From 957a3e85ae45616dca10b3ec8a0277c3ff7d0b7d Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Tue, 23 Dec 2025 20:11:08 +0100
Subject: [PATCH 01/66] First sketching on templates

---
 .../html-api/class-wp-html-template.php       |  63 ++++++++
 src/wp-settings.php                           |   1 +
 .../phpunit/tests/html-api/wpHtmlTemplate.php | 146 ++++++++++++++++++
 3 files changed, 210 insertions(+)
 create mode 100644 src/wp-includes/html-api/class-wp-html-template.php
 create mode 100644 tests/phpunit/tests/html-api/wpHtmlTemplate.php

diff --git a/src/wp-includes/html-api/class-wp-html-template.php b/src/wp-includes/html-api/class-wp-html-template.php
new file mode 100644
index 0000000000000..5cd17a19d4a20
--- /dev/null
+++ b/src/wp-includes/html-api/class-wp-html-template.php
@@ -0,0 +1,63 @@
+<?php
+/**
+ * HTML API: WP_HTML_Template class
+ *
+ * @package WordPress
+ * @subpackage HTML-API
+ * @since 7.0.0
+ */
+
+class WP_HTML_Template {
+	/**
+	 * The template string.
+	 *
+	 * @since 7.0.0
+	 *
+	 * @var string
+	 */
+	private string $template_string;
+
+	private function __construct( string $template_string ) {
+		$this->template_string = $template_string;
+	}
+
+	/**
+	 * @todo remove type hint from argument.
+	 * @todo obviously bad name…
+	 */
+	public static function sprintf( string $template_string, array $replacements = array() ): string {
+		return self::from( $template_string )->render( $replacements );
+	}
+
+	/**
+	 * @todo remove type hint from argument.
+	 */
+	public static function from( string $template_string ): static {
+		if ( ! is_string( $template_string ) ) {
+			_doing_it_wrong(
+				__METHOD__,
+				__( 'The template string must be a string.' ),
+				'7.0.0'
+			);
+			$template_string = '';
+		}
+
+		return new static( $template_string );
+	}
+
+	/**
+	 * @todo remove type hint from argument.
+	 */
+	public function render( array $replacements ): string {
+		if ( ! is_array( $replacements ) ) {
+			_doing_it_wrong(
+				__METHOD__,
+				__( 'The replacements must be an array.' ),
+				'7.0.0'
+			);
+			$replacements = array();
+		}
+
+		return WP_HTML_Processor::normalize( $this->template_string );
+	}
+}
diff --git a/src/wp-settings.php b/src/wp-settings.php
index 60c220100f539..b80167116f541 100644
--- a/src/wp-settings.php
+++ b/src/wp-settings.php
@@ -276,6 +276,7 @@
 require ABSPATH . WPINC . '/html-api/class-wp-html-stack-event.php';
 require ABSPATH . WPINC . '/html-api/class-wp-html-processor-state.php';
 require ABSPATH . WPINC . '/html-api/class-wp-html-processor.php';
+require ABSPATH . WPINC . '/html-api/class-wp-html-template.php';
 require ABSPATH . WPINC . '/class-wp-block-processor.php';
 require ABSPATH . WPINC . '/class-wp-http.php';
 require ABSPATH . WPINC . '/class-wp-http-streams.php';
diff --git a/tests/phpunit/tests/html-api/wpHtmlTemplate.php b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
new file mode 100644
index 0000000000000..c65eb13f0c803
--- /dev/null
+++ b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
@@ -0,0 +1,146 @@
+<?php
+/**
+ * Unit tests covering WP_HTML_Template functionality.
+ *
+ * @package WordPress
+ * @subpackage HTML-API
+ *
+ * @since 7.0.0
+ *
+ * @group html-api
+ * @group TBD
+ *
+ * @coversDefaultClass WP_HTML_Template
+ */
+
+use WP_HTML_Template as T;
+
+class Tests_HtmlApi_WpHtmlTemplate extends WP_UnitTestCase {
+	public function test_1() {
+		$t = T::from( '<p>Hello, </%name>!</p>' );
+		$result = $t->render( array( 'name' => 'World' ) );
+		$this->assertSame( $result, T::sprintf( '<p>Hello, </%name>!</p>', array( 'name' => 'World' ) ) );
+
+		$expected =
+			<<<'HTML'
+			<p>Hello, World!</p>
+			HTML;
+		$this->assertEqualHTML( $expected, $result );
+	}
+
+	public function test_2() {
+		$template_string = '<p>Hello, </%placeholder>!</p>';
+		$replacements = array( 'placeholder' => 'Alice & Bob' );
+
+		$t = T::from( $template_string );
+		$result = $t->render( $replacements );
+		$this->assertSame( $result, T::sprintf( $template_string, $replacements ) );
+
+		$expected =
+			<<<'HTML'
+			<p>Hello, Alice &amp; Bob!</p>
+			HTML;
+		$this->assertEqualHTML( $expected, $result );
+	}
+
+	public function test_3() {
+		$template_string = '<p>Hello, </%1>, </%1>, </%2>, & </%2>!</p>';
+		$replacements = array( 'Alice', 'Bob' );
+
+		$t = T::from( $template_string );
+		$result = $t->render( $replacements );
+		$this->assertSame( $result, T::sprintf( $template_string, $replacements ) );
+
+		$expected =
+			<<<'HTML'
+			<p>Hello, Alice, Alice, Bob, &amp; Bob!</p>
+			HTML;
+		$this->assertEqualHTML( $expected, $result );
+	}
+
+	public function test_4() {
+		$template_string = '<p>Hello, </%html>';
+		$replacements = array( 'html' => T::from( '<i>Alice</i> & <i>Bob</i>' ) );
+
+		$t = T::from( $template_string );
+		$result = $t->render( $replacements );
+		$this->assertSame( $result, T::sprintf( $template_string, $replacements ) );
+
+		$expected =
+			<<<'HTML'
+			<p>Hello, <i>Alice</i> &amp; <i>Bob</i></p>
+			HTML;
+		$this->assertEqualHTML( $expected, $result );
+	}
+
+	public function test_attr() {
+		$template_string = '<meta name="</%n>" content="</%c>">';
+		$replacements = array(
+			'n' => 'the name',
+			'c' => 'the "content" & whatever else',
+		);
+
+		$t = T::from( $template_string );
+		$result = $t->render( $replacements );
+		$this->assertSame( $result, T::sprintf( $template_string, $replacements ) );
+
+		$expected =
+			<<<'HTML'
+			<meta name="name" content="the &quot;content&quot; &amp; whatever else">
+			HTML;
+		$this->assertEqualHTML( $expected, $result );
+	}
+
+	/**
+	 * @expectedIncorrectUsage WP_HTML_Template::render
+	 */
+	public function test_attr_rejects_html() {
+		$template_string = '<meta name="not-allowed" description="</%html>">';
+		$replacements = array(
+			'html' => T::from( '<strong>This is not allowed!</strong>') ,
+		);
+		$this->assertFalse( T::sprintf( $template_string, $replacements ) );
+	}
+
+	/**
+	 * @dataProvider data_template
+	 *
+	 * @ticket 60229
+	 * @covers ::from
+	 * @covers ::render
+	 */
+	public function xtest_template( string $template_string, array $replacements, string $expected ) {
+		$result = WP_HTML_Template::sprintf( $template_string, $replacements );
+		$this->assertEqualHTML( $expected, $result );
+	}
+
+	public static function data_template() {
+		return array(
+			'Basic template' => array(
+				'<p>Hi!</p>',
+				array(),
+				'<p>Hi!</p>',
+			),
+
+			'HTML text replacement (basic)' => array(
+				'<p>Hello, </%name>!</p>',
+				array( 'name' => 'World!' ),
+				'<p>Hello, World!</p>',
+			),
+
+			'HTML text replacement (escaped)' => array(
+				'<p>Hello, </%name>!</p>',
+				array( 'name' => '<little-bobby-tags>' ),
+				'<p>Hello, &lt;little-bobby-tags&gt;</p>',
+			),
+
+			'HTML replacement with template' => array(
+				'<p>Hello, </%name>!</p>',
+				array(
+					'name' => WP_HTML_Template::from( '<i>World</i>' )
+				),
+				'<p>Hello, <i>World</i>!</p>',
+			),
+		);
+	}
+}

From afc63eb9d69e03978686bee3b41b5a964a034244 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Mon, 2 Feb 2026 16:10:11 +0100
Subject: [PATCH 02/66] DROPME: Collect examples

