Fix srcset URI sanitization for URLs with commas

CDN image resizers (e.g. Cloudflare) use commas in URL paths
like cdn-cgi/image/format=auto,quality=80,width=412/...
which were incorrectly split by the naive comma-based
preg_split in wp_kses_sanitize_uris(). This rewrites the
splitting to use the srcset descriptor pattern (e.g. 480w,
2x) as entry boundaries, preserving commas within URLs.
Also preserves original whitespace around separators instead
of normalizing with implode.

Author: adamsilverstein

src/wp-includes/kses.php

@@ -1686,19 +1686,46 @@ function wp_kses_sanitize_uris( $attrname, $attrvalue, $allowed_protocols, $mult
 
 	if ( ! in_array( strtolower( $attrname ), $uris, true ) ) {
 		return $attrvalue;
-	} else {
-		if ( in_array( strtolower( $attrname ), $multi_uri, true ) ) {
-			$thesevals = preg_split( '/\s*,\s*/', $attrvalue );
-		} else {
-			$thesevals = array( $attrvalue );
-		}
 	}
 
-	foreach ( (array) $thesevals as $key => $val ) {
-		$thesevals[ $key ] = wp_kses_bad_protocol( $val, $allowed_protocols );
+	if ( in_array( strtolower( $attrname ), $multi_uri, true ) ) {
+		/*
+		 * Parse srcset-style attributes using the descriptor to find entry boundaries.
+		 *
+		 * Srcset entries are: URL [descriptor], URL [descriptor], ...
+		 * Descriptors match patterns like "480w" or "2x".
+		 *
+		 * A naive split on commas breaks URLs that contain commas internally
+		 * (e.g. CDN image resizer URLs like cdn-cgi/image/format=auto,quality=80/...).
+		 *
+		 * Instead, split on: whitespace + descriptor + comma (+ optional whitespace).
+		 * This correctly identifies only the commas that separate srcset entries.
+		 */
+		$parts  = preg_split( '/(\s+\d+[wx]\s*,\s*)/i', $attrvalue, -1, PREG_SPLIT_DELIM_CAPTURE );
+		$result = '';
+
+		for ( $i = 0, $len = count( $parts ); $i < $len; $i++ ) {
+			if ( preg_match( '/^\s+\d+[wx]\s*,\s*$/i', $parts[ $i ] ) ) {
+				// This is a delimiter: space + descriptor + comma. Append it as-is.
+				$result .= $parts[ $i ];
+			} else {
+				// This is a URL (possibly with a trailing descriptor for the last entry).
+				$entry = $parts[ $i ];
+				if ( preg_match( '/^(\s*)(.*?)(\s+\d+[wx])?\s*$/i', $entry, $m ) ) {
+					$leading_ws = $m[1];
+					$url        = $m[2];
+					$descriptor = isset( $m[3] ) ? $m[3] : '';
+					$result    .= $leading_ws . wp_kses_bad_protocol( $url, $allowed_protocols ) . $descriptor;
+				} else {
+					$result .= wp_kses_bad_protocol( $entry, $allowed_protocols );
+				}
+			}
+		}
+
+		return $result;
 	}
 
-	return implode( ', ', $thesevals );
+	return wp_kses_bad_protocol( $attrvalue, $allowed_protocols );
 }
 
 /**

tests/phpunit/tests/kses.php

@@ -2502,7 +2502,7 @@ public function data_wp_kses_srcset() {
 			),
 			array(
 				'http://localhost/test.png,big 1x, bad://localhost/test.png,medium 2x',
-				'http://localhost/test.png, big 1x, //localhost/test.png, medium 2x',
+				'http://localhost/test.png,big 1x, //localhost/test.png,medium 2x',
 			),
 			array(
 				'path/to/test.png 1x, path/to/test-2x.png 2x',
@@ -2580,8 +2580,8 @@ public function data_wp_kses_srcset_edge_cases() {
 			// Test an empty srcset.
 			array( '', '' ),
 
-			// Srcset with extra whitespace.
-			array( '  image1.jpg 1x  ,   image2.jpg 2x  ', '  image1.jpg 1x, image2.jpg 2x  ' ),
+			// Srcset with extra whitespace (trailing whitespace trimmed, internal spacing preserved).
+			array( '  image1.jpg 1x  ,   image2.jpg 2x  ', '  image1.jpg 1x  ,   image2.jpg 2x' ),
 
 			// Srcset with single URL and no descriptor.
 			array( 'image.jpg', 'image.jpg' ),