fix: add type and data-ajax-nonce to button kses allowlist#879

Merged
superdav42 merged 2 commits into main from bugfix/kses-strips-button-nonce on Apr 15, 2026

Conversation

@superdav42
Collaborator

@superdav42 superdav42 commented Apr 15, 2026

Summary

  • Adds type and data-ajax-nonce to the <button> allowlist in wu_kses_allowed_html(), fixing the setup wizard Network Activate button

Root Cause

The setup wizard requirements table HTML passes through wp_kses() twice — once in field-note.php (line 33) and again in default.php (line 20). The <button> element's kses allowlist only permitted disabled, name, and value.

This stripped two critical attributes from the Network Activate button:

Attribute             | Effect of stripping
type="button"         | Button defaults to type="submit", submitting the wizard form instead of firing the AJAX handler
data-ajax-nonce="..." | JS reads undefined, sends no nonce → server responds {"success":false,"data":[{"code":"bad-nonce",...}]}

PR #875 correctly moved the JS to an external file and switched to _ajax_nonce / data-ajax-nonce, but the button attributes were still stripped by wp_kses() before reaching the browser.

Fix

One-line change to inc/functions/helper.php — adds type and data-ajax-nonce to the button's kses allowlist. Both are standard HTML attributes that pose no XSS risk.

Verification

Tested on http://wordpress.local:8080 setup wizard:

  • Button renders with type="button" and data-ajax-nonce="<valid>" in DOM
  • AJAX request sends _ajax_nonce=<value> in POST body
  • Server responds {"success":true}
  • Page reloads with plugin network-activated

Summary by CodeRabbit

  • Bug Fixes
    • Updated button element attribute handling to properly support additional functionality.

The setup wizard requirements table HTML passes through wp_kses()
twice (field-note.php and default.php templates). The button element's
kses allowlist only permitted disabled, name, and value — stripping
type="button" and data-ajax-nonce from the Network Activate button.

Without type="button", the click submits the parent form instead of
triggering the AJAX handler. Without data-ajax-nonce, the JS reads
undefined and the server rejects the request with bad-nonce.

PR #875 correctly moved the JS to an external file and changed the
nonce field to _ajax_nonce, but the button attributes were still
stripped before reaching the browser.
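To make the allowlist behaviour concrete, here is an added example (not the plugin's own code) that runs a button in the shape of the Network Activate button through wp_kses() with the allowlist entry as the PR describes it before and after the fix. It assumes WordPress is loaded so that wp_kses() is available (for instance via `wp eval-file`); the helper name wu_example_attribute_names(), the markup and the nonce placeholder are constructed for this example.

```php
<?php
/**
 * Added illustrative example; not the plugin's own code. Assumes WordPress is
 * loaded so that wp_kses() exists (e.g. run with `wp eval-file kses-button-check.php`).
 * wu_example_attribute_names() and the markup below are constructed for this example.
 */

// The <button> allowlist entry as the PR describes it before the fix:
// only disabled, name and value survive wp_kses().
$before_fix = array(
	'button' => array(
		'disabled' => true,
		'name'     => true,
		'value'    => true,
	),
);

// The same entry after the fix: type and data-ajax-nonce are named explicitly,
// which is narrower than a 'data-*' wildcard entry would be.
$after_fix = array(
	'button' => array(
		'disabled'        => true,
		'name'            => true,
		'value'           => true,
		'type'            => true,
		'data-ajax-nonce' => true,
	),
);

// Constructed markup in the shape of the Network Activate button; the nonce
// value is a placeholder, not a real wp_create_nonce() output.
$button_html = '<button type="button" name="network_activate" value="1" data-ajax-nonce="NONCE_PLACEHOLDER">Network Activate</button>';

/**
 * Run markup through wp_kses() with the given allowlist and return the
 * attribute names that survive, in document order.
 */
function wu_example_attribute_names( $html, $allowed_html ) {
	$filtered = wp_kses( $html, $allowed_html );
	preg_match_all( '/\s([a-z][a-z0-9-]*)=/', $filtered, $matches );
	return $matches[1];
}

$survivors_before = wu_example_attribute_names( $button_html, $before_fix );
$survivors_after  = wu_example_attribute_names( $button_html, $after_fix );

// The bug: type and data-ajax-nonce are absent from the "before" list,
// so the button submits the form and the AJAX handler sees no nonce.
foreach ( array( 'type', 'data-ajax-nonce' ) as $attr ) {
	printf(
		"%-16s before fix: %s  after fix: %s\n",
		$attr,
		in_array( $attr, $survivors_before, true ) ? 'kept' : 'STRIPPED',
		in_array( $attr, $survivors_after, true ) ? 'kept' : 'STRIPPED'
	);
}

// The templates filter the table twice; with the allowlist fixed the second
// pass must not remove anything the first pass kept.
$once  = wp_kses( $button_html, $after_fix );
$twice = wp_kses( $once, $after_fix );
echo ( $once === $twice ) ? "second wp_kses() pass is idempotent\n" : "second pass changed the markup\n";
```

In the plugin itself the two entries belong in wu_kses_allowed_html(), as the PR does, rather than in an ad-hoc array at the call site, so every template that filters the table gets the same allowlist. WordPress's allowlist format also accepts a data-* wildcard key; naming the single attribute the JS needs is the narrower, least-privilege choice and is what this PR does.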
superdav42 added the "bug" label (Something isn't working) on Apr 15, 2026
@coderabbitai
Contributor

coderabbitai bot commented Apr 15, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9caf0d81-5286-474f-b0ed-6afdf7dc7f2b

📥 Commits

Reviewing files that changed from the base of the PR and between 44c629d and f860fa5.

📒 Files selected for processing (1)
  • inc/functions/helper.php

📝 Walkthrough

Walkthrough

The wu_kses_allowed_html() function in inc/functions/helper.php was modified to permit additional attributes on button elements: type and data-ajax-nonce. Existing attributes were also reordered within the allowlist.

Changes

Cohort / File(s)                                                   | Summary
HTML Sanitization Allowlist Update (inc/functions/helper.php)      | Extended button element's allowed attributes to include type and data-ajax-nonce; reordered existing disabled, name, and value entries.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A button grows new powers bright,
With types and nonces held just right,
The allowlist expands with care,
So AJAX whispers float through air! ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name         | Status    | Explanation
Description Check  | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check        | ✅ Passed | The title accurately and specifically describes the main change: adding type and data-ajax-nonce attributes to the button kses allowlist, which directly addresses the root cause of the bug described in the PR objectives.
Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.


@github-actions

🔨 Build Complete - Ready for Testing!

📦 Download Build Artifact (Recommended)

Download the zip build, upload to WordPress and test:

🌐 Test in WordPress Playground (Very Experimental)

Click the link below to instantly test this PR in your browser - no installation needed!
Playground support for multisite is very limited; hopefully it will get better in the future.

🚀 Launch in Playground

Login credentials: admin / password

@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 15, 2026

Performance Test Results

Performance test results for 9908421 are in 🛎️!

Note: the numbers in parentheses show the difference to the previous (baseline) test run. Differences below 2% or 0.5 in absolute values are not shown.

URL: /

Run | DB Queries | Memory   | Before Template              | Template  | WP Total   | LCP        | TTFB       | LCP - TTFB
0   | 40         | 37.78 MB | 876.00 ms                    | 163.50 ms | 1066.00 ms | 2042.00 ms | 1953.10 ms | 89.50 ms (-5.40 ms / -6%)
1   | 56         | 49.03 MB | 911.50 ms (-20.00 ms / -2%)  | 147.50 ms | 1056.50 ms | 2056.00 ms | 1975.55 ms | 81.85 ms

@superdav42 superdav42 merged commit 524108c into main Apr 15, 2026
11 checks passed