---
 templating-examples.php | 205 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 205 insertions(+)
 create mode 100644 templating-examples.php

diff --git a/templating-examples.php b/templating-examples.php
new file mode 100644
index 0000000000000..2c9e4e80b83f3
--- /dev/null
+++ b/templating-examples.php
@@ -0,0 +1,205 @@
+<?php
+/**
+ * HTML Templating API - Usage Examples
+ *
+ * This file documents real patterns from WordPress core that could benefit
+ * from the WP_HTML_Template API. These are reference examples for API design.
+ *
+ * @see Trac #60229 - HTML API: Introduce HTML Templating
+ */
+
+die( 'demonstration - not for execution' );
+
+/**
+ * =============================================================================
+ * PATTERN 1: Translation functions with embedded HTML
+ * =============================================================================
+ *
+ * These patterns have HTML tags directly in the translatable string.
+ * Translators see the HTML, which is problematic.
+ */
+
+// src/wp-includes/functions.php:1620
+// Simple HTML tag in translation
+wp_die( __( '<strong>Error:</strong> This is not a valid feed template.' ), '', array( 'response' => 404 ) );
+
+// src/wp-includes/functions.php:1844-1845
+// Link with placeholder inside translation
+$wpdb->error = sprintf(
+	/* translators: %s: Database repair URL. */
+	__( 'One or more database tables are unavailable. The database may need to be <a href="%s">repaired</a>.' ),
+	'maint/repair.php?referrer=is_blog_installed'
+);
+
+// src/wp-admin/edit-form-advanced.php:185
+// HTML wrapper injected as sprintf parameter
+$messages['post'][9] = sprintf( __( 'Post scheduled for: %s.' ), '<strong>' . $scheduled_date . '</strong>' ) . $scheduled_post_link_html;
+
+// src/wp-admin/revision.php:145-147
+// Multiple strong tags for emphasis in help text
+$revisions_overview .= '<ul><li>' . __( 'To navigate between revisions, <strong>drag the slider handle left or right</strong> or <strong>use the Previous or Next buttons</strong>.' ) . '</li>';
+$revisions_overview .= '<li>' . __( 'Compare two different revisions by <strong>selecting the &#8220;Compare any two revisions&#8221; box</strong> to the side.' ) . '</li>';
+$revisions_overview .= '<li>' . __( 'To restore a revision, <strong>click Restore This Revision</strong>.' ) . '</li></ul>';
+
+// src/wp-includes/theme.php:978-979
+// Context translation (_x) with HTML error prefix
+return new WP_Error(
+	'theme_wp_php_incompatible',
+	sprintf(
+		/* translators: %s: Theme name. */
+		_x( '<strong>Error:</strong> Current WordPress and PHP versions do not meet minimum requirements for %s.', 'theme' ),
+		$theme->display( 'Name' )
+	)
+);
+
+// src/wp-includes/widgets/class-wp-widget-text.php:542
+// Complex: _e() with embedded link and HTML entities
+_e( 'Did you know there is a &#8220;Custom HTML&#8221; widget now? You can find it by pressing the &#8220;<a class="add-widget" href="#">Add a Widget</a>&#8221; button and searching for &#8220;HTML&#8221;. Check it out to add some custom code to your site!' );
+
+// src/wp-includes/blocks/comments-title.php:29
+// HTML entities (curly quotes) in translation
+$post_title = sprintf( __( '&#8220;%s&#8221;' ), get_the_title() );
+
+// src/wp-includes/blocks/latest-posts.php:164-166
+// Complex nested HTML with multiple escaped placeholders
+$trimmed_excerpt .= sprintf(
+	/* translators: 1: A URL to a post, 2: Hidden accessibility text: Post title */
+	__( '… <a class="wp-block-latest-posts__read-more" href="%1$s" rel="noopener noreferrer">Read more<span class="screen-reader-text">: %2$s</span></a>' ),
+	esc_url( $post_link ),
+	esc_html( $title )
+);
+
+// src/wp-admin/includes/class-plugin-upgrader.php:60
+// HTML span wrapping another placeholder (double sprintf)
+$this->strings['downloading_package'] = sprintf( __( 'Downloading update from %s&#8230;' ), '<span class="code pre">%s</span>' );
+
+// src/wp-admin/includes/privacy-tools.php:404
+// Code tag wrapping technical reference
+sprintf( __( 'The %s post meta must be an array.' ), '<code>_export_data_grouped</code>' );
+
+// src/wp-admin/widgets.php:24
+// Full paragraph with embedded documentation link
+wp_die( __( 'The theme you are currently using is not widget-aware, meaning that it has no sidebars that you are able to change. For information on making your theme widget-aware, please <a href="https://developer.wordpress.org/themes/functionality/widgets/">follow these instructions</a>.' ) );
+
+// src/wp-admin/revision.php:158
+// Link in translation without placeholders
+$revisions_sidebar .= '<p>' . __( '<a href="https://wordpress.org/documentation/article/revisions/">Revisions Management</a>' ) . '</p>';
+
+
+/**
+ * =============================================================================
+ * PATTERN 2: sprintf with manual escaping (non-translation)
+ * =============================================================================
+ *
+ * These patterns require developers to choose the correct escape function
+ * for each context (esc_url, esc_attr, esc_html).
+ */
+
+// src/wp-includes/blocks/post-title.php:41
+// Link with multiple escaped attributes
+$rel   = ! empty( $attributes['rel'] ) ? 'rel="' . esc_attr( $attributes['rel'] ) . '"' : '';
+$title = sprintf(
+	'<a href="%1$s" target="%2$s" %3$s>%4$s</a>',
+	esc_url( get_the_permalink( $block->context['postId'] ) ),
+	esc_attr( $attributes['linkTarget'] ),
+	$rel,    // Note: $rel already has esc_attr inside
+	$title   // Note: $title escaping unclear
+);
+
+// src/wp-includes/blocks/avatar.php:68
+// Similar link pattern for avatar
+$avatar_block = sprintf(
+	'<a href="%1$s" target="%2$s" %3$s class="wp-block-avatar__link">%4$s</a>',
+	esc_url( get_author_posts_url( $author_id ) ),
+	esc_attr( $attributes['linkTarget'] ),
+	$label,        // aria-label attribute, already escaped
+	$avatar_block  // Inner HTML
+);
+
+// src/wp-includes/formatting.php:3476
+// Image tag with esc_url and esc_attr
+return sprintf(
+	'<img src="%s" alt="%s" class="wp-smiley" style="height: 1em; max-height: 1em;" />',
+	esc_url( $src_url ),
+	esc_attr( $smiley )
+);
+
+// src/wp-includes/class-wp-styles.php:204-211
+// Link tag with nested sprintf for conditional attribute
+$tag = sprintf(
+	"<link rel='%s' id='%s-css'%s href='%s' media='%s' />\n",
+	$rel,                                                    // Not escaped
+	esc_attr( $handle ),
+	$title ? sprintf( " title='%s'", esc_attr( $title ) ) : '',
+	$href,                                                   // Not escaped
+	esc_attr( $media )
+);
+
+
+/**
+ * =============================================================================
+ * PATTERN 3: Building aria-label attributes
+ * =============================================================================
+ */
+
+// src/wp-includes/blocks/avatar.php:65
+// Aria label with translation and escaping
+$label = 'aria-label="' . esc_attr( sprintf( __( '(%s author archive, opens in a new tab)' ), $author_name ) ) . '"';
+
+
+/**
+ * =============================================================================
+ * POTENTIAL TEMPLATING ALTERNATIVES
+ * =============================================================================
+ *
+ * How these patterns could look with WP_HTML_Template.
+ */
+
+/*
+ * OPTION A: Template wraps translation (structure in code, text translated)
+ *
+ * HTML structure stays in PHP code, only text content is translated.
+ */
+
+// Instead of: __( '<strong>Error:</strong> This is not a valid feed template.' )
+WP_HTML_Template::render(
+	'<strong></%label></strong> </%message>',
+	array(
+		'label'   => __( 'Error:' ),
+		'message' => __( 'This is not a valid feed template.' ),
+	)
+);
+
+// Instead of: sprintf( __( 'Post scheduled for: %s.' ), '<strong>' . $date . '</strong>' )
+WP_HTML_Template::render(
+	__( 'Post scheduled for: %s.', 'template-placeholder' ), // Special handling?
+	// Or:
+	'</%before><strong></%date></strong></%after>',
+	array(
+		'before' => __( 'Post scheduled for: ' ),
+		'date'   => $scheduled_date,
+		'after'  => '',
+	)
+);
+
+/*
+ * OPTION B: Translation contains template placeholders
+ *
+ * Translated string includes the </%name> syntax directly.
+ * This is closer to how WordPress translations work today.
+ */
+
+// Instead of: sprintf( __( '... <a href="%s">repaired</a>.' ), $url )
+WP_HTML_Template::render(
+	__( 'One or more database tables are unavailable. The database may need to be <a href="</%url>">repaired</a>.' ),
+	array( 'url' => 'maint/repair.php?referrer=is_blog_installed' )
+);
+
+// Instead of: sprintf( __( '... href="%1$s" ... %2$s ...' ), esc_url($url), esc_html($title) )
+WP_HTML_Template::render(
+	__( '… <a class="wp-block-latest-posts__read-more" href="</%url>" rel="noopener noreferrer">Read more<span class="screen-reader-text">: </%title></span></a>' ),
+	array(
+		'url'   => $post_link,   // Auto-escaped as URL in href context
+		'title' => $title,       // Auto-escaped as text in text context
+	)
+);

From 75ecbe70b9500f4df53bebefcb16b283cdbce207 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Mon, 2 Feb 2026 17:43:14 +0100
Subject: [PATCH 03/66] Introduce test suite based on existing examples

