finds `named_arg` in the arguments array, escapes its value if possible,
+	 *    and replaces the placeholder with the escaped value. These may exist inside double-quoted
+	 *    HTML tag attributes or in HTML text content between tags. They cannot be used to output a tag
+	 *    name or content inside a comment.
+	 *
+	 * ### Spread Attributes.
+	 *
+	 *  - `...named_arg` when found within an HTML tag will lookup `named_arg` in the arguments array
+	 *    and, if it's an array, will set the attribute on the tag for each key/value pair whose value
+	 *    is a string, boolean, or `null`.
+	 *
+	 * ## Notes.
+	 *
+	 *  - Attributes may only be supplied for a limited set of types: a string value assigns a double-quoted
+	 *    attribute value; `true` sets the attribute as a boolean attribute; `null` removes the attribute.
+	 *    If provided any other type of value the attribute will be ignored and its existing value persists.
+	 *
+	 *  - If multiple HTML attributes are specified for a given tag they will be applied as if calling
+	 *    `set_attribute()` in the order they are specified in the template. This includes any attributes
+	 *    assigned through the attribute spread syntax.
+	 *
+	 *  - Substitutions in text nodes may only contain string values. If provided any other type of value
+	 *    the placeholder will be removed with nothing in its place.
+	 *
+	 *  - This function currently escapes all value provided in the arguments array. In the future
+	 *    it may provide the ability to nest pre-rendered HTML into the template, but this functionality
+	 *    is deferred for a future update.
+	 *
+	 *  - This function will not replace content inside of SCRIPT, or STYLE elements.
+	 *
+	 * @since 6.5.0
+	 *
+	 * @access private
+	 *
+	 * @param string $template The HTML template.
+	 * @param string $args     Array of key/value pairs providing substitue values for the placeholders.
+	 * @return string The rendered HTML.
+	 */
+	public static function render( $template, $args = array() ) {
+		$processor = new self( $template );
+		while ( $processor->next_token() ) {
+			$type = $processor->get_token_type();
+			$text = $processor->get_modifiable_text();
+
+			// Replace placeholders that are found inside #text nodes.
+			if ( '#funky-comment' === $type && strlen( $text ) > 0 && '%' === $text[0] ) {
+				$name  = substr( $text, 1 );
+				$value = isset( $args[ $name ] ) && is_string( $args[ $name ] ) ? $args[ $name ] : null;
+				$processor->set_bookmark( 'here' );
+				$processor->lexical_updates[] = new WP_HTML_Text_Replacement(
+					$processor->bookmarks['here']->start,
+					$processor->bookmarks['here']->length,
+					null === $value ? '' : esc_html( $value )
+				);
+				continue;
+			}
+
+			// For every tag, scan the attributes to look for placeholders.
+			if ( '#tag' === $type ) {
+				foreach ( $processor->get_attribute_names_with_prefix( '' ) ?? array() as $attribute_name ) {
+					if ( str_starts_with( $attribute_name, '...' ) ) {
+						$spread_name = substr( $attribute_name, 3 );
+						if ( isset( $args[ $spread_name ] ) && is_array( $args[ $spread_name ] ) ) {
+							foreach ( $args[ $spread_name ] as $key => $value ) {
+								if ( true === $value || null === $value || is_string( $value ) ) {
+									$processor->set_attribute( $key, $value );
+								}
+							}
+						}
+						$processor->remove_attribute( $attribute_name );
+					}
+
+					$value = $processor->get_attribute( $attribute_name );
+
+					if ( ! is_string( $value ) ) {
+						continue;
+					}
+
+					// Replace entire attributes if their content is exclusively a placeholder, e.g. `title="</%title>"`.
+					$full_match = null;
+					if ( preg_match( '~^</%([^>]+)>$~', $value, $full_match ) ) {
+						$name = $full_match[1];
+
+						if ( array_key_exists( $name, $args ) ) {
+							$value = $args[ $name ];
+							if ( null === $value ) {
+								$processor->remove_attribute( $attribute_name );
+							} elseif ( true === $value ) {
+								$processor->set_attribute( $attribute_name, true );
+							} elseif ( is_string( $value ) ) {
+								$processor->set_attribute( $attribute_name, $args[ $name ] );
+							} else {
+								$processor->remove_attribute( $attribute_name );
