KSES: Allow CSS anchor positioning in safecss_filter_attr()

[dhrupo]

Summary

Allow CSS anchor positioning in safecss_filter_attr() so it is no longer stripped from style attributes filtered through KSES.

Trac ticket: https://core.trac.wordpress.org/ticket/64972

Problem

On trunk, every anchor positioning declaration is stripped:

safecss_filter_attr( 'anchor-name: --tooltip' );        // ''
safecss_filter_attr( 'position-anchor: --tooltip' );    // ''
safecss_filter_attr( 'top: anchor(--tooltip bottom)' ); // ''
safecss_filter_attr( 'width: anchor-size(--tooltip width)' ); // ''

This is two separate gaps:

1. The anchor positioning properties are not in the safe_style_css allowlist.
2. The anchor() and anchor-size() functions are not in the allowlist of CSS functions. safecss_filter_attr() rejects any declaration whose value still contains a function call after the known functions (var, calc, min, max, minmax, clamp, repeat) are removed.

Why a properties-only fix is not enough

There is an existing PR, #11419, which adds the anchor positioning properties only. That is necessary but not sufficient: anchor positioning is driven by the anchor() and anchor-size() functions used in standard inset and sizing properties (e.g. top: anchor(--tooltip bottom), width: anchor-size(--tooltip width)). Because those functions are not allowlisted, such declarations are still stripped, so the feature remains unusable after #11419, and its test only exercises simple values such as position-area: top so the gap is not caught.

This PR is a superset of #11419: it adds the same properties and the anchor() / anchor-size() functions, with tests that cover the function usage.

Changes

• Add the anchor positioning properties to the safe_style_css allowlist: anchor-name, anchor-scope, position-anchor, position-area, position-try, position-try-fallbacks, position-try-order, position-visibility.
• Add anchor and anchor-size to the allowed CSS functions, handled the same way as the existing var()/calc()/clamp() allowlist. Unknown functions such as expression() are still stripped, so sanitization is not weakened.
• Update the @since docblock.
• Add regression tests covering the properties, the anchor()/anchor-size() functions (including nesting inside calc()), and that an unknown function is still rejected.

Testing instructions

phpunit --filter Tests_Kses tests/phpunit/tests/kses.php

Or manually:

// Before this change all of these return ''. After, each is preserved:
safecss_filter_attr( 'anchor-name: --tooltip' );
safecss_filter_attr( 'top: anchor(--tooltip bottom)' );
safecss_filter_attr( 'width: anchor-size(--tooltip width)' );
safecss_filter_attr( 'margin-left: calc(anchor-size(width) / 2)' );
// Still stripped (sanitization preserved):
safecss_filter_attr( 'width: expression(alert(1))' ); // ''

Relationship to #11419

This supersedes #11419, which only allowlists the properties. If preferred, the property list here could instead be merged into #11419 and this PR reduced to the function allowlist — happy to coordinate either way.

Use of AI Tools

• AI assistance: Yes
• Tool(s): Claude Code
• Model(s): Claude Opus 4.8
• Used for: Root-cause analysis (identifying the function-allowlist gap missed by the properties-only patch), drafting the change and the PHPUnit tests. All changes were reviewed, reproduced against trunk in the wordpress-develop Docker environment, and verified with PHPUnit and PHPCS by me.

[github-actions]

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Core Committers: Use this line as a base for the props when committing in SVN:

Props dhrupo.

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

[github-actions]

Hi there! 👋

Thank you for your contribution to WordPress! 💖

It looks like this is your first pull request to wordpress-develop. Here are a few things to be aware of that may help you out!

No one monitors this repository for new pull requests. Pull requests must be attached to a Trac ticket to be considered for inclusion in WordPress Core. To attach a pull request to a Trac ticket, please include the ticket's full URL in your pull request description.

Pull requests are never merged on GitHub. The WordPress codebase continues to be managed through the SVN repository that this GitHub repository mirrors. Please feel free to open pull requests to work on any contribution you are making.

More information about how GitHub pull requests can be used to contribute to WordPress can be found in the Core Handbook.

Please include automated tests. Including tests in your pull request is one way to help your patch be considered faster. To learn about WordPress' test suites, visit the Automated Testing page in the handbook.

If you have not had a chance, please review the Contribute with Code page in the WordPress Core Handbook.

The Developer Hub also documents the various coding standards that are followed:

• PHP Coding Standards
• CSS Coding Standards
• HTML Coding Standards
• JavaScript Coding Standards
• Accessibility Coding Standards
• Inline Documentation Standards

Thank you,
The WordPress Project

[github-actions]

Test using WordPress Playground

The changes in this pull request can previewed and tested using a WordPress Playground instance.

WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser.

Some things to be aware of

• All changes will be lost when closing a tab with a Playground instance.
• All changes will be lost when refreshing the page.
• A fresh instance is created each time the link below is clicked.
• Every time this pull request is updated, a new ZIP file containing all changes is created. If changes are not reflected in the Playground instance,
  it's possible that the most recent build failed, or has not completed. Check the list of workflow runs to be sure.

For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation.

Test this pull request with WordPress Playground.