---
 .../phpunit/tests/html-api/wpHtmlTemplate.php | 230 ++++++++++++++++++
 1 file changed, 230 insertions(+)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTemplate.php b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
index c65eb13f0c803..e27c4ebb0ee2c 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTemplate.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
@@ -143,4 +143,234 @@ public static function data_template() {
 			),
 		);
 	}
+
+	/**
+	 * Test real-world patterns from WordPress core.
+	 *
+	 * @dataProvider data_real_world_examples
+	 *
+	 * @ticket 60229
+	 * @covers ::sprintf
+	 */
+	public function test_real_world_examples( string $template_string, array $replacements, string $expected ) {
+		$result = WP_HTML_Template::sprintf( $template_string, $replacements );
+		$this->assertEqualHTML( $expected, $result );
+	}
+
+	/**
+	 * Data provider with real-world patterns from WordPress core.
+	 *
+	 * Each test case is based on actual code patterns found in WordPress core
+	 * that could benefit from the WP_HTML_Template API.
+	 *
+	 * @return array[]
+	 */
+	public static function data_real_world_examples() {
+		return array(
+			/*
+			 * Group 1: Simple sprintf patterns with manual escaping.
+			 *
+			 * These patterns currently require developers to manually choose
+			 * the correct escape function (esc_url, esc_attr, esc_html).
+			 */
+
+			// src/wp-includes/formatting.php:3476 - Smiley image
+			'formatting.php:3476 - smiley image tag' => array(
+				'<img src="</%src>" alt="</%alt>" class="wp-smiley" style="height: 1em; max-height: 1em;" />',
+				array(
+					'src' => 'https://example.com/smilies/:).png',
+					'alt' => ':)',
+				),
+				'<img src="https://example.com/smilies/:).png" alt=":)" class="wp-smiley" style="height: 1em; max-height: 1em;" />',
+			),
+
+			// src/wp-includes/blocks/post-title.php:41 - Post title link
+			'blocks/post-title.php:41 - post title link' => array(
+				'<a href="</%url>" target="</%target>"></%title></a>',
+				array(
+					'url'    => 'https://example.com/hello-world/',
+					'target' => '_blank',
+					'title'  => 'Hello World',
+				),
+				'<a href="https://example.com/hello-world/" target="_blank">Hello World</a>',
+			),
+
+			// Same pattern with escaping needed
+			'blocks/post-title.php:41 - post title link with special chars' => array(
+				'<a href="</%url>" target="</%target>"></%title></a>',
+				array(
+					'url'    => 'https://example.com/hello-world/?foo=1&bar=2',
+					'target' => '_blank',
+					'title'  => 'Hello <World> & "Friends"',
+				),
+				'<a href="https://example.com/hello-world/?foo=1&amp;bar=2" target="_blank">Hello &lt;World&gt; &amp; "Friends"</a>',
+			),
+
+			/*
+			 * Group 2: Translation patterns with embedded HTML.
+			 *
+			 * These patterns have HTML directly in translatable strings.
+			 */
+
+			// src/wp-includes/functions.php:1620 - Error message (static, no placeholders)
+			'functions.php:1620 - static error message' => array(
+				'<strong>Error:</strong> This is not a valid feed template.',
+				array(),
+				'<strong>Error:</strong> This is not a valid feed template.',
+			),
+
+			// src/wp-includes/functions.php:1844-1845 - Database repair link
+			'functions.php:1844 - database repair link' => array(
+				'One or more database tables are unavailable. The database may need to be <a href="</%url>">repaired</a>.',
+				array(
+					'url' => 'maint/repair.php?referrer=is_blog_installed',
+				),
+				'One or more database tables are unavailable. The database may need to be <a href="maint/repair.php?referrer=is_blog_installed">repaired</a>.',
+			),
+
+			// src/wp-admin/edit-form-advanced.php:185 - Scheduled post date
+			'edit-form-advanced.php:185 - scheduled post date' => array(
+				'Post scheduled for: <strong></%date></strong>.',
+				array(
+					'date' => 'March 15, 2025 at 10:30 am',
+				),
+				'Post scheduled for: <strong>March 15, 2025 at 10:30 am</strong>.',
+			),
+
+			// src/wp-includes/blocks/latest-posts.php:164-166 - Read more link with nested elements
+			'blocks/latest-posts.php:164 - read more link with screen reader text' => array(
+				'… <a class="wp-block-latest-posts__read-more" href="</%url>" rel="noopener noreferrer">Read more<span class="screen-reader-text">: </%title></span></a>',
+				array(
+					'url'   => 'https://example.com/my-post/',
+					'title' => 'My Amazing Post',
+				),
+				'… <a class="wp-block-latest-posts__read-more" href="https://example.com/my-post/" rel="noopener noreferrer">Read more<span class="screen-reader-text">: My Amazing Post</span></a>',
+			),
+
+			// Same pattern with escaping needed
+			'blocks/latest-posts.php:164 - read more with XSS attempt' => array(
+				'… <a class="wp-block-latest-posts__read-more" href="</%url>" rel="noopener noreferrer">Read more<span class="screen-reader-text">: </%title></span></a>',
+				array(
+					'url'   => 'javascript:alert("xss")',
+					'title' => '<script>alert("xss")</script>',
+				),
+				'… <a class="wp-block-latest-posts__read-more" href="javascript:alert(&quot;xss&quot;)" rel="noopener noreferrer">Read more<span class="screen-reader-text">: &lt;script&gt;alert("xss")&lt;/script&gt;</span></a>',
+			),
+
+			// src/wp-includes/theme.php:978-979 - Theme error with name
+			'theme.php:978 - theme error message' => array(
+				'<strong>Error:</strong> Current WordPress and PHP versions do not meet minimum requirements for </%theme_name>.',
+				array(
+					'theme_name' => 'Twenty Twenty-Five',
+				),
+				'<strong>Error:</strong> Current WordPress and PHP versions do not meet minimum requirements for Twenty Twenty-Five.',
+			),
+
+			// src/wp-admin/includes/privacy-tools.php:404 - Code tag in error
+			'privacy-tools.php:404 - code in error message' => array(
+				'The <code></%meta_key></code> post meta must be an array.',
+				array(
+					'meta_key' => '_export_data_grouped',
+				),
+				'The <code>_export_data_grouped</code> post meta must be an array.',
+			),
+
+			/*
+			 * Group 3: Edge cases.
+			 */
+
+			// Placeholder reuse (same placeholder multiple times)
+			'placeholder reuse' => array(
+				'<label for="</%id>">Name:</label> <input id="</%id>" name="</%id>" type="text" />',
+				array(
+					'id' => 'user_name',
+				),
+				'<label for="user_name">Name:</label> <input id="user_name" name="user_name" type="text" />',
+			),
+
+			// Numeric placeholders like sprintf
+			'numeric placeholders' => array(
+				'<a href="</%0>"></%1></a> by <a href="</%2>"></%3></a>',
+				array(
+					'https://example.com/post/',
+					'Post Title',
+					'https://example.com/author/',
+					'Author Name',
+				),
+				'<a href="https://example.com/post/">Post Title</a> by <a href="https://example.com/author/">Author Name</a>',
+			),
+
+			// Nested template (pre-escaped HTML)
+			'nested template for complex structure' => array(
+				'<div class="error"></%icon> </%message></div>',
+				array(
+					'icon'    => WP_HTML_Template::from( '<span class="dashicons dashicons-warning"></span>' ),
+					'message' => 'Something went wrong.',
+				),
+				'<div class="error"><span class="dashicons dashicons-warning"></span> Something went wrong.</div>',
+			),
+
+			// Empty replacement
+			'empty replacement value' => array(
+				'<p>Hello</%suffix></p>',
+				array(
+					'suffix' => '',
+				),
+				'<p>Hello</p>',
+			),
+
+			// HTML entities in template (should be preserved)
+			'HTML entities in template' => array(
+				'<p>&#8220;</%quote>&#8221;</p>',
+				array(
+					'quote' => 'Hello World',
+				),
+				'<p>&#8220;Hello World&#8221;</p>',
+			),
+
+			// Multiple attributes on same element
+			'multiple attributes on element' => array(
+				'<input type="</%type>" name="</%name>" value="</%value>" placeholder="</%placeholder>" />',
+				array(
+					'type'        => 'text',
+					'name'        => 'user_email',
+					'value'       => 'test@example.com',
+					'placeholder' => 'Enter your email',
+				),
+				'<input type="text" name="user_email" value="test@example.com" placeholder="Enter your email" />',
+			),
+
+			// Attribute value with quotes and special characters
+			'attribute with quotes and ampersands' => array(
+				'<a href="</%url>" title="</%title>">Link</a>',
+				array(
+					'url'   => 'https://example.com/?a=1&b=2',
+					'title' => 'Click "here" for Tom & Jerry',
+				),
+				'<a href="https://example.com/?a=1&amp;b=2" title="Click &quot;here&quot; for Tom &amp; Jerry">Link</a>',
+			),
+
+			// Self-closing void element
+			'self-closing meta tag' => array(
+				'<meta name="</%name>" content="</%content>">',
+				array(
+					'name'    => 'description',
+					'content' => 'A page about "cats" & dogs',
+				),
+				'<meta name="description" content="A page about &quot;cats&quot; &amp; dogs">',
+			),
+
+			// src/wp-includes/blocks/avatar.php:68 - Complex link with aria-label
+			'blocks/avatar.php:68 - avatar link' => array(
+				'<a href="</%url>" target="</%target>" aria-label="</%aria_label>" class="wp-block-avatar__link"></%inner></a>',
+				array(
+					'url'        => 'https://example.com/author/johndoe/',
+					'target'     => '_blank',
+					'aria_label' => '(John Doe author archive, opens in a new tab)',
+					'inner'      => WP_HTML_Template::from( '<img src="https://example.com/avatar.jpg" alt="John Doe" />' ),
+				),
+				'<a href="https://example.com/author/johndoe/" target="_blank" aria-label="(John Doe author archive, opens in a new tab)" class="wp-block-avatar__link"><img src="https://example.com/avatar.jpg" alt="John Doe" /></a>',
+			),
+		);
+	}
 }