+							}
+						} else {
+							$processor->remove_attribute( $attribute_name );
+						}
+
+						continue;
+					}
+
+					// Replace placeholders embedded in otherwise-static attribute values, e.g. `title="Post: </%title>"`.
+					$new_value = preg_replace_callback(
+						'~</%([^>]+)>~',
+						static function ( $matches ) use ( $args ) {
+							return is_string( $args[ $matches[1] ] )
+								? esc_attr( $args[ $matches[1] ] )
+								: '';
+						},
+						$value
+					);
+
+					if ( $new_value !== $value ) {
+						$processor->set_attribute( $attribute_name, $new_value );
+					}
+				}
+
+				// Update TEXTAREA and TITLE contents.
+				$tag_name = $processor->get_tag();
+				if ( 'TEXTAREA' === $tag_name || 'TITLE' === $tag_name ) {
+					// Replace placeholders inside these RCDATA tags.
+					$new_text = preg_replace_callback(
+						'~</%([^>]+)>~',
+						static function ( $matches ) use ( $args ) {
+							return is_string( $args[ $matches[1] ] )
+								? $args[ $matches[1] ]
+								: '';
+						},
+						$text
+					);
+
+					if ( $new_text !== $text ) {
+						$processor->set_modifiable_text( $new_text );
+					}
+				}
+			}
+		}
+
+		return $processor->get_updated_html();
+	}
+}
diff --git a/src/wp-includes/html-api/class-wp-html.php b/src/wp-includes/html-api/class-wp-html.php
new file mode 100644
index 0000000000000..606296d2a9c7c
--- /dev/null
+++ b/src/wp-includes/html-api/class-wp-html.php
@@ -0,0 +1,84 @@
+<?php
+/**
+ * HTML API: WP_HTML class
+ *
+ * Provides a public interface for HTML-related functionality in WordPress.
+ *
+ * @package WordPress
+ * @subpackage HTML-API
+ * @since 6.5.0
+ */
+
+/**
+ * WP_HTML class.
+ *
+ * @since 6.5.0
+ */
+class WP_HTML {
+	/**
+	 * Renders an HTML template, replacing the placeholders with the provided values.
+	 *
+	 * This function looks for placeholders in the template string and will replace
+	 * them with appropriately-escaped substitutions from the given arguments, if
+	 * provided and if those arguments are strings or valid attribute values.
+	 *
+	 * Example:
+	 *
+	 *     echo WP_HTML::render(
+	 *         '<a href="</%profile_url>"></%name></a>',
+	 *         array(
+	 *             'profile_url' => 'https://profiles.example.com/username',
+	 *             'name'        => $user->display_name
+	 *         )
+	 *     );
+	 *     // Outputs: <a href="https://profiles.example.com/username">Bobby Tables</a>
+	 *
+	 * Do not escape the values supplied to the argument array! This function will escape each
+	 * parameter's value as needed and additional manual escaping may lead to incorrect output.
+	 *
+	 * ## Syntax.
+	 *
+	 * ### Substitution Placeholders.
+	 *
+	 *  - `</%named_arg>` finds `named_arg` in the arguments array, escapes its value if possible,
+	 *    and replaces the placeholder with the escaped value. These may exist inside double-quoted
+	 *    HTML tag attributes or in HTML text content between tags. They cannot be used to output a tag
+	 *    name or content inside a comment.
+	 *
+	 * ### Spread Attributes.
+	 *
+	 *  - `...named_arg` when found within an HTML tag will lookup `named_arg` in the arguments array
+	 *    and, if it's an array, will set the attribute on the tag for each key/value pair whose value
+	 *    is a string. The
+	 *
+	 * ## Notes.
+	 *
+	 *  - Attributes may only be supplied for a limited set of types: a string value assigns a double-quoted
+	 *    attribute value; `true` sets the attribute as a boolean attribute; `null` removes the attribute.
+	 *    If provided any other type of value the attribute will be ignored and its existing value persists.
+	 *
+	 *  - If multiple HTML attributes are specified for a given tag they will be applied as if calling
+	 *    `set_attribute()` in the order they are specified in the template. This includes any attributes
+	 *    assigned through the attribute spread syntax.
+	 *
+	 *  - Substitutions in text nodes may only contain string values. If provided any other type of value
+	 *    the placeholder will be removed with nothing in its place.
+	 *
+	 *  - This function currently escapes all value provided in the arguments array. In the future
