Preserve more Core behaviors

Author: dmsnell

src/wp-includes/formatting.php

@@ -1079,8 +1079,8 @@ function _esc_attr_single_pass_utf8( $text ) {
 					 * There's an established valid numeric character reference. Trim its leading zeros
 					 * unless it's a single quote, in which case there's an exception for legacy `'`.
 					 */
-					$zero       = 39 === $code_point ? '0' : '';
-					$hex_prefix = 16 === $numeric_base ? 'x' : '';
+					$zero       = ( 10 === $numeric_base && 39 === $code_point ) ? '0' : '';
+					$hex_prefix = 16 === $numeric_base ? $text[ $at + 2 ] : '';
 					$digits     = strtoupper( substr( $text, $digits_at, $digit_count ) );
 					$output    .= '&#' . $hex_prefix . $zero . $digits . ';';
 					$at         = $num_at + 1;

tests/phpunit/tests/formatting/escAttr.php

@@ -31,4 +31,67 @@ public function test_esc_attr_amp() {
 		$out = esc_attr( 'foo & bar &baz;  ' );
 		$this->assertSame( 'foo & bar &baz;  ', $out );
 	}
+
+	/**
+	 * Verifies the conversion of various kinds of decimal numeric references.
+	 *
+	 * @ticket {TICKET_NUMBER}
+	 *
+	 * @dataProvider data_decimal_numeric_references
+	 *
+	 * @param string $input  Attribute value with decimal character references.
+	 * @param string $output How WordPress is expected to transform the attribute value.
+	 */
+	public function test_converts_decimal_numeric_references( $input, $output ) {
+		$this->assertSame( $output, esc_attr( $input ), 'Failed to properly convert input.' );
+	}
+
+	/**
+	 * Data provider.
+	 *
+	 * @return array[].
+	 */
+	public function data_decimal_numeric_references() {
+		return array(
+			'Basic decimal'       => array( '‣', '‣' ),
+			'Control character'   => array( '', '' ),
+			'Leading zeros'       => array( 'A', 'A' ),
+			'Leading zeros on \'' => array( ''', ''' ),
+			'Leading zero  on \'' => array( ''', ''' ),
+			'Surrogate half'      => array( '�', '�' ),
+			'Code point too high' => array( '�', '�' ),
+		);
+	}
+
+	/**
+	 * Verifies the conversion of various kinds of hexadecimal numeric references.
+	 *
+	 * @ticket {TICKET_NUMBER}
+	 *
+	 * @dataProvider data_hexadecimal_numeric_references
+	 *
+	 * @param string $input  Attribute value with hexadecimal character references.
+	 * @param string $output How WordPress is expected to transform the attribute value.
+	 */
+	public function test_converts_hexadecimal_numeric_references( $input, $output ) {
+		$this->assertSame( $output, esc_attr( $input ), 'Failed to properly convert input.' );
+	}
+
+	/**
+	 * Data provider.
+	 *
+	 * @return array[].
+	 */
+	public function data_hexadecimal_numeric_references() {
+		return array(
+			'Basic lower hex'     => array( '‣', '‣' ),
+			'Basic upper hex'     => array( '‣', '‣' ),
+			'Control character'   => array( '', '' ),
+			'Leading zeros'       => array( 'e', 'e' ),
+			'Leading zeros on \'' => array( ''', ''' ),
+			'Leading zero  on \'' => array( ''', ''' ),
+			'Surrogate half'      => array( '�', '�' ),
+			'Code point too high' => array( '', '' ),
+		);
+	}
 }