From 52836b96826618c4e2f23ac380fcb4d86fe3623c Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Mon, 2 Feb 2026 17:58:28 +0100
Subject: [PATCH 04/66] yield + nowdoc

---
 .../phpunit/tests/html-api/wpHtmlTemplate.php | 370 ++++++++++--------
 1 file changed, 202 insertions(+), 168 deletions(-)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTemplate.php b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
index e27c4ebb0ee2c..91eb966bf2512 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTemplate.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
@@ -166,211 +166,245 @@ public function test_real_world_examples( string $template_string, array $replac
 	 * @return array[]
 	 */
 	public static function data_real_world_examples() {
-		return array(
-			/*
-			 * Group 1: Simple sprintf patterns with manual escaping.
-			 *
-			 * These patterns currently require developers to manually choose
-			 * the correct escape function (esc_url, esc_attr, esc_html).
-			 */
-
-			// src/wp-includes/formatting.php:3476 - Smiley image
-			'formatting.php:3476 - smiley image tag' => array(
-				'<img src="</%src>" alt="</%alt>" class="wp-smiley" style="height: 1em; max-height: 1em;" />',
-				array(
-					'src' => 'https://example.com/smilies/:).png',
-					'alt' => ':)',
-				),
-				'<img src="https://example.com/smilies/:).png" alt=":)" class="wp-smiley" style="height: 1em; max-height: 1em;" />',
+		/*
+		 * Group 1: Simple sprintf patterns with manual escaping.
+		 *
+		 * These patterns currently require developers to manually choose
+		 * the correct escape function (esc_url, esc_attr, esc_html).
+		 */
+
+		// src/wp-includes/formatting.php:3476 - Smiley image
+		yield 'formatting.php:3476 - smiley image tag' => array(
+			<<<'HTML'
+			<img src="</%src>" alt="</%alt>" class="wp-smiley" style="height: 1em; max-height: 1em;" />
+			HTML,
+			array(
+				'src' => 'https://example.com/smilies/:).png',
+				'alt' => ':)',
 			),
+			<<<'HTML'
+			<img src="https://example.com/smilies/:).png" alt=":)" class="wp-smiley" style="height: 1em; max-height: 1em;" />
+			HTML,
+		);
 
-			// src/wp-includes/blocks/post-title.php:41 - Post title link
-			'blocks/post-title.php:41 - post title link' => array(
-				'<a href="</%url>" target="</%target>"></%title></a>',
-				array(
-					'url'    => 'https://example.com/hello-world/',
-					'target' => '_blank',
-					'title'  => 'Hello World',
-				),
-				'<a href="https://example.com/hello-world/" target="_blank">Hello World</a>',
+		// src/wp-includes/blocks/post-title.php:41 - Post title link
+		yield 'blocks/post-title.php:41 - post title link' => array(
+			'<a href="</%url>" target="</%target>"></%title></a>',
+			array(
+				'url'    => 'https://example.com/hello-world/',
+				'target' => '_blank',
+				'title'  => 'Hello World',
 			),
+			'<a href="https://example.com/hello-world/" target="_blank">Hello World</a>',
+		);
 
-			// Same pattern with escaping needed
-			'blocks/post-title.php:41 - post title link with special chars' => array(
-				'<a href="</%url>" target="</%target>"></%title></a>',
-				array(
-					'url'    => 'https://example.com/hello-world/?foo=1&bar=2',
-					'target' => '_blank',
-					'title'  => 'Hello <World> & "Friends"',
-				),
-				'<a href="https://example.com/hello-world/?foo=1&amp;bar=2" target="_blank">Hello &lt;World&gt; &amp; "Friends"</a>',
+		// Same pattern with escaping needed
+		yield 'blocks/post-title.php:41 - post title link with special chars' => array(
+			'<a href="</%url>" target="</%target>"></%title></a>',
+			array(
+				'url'    => 'https://example.com/hello-world/?foo=1&bar=2',
+				'target' => '_blank',
+				'title'  => <<<'TEXT'
+				Hello <World> & "Friends"
+				TEXT,
 			),
+			<<<'HTML'
+			<a href="https://example.com/hello-world/?foo=1&amp;bar=2" target="_blank">Hello &lt;World&gt; &amp; "Friends"</a>
+			HTML,
+		);
 
-			/*
-			 * Group 2: Translation patterns with embedded HTML.
-			 *
-			 * These patterns have HTML directly in translatable strings.
-			 */
-
-			// src/wp-includes/functions.php:1620 - Error message (static, no placeholders)
-			'functions.php:1620 - static error message' => array(
-				'<strong>Error:</strong> This is not a valid feed template.',
-				array(),
-				'<strong>Error:</strong> This is not a valid feed template.',
-			),
+		/*
+		 * Group 2: Translation patterns with embedded HTML.
+		 *
+		 * These patterns have HTML directly in translatable strings.
+		 */
+
+		// src/wp-includes/functions.php:1620 - Error message (static, no placeholders)
+		yield 'functions.php:1620 - static error message' => array(
+			'<strong>Error:</strong> This is not a valid feed template.',
+			array(),
+			'<strong>Error:</strong> This is not a valid feed template.',
+		);
 
-			// src/wp-includes/functions.php:1844-1845 - Database repair link
-			'functions.php:1844 - database repair link' => array(
-				'One or more database tables are unavailable. The database may need to be <a href="</%url>">repaired</a>.',
-				array(
-					'url' => 'maint/repair.php?referrer=is_blog_installed',
-				),
-				'One or more database tables are unavailable. The database may need to be <a href="maint/repair.php?referrer=is_blog_installed">repaired</a>.',
+		// src/wp-includes/functions.php:1844-1845 - Database repair link
+		yield 'functions.php:1844 - database repair link' => array(
+			<<<'HTML'
+			One or more database tables are unavailable. The database may need to be <a href="</%url>">repaired</a>.
+			HTML,
+			array(
+				'url' => 'maint/repair.php?referrer=is_blog_installed',
 			),
+			<<<'HTML'
+			One or more database tables are unavailable. The database may need to be <a href="maint/repair.php?referrer=is_blog_installed">repaired</a>.
+			HTML,
+		);
 
-			// src/wp-admin/edit-form-advanced.php:185 - Scheduled post date
-			'edit-form-advanced.php:185 - scheduled post date' => array(
-				'Post scheduled for: <strong></%date></strong>.',
-				array(
-					'date' => 'March 15, 2025 at 10:30 am',
-				),
-				'Post scheduled for: <strong>March 15, 2025 at 10:30 am</strong>.',
+		// src/wp-admin/edit-form-advanced.php:185 - Scheduled post date
+		yield 'edit-form-advanced.php:185 - scheduled post date' => array(
+			'Post scheduled for: <strong></%date></strong>.',
+			array(
+				'date' => 'March 15, 2025 at 10:30 am',
 			),
+			'Post scheduled for: <strong>March 15, 2025 at 10:30 am</strong>.',
+		);
 
-			// src/wp-includes/blocks/latest-posts.php:164-166 - Read more link with nested elements
-			'blocks/latest-posts.php:164 - read more link with screen reader text' => array(
-				'… <a class="wp-block-latest-posts__read-more" href="</%url>" rel="noopener noreferrer">Read more<span class="screen-reader-text">: </%title></span></a>',
-				array(
-					'url'   => 'https://example.com/my-post/',
-					'title' => 'My Amazing Post',
-				),
-				'… <a class="wp-block-latest-posts__read-more" href="https://example.com/my-post/" rel="noopener noreferrer">Read more<span class="screen-reader-text">: My Amazing Post</span></a>',
+		// src/wp-includes/blocks/latest-posts.php:164-166 - Read more link with nested elements
+		yield 'blocks/latest-posts.php:164 - read more link with screen reader text' => array(
+			<<<'HTML'
+			… <a class="wp-block-latest-posts__read-more" href="</%url>" rel="noopener noreferrer">Read more<span class="screen-reader-text">: </%title></span></a>
+			HTML,
+			array(
+				'url'   => 'https://example.com/my-post/',
+				'title' => 'My Amazing Post',
 			),
+			<<<'HTML'
+			… <a class="wp-block-latest-posts__read-more" href="https://example.com/my-post/" rel="noopener noreferrer">Read more<span class="screen-reader-text">: My Amazing Post</span></a>
+			HTML,
+		);
 