+	 *    it may provide the ability to nest pre-rendered HTML into the template, but this functionality
+	 *    is deferred for a future update.
+	 *
+	 *  - This function will not replace content inside of SCRIPT, or STYLE elements.
+	 *
+	 * @since 6.5.0
+	 *
+	 * @access private
+	 *
+	 * @param string $template The HTML template.
+	 * @param string $args     Array of key/value pairs providing substitue values for the placeholders.
+	 * @return string The rendered HTML.
+	 */
+	public static function render( $template, $args ) {
+		return WP_HTML_Template::render( $template, $args );
+	}
+}
diff --git a/src/wp-settings.php b/src/wp-settings.php
index 893517a119824..8a79dd3185ec5 100644
--- a/src/wp-settings.php
+++ b/src/wp-settings.php
@@ -252,6 +252,8 @@
 require ABSPATH . WPINC . '/html-api/class-wp-html-token.php';
 require ABSPATH . WPINC . '/html-api/class-wp-html-processor-state.php';
 require ABSPATH . WPINC . '/html-api/class-wp-html-processor.php';
+require ABSPATH . WPINC . '/html-api/class-wp-html-template.php';
+require ABSPATH . WPINC . '/html-api/class-wp-html.php';
 require ABSPATH . WPINC . '/class-wp-http.php';
 require ABSPATH . WPINC . '/class-wp-http-streams.php';
 require ABSPATH . WPINC . '/class-wp-http-curl.php';
diff --git a/tests/phpunit/tests/html-api/wpHtmlTemplate.php b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
new file mode 100644
index 0000000000000..dd4859fb2f14b
--- /dev/null
+++ b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
@@ -0,0 +1,106 @@
+<?php
+/**
+ * Unit tests covering WP_HTML_Template functionality.
+ *
+ * @package WordPress
+ * @subpackage HTML-API
+ *
+ * @since 6.5.0
+ *
+ * @group html-api
+ *
+ * @coversDefaultClass WP_HTML_Template
+ */
+
+class Tests_HtmlApi_WpHtmlTemplate extends WP_UnitTestCase {
+	/**
+	 * Demonstrates how to pass values into an HTML template.
+	 *
+	 * @ticket 60229
+	 */
+	public function test_basic_render() {
+		$html = WP_HTML_Template::render(
+			'<div class="is-test </%class>" ...div-args inert="</%is_inert>">Just a </%count> test</div>',
+			array(
+				'count'    => '<strong>Hi <3</strong>',
+				'class'    => '5>4',
+				'is_inert' => 'inert',
+				'div-args' => array(
+					'class'    => 'hoover',
+					'disabled' => true,
+				),
+			)
+		);
+
+		$this->assertSame(
+			'<div disabled class="hoover"  inert="inert">Just a &lt;strong&gt;Hi &lt;3&lt;/strong&gt; test</div>',
+			$html,
+			'Failed to properly render template.'
+		);
+	}
+
+	/**
+	 * Ensures that basic attacks on attribute names and values are blocked.
+	 *
+	 * @ticket 60229
+	 *
+	 * @covers WP_HTML::render
+	 */
+	public function test_cannot_break_out_of_tag_with_malicious_attribute_name() {
+		$html = WP_HTML_Template::render(
+			'<div class="</%class>" ...args>',
+			array(
+				'class' => '"><script>alert("hi")</script>',
+				'args'  => array(
+					'"> double-quoted escape' => 'busted!',
+					'> tag escape'            => 'busted!',
+				),
+			)
+		);
+
+		// The output here should include an escaped `class` attribute and no others, also no other tags.
+		$processor = new WP_HTML_Tag_Processor( $html );
+		$processor->next_tag();
+
+		$this->assertSame(
+			'DIV',
+			$processor->get_tag(),
+			"Expected to find DIV tag but found {$processor->get_tag()} instead."
+		);
+
+		$this->assertSame(
+			'"><script>alert("hi")</script>',
+			$processor->get_attribute( 'class' ),
+			'Should have found escaped `class` attribute.'
+		);
+
+		$this->assertSame(
+			array( 'class' ),
+			$processor->get_attribute_names_with_prefix( '' ),
+			'Should have set `class` attribute and no others.'
+		);
+
+		$this->assertFalse(
+			$processor->next_tag(),
+			"Should not have found any other tags but found {$processor->get_tag()} instead."
+		);
+	}
+
+	/**
+	 * Ensures that basic replacement inside a TEXTAREA subtitutes placeholders.
+	 *
+	 * @ticket 60229
+	 */
+	public function test_replaces_textarea_placeholders() {
+		$html = WP_HTML_Template::render(
+			'<textarea>The </%big> one.</textarea>',
+			array( 'big' => '<HUGE> (</textarea>)' )
+		);
+
+		$this->assertSame(
+			'<textarea>The <HUGE> (&lt;/textarea>) one.</textarea>',
+			$html,
+			'Should have replaced placeholder with RCDATA escaping rules.'
+		);
+	}
+}

From 24a2d64a2b7f8ea5f29e754c65688f44c6820c20 Mon Sep 17 00:00:00 2001
From: Dennis Snell <dennis.snell@automattic.com>
Date: Mon, 15 Jan 2024 16:56:05 -0600
Subject: [PATCH 2/4] Test refactor of wp_video_shortcut

---
 .../html-api/class-wp-html-tag-processor.php  | 27 +++++++-
 .../html-api/class-wp-html-template.php       |  4 +-
 src/wp-includes/media.php                     | 68 ++++++++++---------
 3 files changed, 64 insertions(+), 35 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
index e0c8df835114c..fe4ac3cba3b64 100644
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -2899,14 +2899,37 @@ public function set_attribute( $name, $value ) {
 		 * > To represent a false value, the attribute has to be omitted altogether.
 		 *     - HTML5 spec, https://html.spec.whatwg.org/#boolean-attributes
 		 */
-		if ( false === $value ) {
+		if ( false === $value || null === $value ) {
 			return $this->remove_attribute( $name );
 		}
 
 		if ( true === $value ) {
 			$updated_attribute = $name;
 		} else {
-			$escaped_new_value = esc_attr( $value );
+			$tag_name        = $this->get_tag();
+			$comparable_name = strtolower( $name );
+
+			/*
+			 * Escape URL attributes.
+			 *
+			 * @see https://html.spec.whatwg.org/#attributes-3
+			 */
+			if (
+				! str_starts_with( $value, 'data:' ) && (
+					'cite' === $comparable_name ||
+					'formaction' === $comparable_name ||
+					'href' === $comparable_name ||
+					'ping' === $comparable_name ||
+					'src' === $comparable_name ||
+					( 'FORM' === $tag_name && 'action' === $comparable_name ) ||
+					( 'OBJECT' === $tag_name && 'data' === $comparable_name ) ||
+					( 'VIDEO' === $tag_name && 'poster' === $comparable_name )
+				)
+			) {
+				$escaped_new_value = esc_url( $value );
+			} else {
+				$escaped_new_value = esc_attr( $value );
+			}
 			$updated_attribute = "{$name}=\"{$escaped_new_value}\"";
 		}
 
diff --git a/src/wp-includes/html-api/class-wp-html-template.php b/src/wp-includes/html-api/class-wp-html-template.php
index 3ad279bf559e1..14ee1b3c670e9 100644
--- a/src/wp-includes/html-api/class-wp-html-template.php
+++ b/src/wp-includes/html-api/class-wp-html-template.php
@@ -110,7 +110,7 @@ public static function render( $template, $args = array() ) {
 						$spread_name = substr( $attribute_name, 3 );
 						if ( isset( $args[ $spread_name ] ) && is_array( $args[ $spread_name ] ) ) {
 							foreach ( $args[ $spread_name ] as $key => $value ) {
-								if ( true === $value || null === $value || is_string( $value ) ) {
+								if ( true === $value || false === $value || null === $value || is_string( $value ) ) {
 									$processor->set_attribute( $key, $value );
 								}
 							}
@@ -131,7 +131,7 @@ public static function render( $template, $args = array() ) {
 
 						if ( array_key_exists( $name, $args ) ) {
 							$value = $args[ $name ];
-							if ( null === $value ) {
+							if ( false === $value || null === $value ) {
 								$processor->remove_attribute( $attribute_name );
 							} elseif ( true === $value ) {
 								$processor->set_attribute( $attribute_name, true );
diff --git a/src/wp-includes/media.php b/src/wp-includes/media.php
index 38ec2213b7506..ecf4fd83b5cef 100644
--- a/src/wp-includes/media.php
+++ b/src/wp-includes/media.php
@@ -381,14 +381,10 @@ function set_post_thumbnail_size( $width = 0, $height = 0, $crop = false ) {
  * @return string HTML IMG element for given image attachment.
  */
 function get_image_tag( $id, $alt, $title, $align, $size = 'medium' ) {
-
 	list( $img_src, $width, $height ) = image_downsize( $id, $size );
-	$hwstring                         = image_hwstring( $width, $height );
-
-	$title = $title ? 'title="' . esc_attr( $title ) . '" ' : '';
 
 	$size_class = is_array( $size ) ? implode( 'x', $size ) : $size;
-	$class      = 'align' . esc_attr( $align ) . ' size-' . esc_attr( $size_class ) . ' wp-image-' . $id;
+	$class      = "align{$align} size-{$size_class} wp-image-{$id}";
 