-			// Same pattern with escaping needed
-			'blocks/latest-posts.php:164 - read more with XSS attempt' => array(
-				'… <a class="wp-block-latest-posts__read-more" href="</%url>" rel="noopener noreferrer">Read more<span class="screen-reader-text">: </%title></span></a>',
-				array(
-					'url'   => 'javascript:alert("xss")',
-					'title' => '<script>alert("xss")</script>',
-				),
-				'… <a class="wp-block-latest-posts__read-more" href="javascript:alert(&quot;xss&quot;)" rel="noopener noreferrer">Read more<span class="screen-reader-text">: &lt;script&gt;alert("xss")&lt;/script&gt;</span></a>',
+		// Same pattern with escaping needed
+		yield 'blocks/latest-posts.php:164 - read more with XSS attempt' => array(
+			<<<'HTML'
+			… <a class="wp-block-latest-posts__read-more" href="</%url>" rel="noopener noreferrer">Read more<span class="screen-reader-text">: </%title></span></a>
+			HTML,
+			array(
+				'url'   => 'javascript:alert("xss")',
+				'title' => '<script>alert("xss")</script>',
 			),
+			<<<'HTML'
+			… <a class="wp-block-latest-posts__read-more" href="javascript:alert(&quot;xss&quot;)" rel="noopener noreferrer">Read more<span class="screen-reader-text">: &lt;script&gt;alert("xss")&lt;/script&gt;</span></a>
+			HTML,
+		);
 
-			// src/wp-includes/theme.php:978-979 - Theme error with name
-			'theme.php:978 - theme error message' => array(
-				'<strong>Error:</strong> Current WordPress and PHP versions do not meet minimum requirements for </%theme_name>.',
-				array(
-					'theme_name' => 'Twenty Twenty-Five',
-				),
-				'<strong>Error:</strong> Current WordPress and PHP versions do not meet minimum requirements for Twenty Twenty-Five.',
+		// src/wp-includes/theme.php:978-979 - Theme error with name
+		yield 'theme.php:978 - theme error message' => array(
+			<<<'HTML'
+			<strong>Error:</strong> Current WordPress and PHP versions do not meet minimum requirements for </%theme_name>.
+			HTML,
+			array(
+				'theme_name' => 'Twenty Twenty-Five',
 			),
+			<<<'HTML'
+			<strong>Error:</strong> Current WordPress and PHP versions do not meet minimum requirements for Twenty Twenty-Five.
+			HTML,
+		);
 
-			// src/wp-admin/includes/privacy-tools.php:404 - Code tag in error
-			'privacy-tools.php:404 - code in error message' => array(
-				'The <code></%meta_key></code> post meta must be an array.',
-				array(
-					'meta_key' => '_export_data_grouped',
-				),
-				'The <code>_export_data_grouped</code> post meta must be an array.',
+		// src/wp-admin/includes/privacy-tools.php:404 - Code tag in error
+		yield 'privacy-tools.php:404 - code in error message' => array(
+			'The <code></%meta_key></code> post meta must be an array.',
+			array(
+				'meta_key' => '_export_data_grouped',
 			),
+			'The <code>_export_data_grouped</code> post meta must be an array.',
+		);
 
-			/*
-			 * Group 3: Edge cases.
-			 */
+		/*
+		 * Group 3: Edge cases.
+		 */
 
-			// Placeholder reuse (same placeholder multiple times)
-			'placeholder reuse' => array(
-				'<label for="</%id>">Name:</label> <input id="</%id>" name="</%id>" type="text" />',
-				array(
-					'id' => 'user_name',
-				),
-				'<label for="user_name">Name:</label> <input id="user_name" name="user_name" type="text" />',
+		// Placeholder reuse (same placeholder multiple times)
+		yield 'placeholder reuse' => array(
+			'<label for="</%id>">Name:</label> <input id="</%id>" name="</%id>" type="text" />',
+			array(
+				'id' => 'user_name',
 			),
+			'<label for="user_name">Name:</label> <input id="user_name" name="user_name" type="text" />',
+		);
 
-			// Numeric placeholders like sprintf
-			'numeric placeholders' => array(
-				'<a href="</%0>"></%1></a> by <a href="</%2>"></%3></a>',
-				array(
-					'https://example.com/post/',
-					'Post Title',
-					'https://example.com/author/',
-					'Author Name',
-				),
-				'<a href="https://example.com/post/">Post Title</a> by <a href="https://example.com/author/">Author Name</a>',
+		// Numeric placeholders like sprintf
+		yield 'numeric placeholders' => array(
+			'<a href="</%0>"></%1></a> by <a href="</%2>"></%3></a>',
+			array(
+				'https://example.com/post/',
+				'Post Title',
+				'https://example.com/author/',
+				'Author Name',
 			),
+			'<a href="https://example.com/post/">Post Title</a> by <a href="https://example.com/author/">Author Name</a>',
+		);
 
-			// Nested template (pre-escaped HTML)
-			'nested template for complex structure' => array(
-				'<div class="error"></%icon> </%message></div>',
-				array(
-					'icon'    => WP_HTML_Template::from( '<span class="dashicons dashicons-warning"></span>' ),
-					'message' => 'Something went wrong.',
-				),
-				'<div class="error"><span class="dashicons dashicons-warning"></span> Something went wrong.</div>',
+		// Nested template (pre-escaped HTML)
+		yield 'nested template for complex structure' => array(
+			'<div class="error"></%icon> </%message></div>',
+			array(
+				'icon'    => WP_HTML_Template::from( '<span class="dashicons dashicons-warning"></span>' ),
+				'message' => 'Something went wrong.',
 			),
+			'<div class="error"><span class="dashicons dashicons-warning"></span> Something went wrong.</div>',
+		);
 
-			// Empty replacement
-			'empty replacement value' => array(
-				'<p>Hello</%suffix></p>',
-				array(
-					'suffix' => '',
-				),
-				'<p>Hello</p>',
+		// Empty replacement
+		yield 'empty replacement value' => array(
+			'<p>Hello</%suffix></p>',
+			array(
+				'suffix' => '',
 			),
+			'<p>Hello</p>',
+		);
 
-			// HTML entities in template (should be preserved)
-			'HTML entities in template' => array(
-				'<p>&#8220;</%quote>&#8221;</p>',
-				array(
-					'quote' => 'Hello World',
-				),
-				'<p>&#8220;Hello World&#8221;</p>',
+		// HTML entities in template (should be preserved)
+		yield 'HTML entities in template' => array(
+			'<p>&#8220;</%quote>&#8221;</p>',
+			array(
+				'quote' => 'Hello World',
 			),
+			'<p>&#8220;Hello World&#8221;</p>',
+		);
 
-			// Multiple attributes on same element
-			'multiple attributes on element' => array(
-				'<input type="</%type>" name="</%name>" value="</%value>" placeholder="</%placeholder>" />',
-				array(
-					'type'        => 'text',
-					'name'        => 'user_email',
-					'value'       => 'test@example.com',
-					'placeholder' => 'Enter your email',
-				),
-				'<input type="text" name="user_email" value="test@example.com" placeholder="Enter your email" />',
+		// Multiple attributes on same element
+		yield 'multiple attributes on element' => array(
+			'<input type="</%type>" name="</%name>" value="</%value>" placeholder="</%placeholder>" />',
+			array(
+				'type'        => 'text',
+				'name'        => 'user_email',
+				'value'       => 'test@example.com',
+				'placeholder' => 'Enter your email',
 			),
+			'<input type="text" name="user_email" value="test@example.com" placeholder="Enter your email" />',
+		);
 
-			// Attribute value with quotes and special characters
-			'attribute with quotes and ampersands' => array(
-				'<a href="</%url>" title="</%title>">Link</a>',
-				array(
-					'url'   => 'https://example.com/?a=1&b=2',
-					'title' => 'Click "here" for Tom & Jerry',
-				),
-				'<a href="https://example.com/?a=1&amp;b=2" title="Click &quot;here&quot; for Tom &amp; Jerry">Link</a>',
+		// Attribute value with quotes and special characters
+		yield 'attribute with quotes and ampersands' => array(
+			'<a href="</%url>" title="</%title>">Link</a>',
+			array(
+				'url'   => 'https://example.com/?a=1&b=2',
+				'title' => <<<'TEXT'
+				Click "here" for Tom & Jerry
+				TEXT,
 			),
+			<<<'HTML'
+			<a href="https://example.com/?a=1&amp;b=2" title="Click &quot;here&quot; for Tom &amp; Jerry">Link</a>
+			HTML,
+		);
 
-			// Self-closing void element
-			'self-closing meta tag' => array(
-				'<meta name="</%name>" content="</%content>">',
-				array(
-					'name'    => 'description',
-					'content' => 'A page about "cats" & dogs',
-				),
-				'<meta name="description" content="A page about &quot;cats&quot; &amp; dogs">',
+		// Self-closing void element
+		yield 'self-closing meta tag' => array(
+			'<meta name="</%name>" content="</%content>">',
+			array(
+				'name'    => 'description',
+				'content' => <<<'TEXT'
+				A page about "cats" & dogs
+				TEXT,
 			),
+			<<<'HTML'
+			<meta name="description" content="A page about &quot;cats&quot; &amp; dogs">
+			HTML,
+		);
 