 	/**
 	 * Filters the value of the attachment's image tag class attribute.
@@ -403,7 +399,19 @@ function get_image_tag( $id, $alt, $title, $align, $size = 'medium' ) {
 	 */
 	$class = apply_filters( 'get_image_tag_class', $class, $id, $align, $size );
 
-	$html = '<img src="' . esc_url( $img_src ) . '" alt="' . esc_attr( $alt ) . '" ' . $title . $hwstring . 'class="' . $class . '" />';
+	$html = WP_HTML::render(
+		<<<'HTML'
+<img src="</%src>" alt="</%alt>" title="</%title>" class="</%class>" height="</%height>" width="</%width>">
+HTML,
+		array(
+			'alt'    => $alt,
+			'class'  => $class,
+			'height' => (string) $height,
+			'src'    => $img_src,
+			'title'  => empty( $title ) ? null : $title,
+			'width'  => (string) $width,
+		)
+	);
 
 	/**
 	 * Filters the HTML content for the image tag.
@@ -3603,37 +3611,24 @@ function wp_video_shortcode( $attr, $content = '' ) {
 	$html_atts = array(
 		'class'    => $atts['class'],
 		'id'       => sprintf( 'video-%d-%d', $post_id, $instance ),
-		'width'    => absint( $atts['width'] ),
-		'height'   => absint( $atts['height'] ),
-		'poster'   => esc_url( $atts['poster'] ),
+		'width'    => (string) absint( $atts['width'] ),
+		'height'   => (string) absint( $atts['height'] ),
+		'poster'   => empty( $atts['poster'] ) ? null : $atts['poster'],
 		'loop'     => wp_validate_boolean( $atts['loop'] ),
 		'autoplay' => wp_validate_boolean( $atts['autoplay'] ),
 		'muted'    => wp_validate_boolean( $atts['muted'] ),
-		'preload'  => $atts['preload'],
+		'preload'  => empty( $atts['preload'] ) ? null : $attr['preload'],
 	);
 
-	// These ones should just be omitted altogether if they are blank.
-	foreach ( array( 'poster', 'loop', 'autoplay', 'preload', 'muted' ) as $a ) {
-		if ( empty( $html_atts[ $a ] ) ) {
-			unset( $html_atts[ $a ] );
-		}
-	}
-
-	$attr_strings = array();
-	foreach ( $html_atts as $k => $v ) {
-		$attr_strings[] = $k . '="' . esc_attr( $v ) . '"';
-	}
-
 	$html = '';
 
 	if ( 'mediaelement' === $library && 1 === $instance ) {
 		$html .= "<!--[if lt IE 9]><script>document.createElement('video');</script><![endif]-->\n";
 	}
 
-	$html .= sprintf( '<video %s controls="controls">', implode( ' ', $attr_strings ) );
+	$html .= WP_HTML::render( '<video controls="controls" ...args>', array( 'args' => $html_atts ) );
 
 	$fileurl = '';
-	$source  = '<source type="%s" src="%s" />';
 
 	foreach ( $default_types as $fallback ) {
 		if ( ! empty( $atts[ $fallback ] ) ) {
@@ -3647,8 +3642,14 @@ function wp_video_shortcode( $attr, $content = '' ) {
 			} else {
 				$type = wp_check_filetype( $atts[ $fallback ], wp_get_mime_types() );
 			}
-			$url   = add_query_arg( '_', $instance, $atts[ $fallback ] );
-			$html .= sprintf( $source, $type['type'], esc_url( $url ) );
+
+			$html .= WP_HTML::render(
+				'<source type="</%source>" src="</%src>">',
+				array(
+					'source' => $type['type'],
+					'src'    => add_query_arg( '_', $instance, $atts[ $fallback ] ),
+				)
+			);
 		}
 	}
 
@@ -3664,11 +3665,16 @@ function wp_video_shortcode( $attr, $content = '' ) {
 	}
 	$html .= '</video>';
 
-	$width_rule = '';
-	if ( ! empty( $atts['width'] ) ) {
-		$width_rule = sprintf( 'width: %dpx;', $atts['width'] );
-	}
-	$output = sprintf( '<div style="%s" class="wp-video">%s</div>', $width_rule, $html );
+	$output = (
+		WP_HTML::render(
+			'<div class="wp-video" style="</%width>">',
+			array(
+				'width' => ! empty( $atts['width'] ) ? "width: {$atts['width']}px;" : null,
+			)
+		) .
+		$html .
+		'</div>'
+	);
 
 	/**
 	 * Filters the output of the video shortcode.