-			// src/wp-includes/blocks/avatar.php:68 - Complex link with aria-label
-			'blocks/avatar.php:68 - avatar link' => array(
-				'<a href="</%url>" target="</%target>" aria-label="</%aria_label>" class="wp-block-avatar__link"></%inner></a>',
-				array(
-					'url'        => 'https://example.com/author/johndoe/',
-					'target'     => '_blank',
-					'aria_label' => '(John Doe author archive, opens in a new tab)',
-					'inner'      => WP_HTML_Template::from( '<img src="https://example.com/avatar.jpg" alt="John Doe" />' ),
-				),
-				'<a href="https://example.com/author/johndoe/" target="_blank" aria-label="(John Doe author archive, opens in a new tab)" class="wp-block-avatar__link"><img src="https://example.com/avatar.jpg" alt="John Doe" /></a>',
+		// src/wp-includes/blocks/avatar.php:68 - Complex link with aria-label
+		yield 'blocks/avatar.php:68 - avatar link' => array(
+			<<<'HTML'
+			<a href="</%url>" target="</%target>" aria-label="</%aria_label>" class="wp-block-avatar__link"></%inner></a>
+			HTML,
+			array(
+				'url'        => 'https://example.com/author/johndoe/',
+				'target'     => '_blank',
+				'aria_label' => '(John Doe author archive, opens in a new tab)',
+				'inner'      => WP_HTML_Template::from( '<img src="https://example.com/avatar.jpg" alt="John Doe" />' ),
 			),
+			<<<'HTML'
+			<a href="https://example.com/author/johndoe/" target="_blank" aria-label="(John Doe author archive, opens in a new tab)" class="wp-block-avatar__link"><img src="https://example.com/avatar.jpg" alt="John Doe" /></a>
+			HTML,
 		);
 	}
 }

From 07a42d5d1bbaba72a0887573441f9f178ebf9b9d Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Mon, 2 Feb 2026 17:58:42 +0100
Subject: [PATCH 05/66] lints

---
 .../phpunit/tests/html-api/wpHtmlTemplate.php | 30 +++++++++----------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTemplate.php b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
index 91eb966bf2512..67fb2dc3ba419 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTemplate.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
@@ -17,7 +17,7 @@
 
 class Tests_HtmlApi_WpHtmlTemplate extends WP_UnitTestCase {
 	public function test_1() {
-		$t = T::from( '<p>Hello, </%name>!</p>' );
+		$t      = T::from( '<p>Hello, </%name>!</p>' );
 		$result = $t->render( array( 'name' => 'World' ) );
 		$this->assertSame( $result, T::sprintf( '<p>Hello, </%name>!</p>', array( 'name' => 'World' ) ) );
 
@@ -30,9 +30,9 @@ public function test_1() {
 
 	public function test_2() {
 		$template_string = '<p>Hello, </%placeholder>!</p>';
-		$replacements = array( 'placeholder' => 'Alice & Bob' );
+		$replacements    = array( 'placeholder' => 'Alice & Bob' );
 
-		$t = T::from( $template_string );
+		$t      = T::from( $template_string );
 		$result = $t->render( $replacements );
 		$this->assertSame( $result, T::sprintf( $template_string, $replacements ) );
 
@@ -45,9 +45,9 @@ public function test_2() {
 
 	public function test_3() {
 		$template_string = '<p>Hello, </%1>, </%1>, </%2>, & </%2>!</p>';
-		$replacements = array( 'Alice', 'Bob' );
+		$replacements    = array( 'Alice', 'Bob' );
 
-		$t = T::from( $template_string );
+		$t      = T::from( $template_string );
 		$result = $t->render( $replacements );
 		$this->assertSame( $result, T::sprintf( $template_string, $replacements ) );
 
@@ -60,9 +60,9 @@ public function test_3() {
 
 	public function test_4() {
 		$template_string = '<p>Hello, </%html>';
-		$replacements = array( 'html' => T::from( '<i>Alice</i> & <i>Bob</i>' ) );
+		$replacements    = array( 'html' => T::from( '<i>Alice</i> & <i>Bob</i>' ) );
 
-		$t = T::from( $template_string );
+		$t      = T::from( $template_string );
 		$result = $t->render( $replacements );
 		$this->assertSame( $result, T::sprintf( $template_string, $replacements ) );
 
@@ -75,12 +75,12 @@ public function test_4() {
 
 	public function test_attr() {
 		$template_string = '<meta name="</%n>" content="</%c>">';
-		$replacements = array(
+		$replacements    = array(
 			'n' => 'the name',
 			'c' => 'the "content" & whatever else',
 		);
 
-		$t = T::from( $template_string );
+		$t      = T::from( $template_string );
 		$result = $t->render( $replacements );
 		$this->assertSame( $result, T::sprintf( $template_string, $replacements ) );
 
@@ -96,8 +96,8 @@ public function test_attr() {
 	 */
 	public function test_attr_rejects_html() {
 		$template_string = '<meta name="not-allowed" description="</%html>">';
-		$replacements = array(
-			'html' => T::from( '<strong>This is not allowed!</strong>') ,
+		$replacements    = array(
+			'html' => T::from( '<strong>This is not allowed!</strong>' ),
 		);
 		$this->assertFalse( T::sprintf( $template_string, $replacements ) );
 	}
@@ -116,13 +116,13 @@ public function xtest_template( string $template_string, array $replacements, st
 
 	public static function data_template() {
 		return array(
-			'Basic template' => array(
+			'Basic template'                  => array(
 				'<p>Hi!</p>',
 				array(),
 				'<p>Hi!</p>',
 			),
 
-			'HTML text replacement (basic)' => array(
+			'HTML text replacement (basic)'   => array(
 				'<p>Hello, </%name>!</p>',
 				array( 'name' => 'World!' ),
 				'<p>Hello, World!</p>',
@@ -134,10 +134,10 @@ public static function data_template() {
 				'<p>Hello, &lt;little-bobby-tags&gt;</p>',
 			),
 
-			'HTML replacement with template' => array(
+			'HTML replacement with template'  => array(
 				'<p>Hello, </%name>!</p>',
 				array(
-					'name' => WP_HTML_Template::from( '<i>World</i>' )
+					'name' => WP_HTML_Template::from( '<i>World</i>' ),
 				),
 				'<p>Hello, <i>World</i>!</p>',
 			),

From 336524f8b69c4598873364d5eb3180d67416423d Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Mon, 2 Feb 2026 18:50:50 +0100
Subject: [PATCH 06/66] test tweaks

---
 .../phpunit/tests/html-api/wpHtmlTemplate.php | 20 ++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTemplate.php b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
index 67fb2dc3ba419..93454db93ae1c 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTemplate.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
@@ -86,7 +86,25 @@ public function test_attr() {
 
 		$expected =
 			<<<'HTML'
-			<meta name="name" content="the &quot;content&quot; &amp; whatever else">
+			<meta name="the name" content="the &quot;content&quot; &amp; whatever else">
+			HTML;
+		$this->assertEqualHTML( $expected, $result );
+	}
+
+	public function test_attribute_with_spaces() {
+		$template_string = "<meta name='</%\tn\n>' content='</% c\r\f>'>";
+		$replacements    = array(
+			'n' => 'the name',
+			'c' => 'the "content" & whatever else',
+		);
+
+		$t      = T::from( $template_string );
+		$result = $t->render( $replacements );
+		$this->assertSame( $result, T::sprintf( $template_string, $replacements ) );
+
+		$expected =
+			<<<'HTML'
+			<meta name="the name" content="the &quot;content&quot; &amp; whatever else">
 			HTML;
 		$this->assertEqualHTML( $expected, $result );
 	}

From c1a90502a925194a998bafdb5e0e735f4bea0b64 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Tue, 3 Feb 2026 16:10:15 +0100
Subject: [PATCH 07/66] Fix numeric array indexes

---
 tests/phpunit/tests/html-api/wpHtmlTemplate.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTemplate.php b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
index 93454db93ae1c..27855dec0dc48 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTemplate.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
@@ -44,7 +44,7 @@ public function test_2() {
 	}
 
 	public function test_3() {
-		$template_string = '<p>Hello, </%1>, </%1>, </%2>, & </%2>!</p>';
+		$template_string = '<p>Hello, </%0>, </% 0 >, </%1>, & </%1>!</p>';
 		$replacements    = array( 'Alice', 'Bob' );
 
 		$t      = T::from( $template_string );

From 978d83594397630aa7dbdb60011200be2e6c390a Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Tue, 3 Feb 2026 16:12:06 +0100
Subject: [PATCH 08/66] Add test for HTML that could produce a tag after
 modification

---
 tests/phpunit/tests/html-api/wpHtmlTemplate.php | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTemplate.php b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
index 27855dec0dc48..74e9e80226eae 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTemplate.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
@@ -73,6 +73,16 @@ public function test_4() {
 		$this->assertEqualHTML( $expected, $result );
 	}
 
+	public function test_prevent_sneaky_tag_in_html() {
+		$template_string = 'a<</%tag-name>>s';
+		$replacements    = array( 'tag-name' => 'i' );
+		$t      = T::from( $template_string );
+		$result = $t->render( $replacements );
+
+		$expected = 'a&lt;i&gt;s';
+		$this->assertEqualHTML( $expected, $result );
+	}
+
 	public function test_attr() {
 		$template_string = '<meta name="</%n>" content="</%c>">';
 		$replacements    = array(

From 81f731e7ea241c1367ef07b8e7db08dc0694286a Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Tue, 3 Feb 2026 16:15:57 +0100
Subject: [PATCH 09/66] Add test to prevent attribute mis-interpretation after
 replacement

---
 tests/phpunit/tests/html-api/wpHtmlTemplate.php | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTemplate.php b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
index 74e9e80226eae..f93c8062427b7 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTemplate.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
@@ -119,6 +119,20 @@ public function test_attribute_with_spaces() {
 		$this->assertEqualHTML( $expected, $result );
 	}
 
+	public function test_attr_no_produce_character_reference() {
+		$template_string = '<meta name="&</% placeholder >;">';
+		$replacements    = array( 'placeholder' => 'not' );
+		$t      = T::from( $template_string );
+		$result = $t->render( $replacements );
+		$this->assertSame( $result, T::sprintf( $template_string, $replacements ) );
+
+		$expected =
+			<<<'HTML'
+			<meta name="&amp;not;">
+			HTML;
+		$this->assertEqualHTML( $expected, $result );
+	}
+
 	/**
 	 * @expectedIncorrectUsage WP_HTML_Template::render
 	 */

From cdedfb790cb59c3dc3711160b33c431e6e32f639 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Tue, 3 Feb 2026 16:17:31 +0100
Subject: [PATCH 10/66] Move serialize_token to tag processor class (for
 normalization of text nodes)

---
 .../html-api/class-wp-html-processor.php      | 126 -----------------
 .../html-api/class-wp-html-tag-processor.php  | 127 ++++++++++++++++++
 2 files changed, 127 insertions(+), 126 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-processor.php b/src/wp-includes/html-api/class-wp-html-processor.php
index 55f955f2c1a9a..d363e8d27484e 100644
--- a/src/wp-includes/html-api/class-wp-html-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-processor.php
@@ -1311,132 +1311,6 @@ public function serialize(): ?string {
 		return $html;
 	}
 
-	/**
-	 * Serializes the currently-matched token.
-	 *
-	 * This method produces a fully-normative HTML string for the currently-matched token,
-	 * if able. If not matched at any token or if the token doesn't correspond to any HTML
-	 * it will return an empty string (for example, presumptuous end tags are ignored).
-	 *
-	 * @see static::serialize()
-	 *
-	 * @since 6.7.0
-	 * @since 6.9.0 Converted from protected to public method.
-	 *
-	 * @return string Serialization of token, or empty string if no serialization exists.
-	 */
-	public function serialize_token(): string {
-		$html       = '';
-		$token_type = $this->get_token_type();
-
-		switch ( $token_type ) {
-			case '#doctype':
-				$doctype = $this->get_doctype_info();
-				if ( null === $doctype ) {
-					break;
-				}
-
-				$html .= '<!DOCTYPE';
-
-				if ( $doctype->name ) {
-					$html .= " {$doctype->name}";
-				}
-
-				if ( null !== $doctype->public_identifier ) {
-					$quote = str_contains( $doctype->public_identifier, '"' ) ? "'" : '"';
-					$html .= " PUBLIC {$quote}{$doctype->public_identifier}{$quote}";
-				}
-				if ( null !== $doctype->system_identifier ) {
-					if ( null === $doctype->public_identifier ) {
-						$html .= ' SYSTEM';
-					}
-					$quote = str_contains( $doctype->system_identifier, '"' ) ? "'" : '"';
-					$html .= " {$quote}{$doctype->system_identifier}{$quote}";
-				}
-
-				$html .= '>';
-				break;
-
-			case '#text':
-				$html .= htmlspecialchars( $this->get_modifiable_text(), ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8' );
-				break;
-
-			// Unlike the `<>` which is interpreted as plaintext, this is ignored entirely.
-			case '#presumptuous-tag':
-				break;
-
-			case '#funky-comment':
-			case '#comment':
-				$html .= "<!--{$this->get_full_comment_text()}-->";
-				break;
-
-			case '#cdata-section':
-				$html .= "<![CDATA[{$this->get_modifiable_text()}]]>";
-				break;
-		}
-
-		if ( '#tag' !== $token_type ) {
-			return $html;
-		}
-
-		$tag_name       = str_replace( "\x00", "\u{FFFD}", $this->get_tag() );
-		$in_html        = 'html' === $this->get_namespace();
-		$qualified_name = $in_html ? strtolower( $tag_name ) : $this->get_qualified_tag_name();
-
-		if ( $this->is_tag_closer() ) {
-			$html .= "</{$qualified_name}>";
-			return $html;
-		}
-
-		$attribute_names = $this->get_attribute_names_with_prefix( '' );
-		if ( ! isset( $attribute_names ) ) {
-			$html .= "<{$qualified_name}>";
-			return $html;
-		}
-
-		$html .= "<{$qualified_name}";
-		foreach ( $attribute_names as $attribute_name ) {
-			$html .= " {$this->get_qualified_attribute_name( $attribute_name )}";
-			$value = $this->get_attribute( $attribute_name );
-
-			if ( is_string( $value ) ) {
-				$html .= '="' . htmlspecialchars( $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5 ) . '"';
-			}
-
-			$html = str_replace( "\x00", "\u{FFFD}", $html );
-		}
-
-		if ( ! $in_html && $this->has_self_closing_flag() ) {
-			$html .= ' /';
-		}
-
-		$html .= '>';
-
-		// Flush out self-contained elements.
-		if ( $in_html && in_array( $tag_name, array( 'IFRAME', 'NOEMBED', 'NOFRAMES', 'SCRIPT', 'STYLE', 'TEXTAREA', 'TITLE', 'XMP' ), true ) ) {
-			$text = $this->get_modifiable_text();
-
-			switch ( $tag_name ) {
-				case 'IFRAME':
-				case 'NOEMBED':
-				case 'NOFRAMES':
-					$text = '';
-					break;
-
-				case 'SCRIPT':
-				case 'STYLE':
-					break;
-
-				default:
-					$text = htmlspecialchars( $text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8' );
-			}
-
-			$html .= "{$text}</{$qualified_name}>";
-		}
-
-		return $html;
-	}
-
 	/**
 	 * Parses next element in the 'initial' insertion mode.
 	 *
diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
index 69e3e5d2c7557..7c7d986ac1d5c 100644
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -4766,6 +4766,133 @@ public function get_doctype_info(): ?WP_HTML_Doctype_Info {
 		return WP_HTML_Doctype_Info::from_doctype_token( substr( $this->html, $this->token_starts_at, $this->token_length ) );
 	}
 
+	/**
+	 * Serializes the currently-matched token.
+	 *
+	 * This method produces a fully-normative HTML string for the currently-matched token,
+	 * if able. If not matched at any token or if the token doesn't correspond to any HTML
+	 * it will return an empty string (for example, presumptuous end tags are ignored).
+	 *
+	 * @see static::serialize()
+	 *
+	 * @since 6.7.0
+	 * @since 6.9.0 Converted from protected to public method.
+	 *
+	 * @return string Serialization of token, or empty string if no serialization exists.
+	 */
+	public function serialize_token(): string {
+		$html       = '';
+		$token_type = $this->get_token_type();
+
+		switch ( $token_type ) {
+			case '#doctype':
+				$doctype = $this->get_doctype_info();
+				if ( null === $doctype ) {
+					break;
+				}
+
+				$html .= '<!DOCTYPE';
+
+				if ( $doctype->name ) {
+					$html .= " {$doctype->name}";
+				}
+
+				if ( null !== $doctype->public_identifier ) {
+					$quote = str_contains( $doctype->public_identifier, '"' ) ? "'" : '"';
+					$html .= " PUBLIC {$quote}{$doctype->public_identifier}{$quote}";
+				}
+				if ( null !== $doctype->system_identifier ) {
+					if ( null === $doctype->public_identifier ) {
+						$html .= ' SYSTEM';
+					}
+					$quote = str_contains( $doctype->system_identifier, '"' ) ? "'" : '"';
+					$html .= " {$quote}{$doctype->system_identifier}{$quote}";
+				}
+
+				$html .= '>';
+				break;
+
+			case '#text':
+				$html .= htmlspecialchars( $this->get_modifiable_text(), ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8' );
+				break;
+
+			// Unlike the `<>` which is interpreted as plaintext, this is ignored entirely.
+			case '#presumptuous-tag':
+				break;
+
+			case '#funky-comment':
+			case '#comment':
+				$html .= "<!--{$this->get_full_comment_text()}-->";
+				break;
+
+			case '#cdata-section':
+				$html .= "<![CDATA[{$this->get_modifiable_text()}]]>";
+				break;
+		}
+
+		if ( '#tag' !== $token_type ) {
+			return $html;
+		}
+
+		$tag_name       = str_replace( "\x00", "\u{FFFD}", $this->get_tag() );
+		$in_html        = 'html' === $this->get_namespace();
+		$qualified_name = $in_html ? strtolower( $tag_name ) : $this->get_qualified_tag_name();
+
+		if ( $this->is_tag_closer() ) {
+			$html .= "</{$qualified_name}>";
+			return $html;
+		}
+
+		$attribute_names = $this->get_attribute_names_with_prefix( '' );
+		if ( ! isset( $attribute_names ) ) {
+			$html .= "<{$qualified_name}>";
+			return $html;
+		}
+
+		$html .= "<{$qualified_name}";
+		foreach ( $attribute_names as $attribute_name ) {
+			$html .= " {$this->get_qualified_attribute_name( $attribute_name )}";
+			$value = $this->get_attribute( $attribute_name );
+
+			if ( is_string( $value ) ) {
+				$html .= '="' . htmlspecialchars( $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5 ) . '"';
+			}
+
+			$html = str_replace( "\x00", "\u{FFFD}", $html );
+		}
+
+		if ( ! $in_html && $this->has_self_closing_flag() ) {
+			$html .= ' /';
+		}
+
+		$html .= '>';
+
+		// Flush out self-contained elements.
+		if ( $in_html && in_array( $tag_name, array( 'IFRAME', 'NOEMBED', 'NOFRAMES', 'SCRIPT', 'STYLE', 'TEXTAREA', 'TITLE', 'XMP' ), true ) ) {
+			$text = $this->get_modifiable_text();
+
+			switch ( $tag_name ) {
+				case 'IFRAME':
+				case 'NOEMBED':
+				case 'NOFRAMES':
+					$text = '';
+					break;
+
+				case 'SCRIPT':
+				case 'STYLE':
+					break;
+
+				default:
+					$text = htmlspecialchars( $text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8' );
+			}
+
+			$html .= "{$text}</{$qualified_name}>";
+		}
+
+		return $html;
+	}
+
+
 	/**
 	 * Parser Ready State.
 	 *