From f841f04c55ec535d98e1b75f099aa1d69998fa41 Mon Sep 17 00:00:00 2001
From: Dennis Snell <dennis.snell@automattic.com>
Date: Mon, 15 Jan 2024 17:12:15 -0600
Subject: [PATCH 3/4] Explore refactors in post-template

---
 src/wp-includes/post-template.php | 38 +++++++++++++++++++------------
 1 file changed, 24 insertions(+), 14 deletions(-)

diff --git a/src/wp-includes/post-template.php b/src/wp-includes/post-template.php
index f6635fdb4dba4..ff4a8668f1247 100644
--- a/src/wp-includes/post-template.php
+++ b/src/wp-includes/post-template.php
@@ -296,19 +296,21 @@ function get_the_content( $more_link_text = null, $strip_teaser = false, $post =
 	}
 
 	if ( null === $more_link_text ) {
-		$more_link_text = sprintf(
-			'<span aria-label="%1$s">%2$s</span>',
-			sprintf(
-				/* translators: %s: Post title. */
-				__( 'Continue reading %s' ),
-				the_title_attribute(
-					array(
-						'echo' => false,
-						'post' => $_post,
+		$more_link_text = WP_HTML::render(
+			'<span aria-label="</%label>"></%title></span>',
+			array(
+				'label' => sprintf(
+					/* translators: %s: Post title. */
+					__( 'Continue reading %s' ),
+					the_title_attribute(
+						array(
+							'echo' => false,
+							'post' => $_post,
+						)
 					)
-				)
-			),
-			__( '(more&hellip;)' )
+				),
+				'title' => __( '(more&hellip;)' ),
+			)
 		);
 	}
 
@@ -359,9 +361,17 @@ function get_the_content( $more_link_text = null, $strip_teaser = false, $post =
 
 	if ( count( $content ) > 1 ) {
 		if ( $elements['more'] ) {
-			$output .= '<span id="more-' . $_post->ID . '"></span>' . $content[1];
+			$output .= WP_HTML::render( '<span id="more-</%id>"></span>', array( 'id' => $_post->ID ) );
+			$output .= $content[1];
 		} else {
 			if ( ! empty( $more_link_text ) ) {
+				$link_html = WP_HTML::render(
+					'<a href="</%post_link>" class="more-link"></%link_text></a>',
+					array(
+						'post_link' => get_permalink( $_post ) . "#more-{$_post->ID}",
+						'link_text' => $more_link_text,
+					)
+				);
 
 				/**
 				 * Filters the Read More link text.
@@ -371,7 +381,7 @@ function get_the_content( $more_link_text = null, $strip_teaser = false, $post =
 				 * @param string $more_link_element Read More link element.
 				 * @param string $more_link_text    Read More text.
 				 */
-				$output .= apply_filters( 'the_content_more_link', ' <a href="' . get_permalink( $_post ) . "#more-{$_post->ID}\" class=\"more-link\">$more_link_text</a>", $more_link_text );
+				$output .= apply_filters( 'the_content_more_link', $link_html, $more_link_text );
 			}
 			$output = force_balance_tags( $output );
 		}

From 6d712f1d813e27d4a93043f757f4b30e96bb690d Mon Sep 17 00:00:00 2001
From: Dennis Snell <dennis.snell@automattic.com>
Date: Mon, 15 Jan 2024 21:10:39 -0600
Subject: [PATCH 4/4] Explore refactor of wp-editor code, adds
 set_modifiable_text()

---
 src/wp-includes/class-wp-editor.php           | 85 +++++++++++++------
 .../html-api/class-wp-html-tag-processor.php  | 44 ++++++++++
 2 files changed, 103 insertions(+), 26 deletions(-)

diff --git a/src/wp-includes/class-wp-editor.php b/src/wp-includes/class-wp-editor.php
index 5d7ba224cc207..7f5ef265c6fbc 100644
--- a/src/wp-includes/class-wp-editor.php
+++ b/src/wp-includes/class-wp-editor.php
@@ -158,12 +158,8 @@ public static function parse_settings( $editor_id, $settings ) {
 	 */
 	public static function editor( $content, $editor_id, $settings = array() ) {
 		$set            = self::parse_settings( $editor_id, $settings );
-		$editor_class   = ' class="' . trim( esc_attr( $set['editor_class'] ) . ' wp-editor-area' ) . '"';
-		$tabindex       = $set['tabindex'] ? ' tabindex="' . (int) $set['tabindex'] . '"' : '';
 		$default_editor = 'html';
 		$buttons        = '';
-		$autocomplete   = '';
-		$editor_id_attr = esc_attr( $editor_id );
 
 		if ( $set['drag_drop_upload'] ) {
 			self::$drag_drop_upload = true;
@@ -180,8 +176,6 @@ public static function editor( $content, $editor_id, $settings = array() ) {
 		}
 
 		if ( self::$this_tinymce ) {
-			$autocomplete = ' autocomplete="off"';
-
 			if ( self::$this_quicktags ) {
 				$default_editor = $set['default_editor'] ? $set['default_editor'] : wp_default_editor();
 				// 'html' is used for the "Text" editor tab.
@@ -189,10 +183,16 @@ public static function editor( $content, $editor_id, $settings = array() ) {
 					$default_editor = 'tinymce';
 				}
 
-				$buttons .= '<button type="button" id="' . $editor_id_attr . '-tmce" class="wp-switch-editor switch-tmce"' .
-					' data-wp-editor-id="' . $editor_id_attr . '">' . _x( 'Visual', 'Name for the Visual editor tab' ) . "</button>\n";
-				$buttons .= '<button type="button" id="' . $editor_id_attr . '-html" class="wp-switch-editor switch-html"' .
-					' data-wp-editor-id="' . $editor_id_attr . '">' . _x( 'Text', 'Name for the Text editor tab (formerly HTML)' ) . "</button>\n";
+				$buttons .= WP_HTML::render( <<<HTML
+ <button type="button" id="</%id>-tmce" class="wp-switch-editor switch-tmce" data-wp-editor-id="</%id>"></%visual_label></button>
+ <button type="button" id="</%id>-html" class="wp-switch-editor switch-html" data-wp-editor-id="</%id>"></%text_label></button>
+HTML,
+					array(
+						'id'           => $editor_id,
+						'text_label'   => _x( 'Text', 'Name for the Text editor tab (formerly HTML)' ),
+						'visual_label' => _x( 'Visual', 'Name for the Visual editor tab' ),
+					)
+				);
 			} else {
 				$default_editor = 'tinymce';
 			}
@@ -201,11 +201,13 @@ public static function editor( $content, $editor_id, $settings = array() ) {
 		$switch_class = 'html' === $default_editor ? 'html-active' : 'tmce-active';
 		$wrap_class   = 'wp-core-ui wp-editor-wrap ' . $switch_class;
 
-		if ( $set['_content_editor_dfw'] ) {
-			$wrap_class .= ' has-dfw';
-		}
-
-		echo '<div id="wp-' . $editor_id_attr . '-wrap" class="' . $wrap_class . '">';
+		echo WP_HTML::render(
+			'<div id="wp-</%id>-wrap" class="wp-core-jui wp-editor-wrap </%has_dfw>">',
+			array(
+				'id'      => $editor_id,
+				'has_dfw' => $set['_content_editor_dfw'] ? 'has-dfw' : '',
+			)
+		);
 
 		if ( self::$editor_buttons_css ) {
 			wp_print_styles( 'editor-buttons' );
@@ -217,7 +219,10 @@ public static function editor( $content, $editor_id, $settings = array() ) {
 		}
 
 		if ( ! empty( $buttons ) || $set['media_buttons'] ) {
-			echo '<div id="wp-' . $editor_id_attr . '-editor-tools" class="wp-editor-tools hide-if-no-js">';
+			echo WP_HTML::render(
+				'<div id="wp-</%id>-editor-tools" class="wp-editor-tools hide-if-no-js">',
+				array( 'id' => $editor_id )
+			);
 
 			if ( $set['media_buttons'] ) {
 				self::$has_medialib = true;
@@ -226,7 +231,10 @@ public static function editor( $content, $editor_id, $settings = array() ) {
 					require ABSPATH . 'wp-admin/includes/media.php';
 				}
 
-				echo '<div id="wp-' . $editor_id_attr . '-media-buttons" class="wp-media-buttons">';
+				echo WP_HTML::render(
+					'<div id="wp-</%id>-media-button" class="wp-media-buttons">',
+					array( 'id' => $editor_id )
+				);
 
 				/**
 				 * Fires after the default media button(s) are displayed.
@@ -249,10 +257,13 @@ public static function editor( $content, $editor_id, $settings = array() ) {
 			if ( 'content' === $editor_id && ! empty( $GLOBALS['current_screen'] ) && 'post' === $GLOBALS['current_screen']->base ) {
 				$toolbar_id = 'ed_toolbar';
 			} else {
-				$toolbar_id = 'qt_' . $editor_id_attr . '_toolbar';
+				$toolbar_id = 'qt_' . $editor_id . '_toolbar';
 			}
 
-			$quicktags_toolbar = '<div id="' . $toolbar_id . '" class="quicktags-toolbar hide-if-no-js"></div>';
+			$quicktags_toolbar = WP_HTML::render(
+				'<div id="</%id>" class="quicktags-toolbar hide-if-no-js"></div>',
+				array( 'id' => $toolbar_id )
+			);
 		}
 
 		/**
@@ -264,10 +275,28 @@ public static function editor( $content, $editor_id, $settings = array() ) {
 		 */
 		$the_editor = apply_filters(
 			'the_editor',
-			'<div id="wp-' . $editor_id_attr . '-editor-container" class="wp-editor-container">' .
+			WP_HTML::render(
+				'<div id="wp-</%id>-editor-container" class="wp-editor-container">',
+				array( 'id' => $editor_id )
+			) .
 			$quicktags_toolbar .
-			'<textarea' . $editor_class . $height . $tabindex . $autocomplete . ' cols="40" name="' . esc_attr( $set['textarea_name'] ) . '" ' .
-			'id="' . $editor_id_attr . '">%s</textarea></div>'
+			WP_HTML::render(
+				<<<'HTML'
+<textarea class="</%editor_class>" ...height tabindex="</%tabindex>"
+ autocomplete="</%autocomplete>" cols="40" name="</%name>" id="</%id>">%s</textarea>
+HTML,
+				array(
+					'autocomplete' => self::$this_tinymce ? 'off' : null,
+					'editor_class' => trim( "{$set['editor_class']} wp-editor-area" ),
+					'height'       => ! empty( $set['editor_height'] )
+						? array( 'style' => "height: {$set['editor_height']}px;" )
+						: array( 'rows' => (string) $set['textarea_rows'] ),
+					'id'           => $editor_id,
+					'name'         => $set['textarea_name'],
+					'tabindex'     => $set['tabindex'] ? (string) $set['tabindex'] : null,
+				)
+			) .
+			'</div>'
 		);
 
 		// Prepare the content for the Visual or Text editor, only when TinyMCE is used (back-compat).
@@ -300,12 +329,16 @@ public static function editor( $content, $editor_id, $settings = array() ) {
 			$content = apply_filters_deprecated( 'richedit_pre', array( $content ), '4.3.0', 'format_for_editor' );
 		}
 
-		if ( false !== stripos( $content, 'textarea' ) ) {
-			$content = preg_replace( '%</textarea%i', '&lt;/textarea', $content );
+		$processor = new WP_HTML_Tag_Processor( $the_editor );
+		while ( $processor->next_tag( 'TEXTAREA' ) ) {
+			if ( $editor_id === $processor->get_attribute( 'id' ) ) {
+				$processor->set_modifiable_text( $content );
+				break;
+			}
 		}
+		$the_editor = $processor->get_updated_html();
 
-		printf( $the_editor, $content );
-		echo "\n</div>\n\n";
+		echo "{$the_editor}\n</div>\n\n";
 
 		self::editor_settings( $editor_id, $set );
 	}
diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
index fe4ac3cba3b64..fa86d8a28dec6 100644
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -2826,6 +2826,50 @@ public function get_modifiable_text() {
 		return $decoded;
 	}
 
+	/**
+	 * Sets the modifiable text for the matched token, if possible.
+	 *
+	 * @param string $text Replace the modifiable text with this string.
+	 * @return bool Whether the modifiable text was updated.
+	 */
+	public function set_modifiable_text( $text ) {
+		if ( null === $this->text_starts_at || ! is_string( $text ) ) {
+			return false;
+		}
+
+		switch ( $this->get_token_name() ) {
+			case '#text':
+				$this->lexical_updates[] = new WP_HTML_Text_Replacement(
+					$this->text_starts_at,
+					$this->text_length,
+					esc_html( $text )
+				);
+				break;
+
+			case 'TEXTAREA':
+				$this->lexical_updates[] = new WP_HTML_Text_Replacement(
+					$this->text_starts_at,
+					$this->text_length,
+					preg_replace( '~</textarea~i', '&lt;/textarea', $text )
+				);
+				break;
+
+			case 'TITLE':
+				$this->lexical_updates[] = new WP_HTML_Text_Replacement(
+					$this->text_starts_at,
+					$this->text_length,
+					preg_replace( '~</title~i', '&lt;/title', $text )
+				);
+				break;
+
+			default:
+				return false;
+		}
+
+		$this->get_updated_html();
+		return true;
+	}
+
 	/**
 	 * Updates or creates a new attribute on the currently matched tag with the passed value.
 	 *