From e8f420c1c6d99a9ae7ed9a2a423763b488065caa Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Tue, 3 Feb 2026 17:50:42 +0100
Subject: [PATCH 11/66] Add attribute behavior testing

---
 .../phpunit/tests/html-api/wpHtmlTemplate.php | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTemplate.php b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
index f93c8062427b7..75e853e95b9ff 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTemplate.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
@@ -83,6 +83,36 @@ public function test_prevent_sneaky_tag_in_html() {
 		$this->assertEqualHTML( $expected, $result );
 	}
 
+	public function test_attr_repeat() {
+		$template_string = '<meta a="</%replace></%replace-2>" a="</% no-replace >">';
+		$replacements    = array(
+			'replace' => 'O',
+			'replace-2' => 'K',
+			'no-replace' => 'FAIL',
+		);
+
+		$t      = T::from( $template_string );
+		$result = $t->render( $replacements );
+		$this->assertSame( $result, T::sprintf( $template_string, $replacements ) );
+
+		$expected = '<meta a="OK">';
+		$this->assertEqualHTML( $expected, $result );
+	}
+
+	public function test_attr_no_recursive_replacement() {
+		$template_string = '<meta a="</%replace>">';
+		$replacements    = array(
+			'replace' => '<%/replace>',
+		);
+
+		$t      = T::from( $template_string );
+		$result = $t->render( $replacements );
+		$this->assertSame( $result, T::sprintf( $template_string, $replacements ) );
+
+		$expected = '<meta a="&lt;%/replace&gt;">';
+		$this->assertEqualHTML( $expected, $result );
+	}
+
 	public function test_attr() {
 		$template_string = '<meta name="</%n>" content="</%c>">';
 		$replacements    = array(

From 75cf45802cff58e8bfa306deaa2a92c7b6274e85 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Tue, 3 Feb 2026 18:14:54 +0100
Subject: [PATCH 12/66] working proof-of-concept

---
 .../html-api/class-wp-html-tag-processor.php  |   2 +-
 .../html-api/class-wp-html-template.php       | 246 ++++++++++++++++--
 .../phpunit/tests/html-api/wpHtmlTemplate.php |  16 +-
 3 files changed, 243 insertions(+), 21 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
index 7c7d986ac1d5c..4a675acdf8d3f 100644
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -708,7 +708,7 @@ class WP_HTML_Tag_Processor {
 	 * @since 6.2.0
 	 * @var WP_HTML_Attribute_Token[]
 	 */
-	private $attributes = array();
+	protected $attributes = array();
 
 	/**
 	 * Tracks spans of duplicate attributes on a given tag, used for removing
diff --git a/src/wp-includes/html-api/class-wp-html-template.php b/src/wp-includes/html-api/class-wp-html-template.php
index 5cd17a19d4a20..4c286d2b7244c 100644
--- a/src/wp-includes/html-api/class-wp-html-template.php
+++ b/src/wp-includes/html-api/class-wp-html-template.php
@@ -7,7 +7,7 @@
  * @since 7.0.0
  */
 
-class WP_HTML_Template {
+class WP_HTML_Template extends WP_HTML_Tag_Processor {
 	/**
 	 * The template string.
 	 *
@@ -17,22 +17,31 @@ class WP_HTML_Template {
 	 */
 	private string $template_string;
 
-	private function __construct( string $template_string ) {
+	private array $replacements = array();
+
+	private function __construct( string $template_string, array $replacements ) {
 		$this->template_string = $template_string;
+		$this->replacements = $replacements;
 	}
 
 	/**
-	 * @todo remove type hint from argument.
-	 * @todo obviously bad name…
+	 * Render a template string with the given replacements.
+	 *
+	 * @since 7.0.0
+	 *
+	 * @param string $template_string The template string with placeholders.
+	 * @param array  $replacements    The replacement values.
+	 * @return string|false The rendered HTML, or false on error.
 	 */
-	public static function sprintf( string $template_string, array $replacements = array() ): string {
-		return self::from( $template_string )->render( $replacements );
+	public static function sprintf( string $template_string, array $replacements = array() ) {
+		return self::from( $template_string, $replacements  )->render();
 	}
 
 	/**
-	 * @todo remove type hint from argument.
+	 * @param string $template_string The template string with placeholders.
+	 * @param array  $replacements    The replacement values.
 	 */
-	public static function from( string $template_string ): static {
+	public static function from( string $template_string, array $replacements = array() ): static {
 		if ( ! is_string( $template_string ) ) {
 			_doing_it_wrong(
 				__METHOD__,
@@ -41,23 +50,230 @@ public static function from( string $template_string ): static {
 			);
 			$template_string = '';
 		}
-
-		return new static( $template_string );
+		return new static( $template_string, $replacements );
 	}
 
 	/**
-	 * @todo remove type hint from argument.
+	 * Render the template with the given replacements.
+	 *
+	 * @since 7.0.0
+	 *
+	 * @param array $replacements Optional. The replacement values. They may be provided at template creation time.
+	 * @return string|false The rendered HTML, or false on error.
 	 */
-	public function render( array $replacements ): string {
-		if ( ! is_array( $replacements ) ) {
+	public function render( ?array $replacements = null ) {
+		if ( \is_array( $replacements ) ) {
+			$this->replacements = $replacements;
+		} elseif ( null !== $replacements ) {
 			_doing_it_wrong(
 				__METHOD__,
 				__( 'The replacements must be an array.' ),
 				'7.0.0'
 			);
-			$replacements = array();
 		}
 
-		return WP_HTML_Processor::normalize( $this->template_string );
+		if ( empty( $this->replacements ) ) {
+			return WP_HTML_Processor::normalize( $this->template_string ) ?? $this->template_string;
+		}
+
+
+		$processor      = new WP_HTML_Tag_Processor( $this->template_string );
+		$error_occurred = false;
+
+		while ( $processor->next_token() ) {
+			switch ( $processor->get_token_type() ) {
+				/*
+				 * It's important that #text be normalized to prevent something like
+				 * `i<</%tag-name>u` from becoming `i<a>u` after replacement and altering HTML.
+				 */
+				case '#text':
+					$processor->set_bookmark( 'text' );
+					$mark = $processor->bookmarks['text'] ?? null;
+					assert( null !== $mark );
+					$normalized = $processor->serialize_token();
+					if ( 0 !== substr_compare( $processor->html, $normalized, $mark->start, min( $mark->length, strlen( $normalized ) ) ) ) {
+						$processor->lexical_updates[] = new WP_HTML_Text_Replacement(
+							$mark->start,
+							$mark->length,
+							$normalized
+						);
+					}
+					break;
+
+				case '#funky-comment':
+					// Does it look like a placeholder?
+					$processor->set_bookmark( 'placeholder' );
+					$mark = $processor->bookmarks['placeholder'] ?? null;
+					assert( null !== $mark );
+					// A funky comment looks at least like </%…>
+					$start  = $mark->start;
+					$length = $mark->length;
+					// This is not the funky comment we're looking for.
+					if ( $length < 5 || ! $processor->html[ $start + 2 ] === '%' ) {
+						break;
+					}
+					$placeholder = trim( \substr( $processor->html, $start + 3, $length - 4 ), " \t\n\r\f" );
+					// var_dump( substr( $processor->html, $start, $length ), $start, $length, $placeholder );
+
+					// Valid placeholders match `/a-z0-9_-/i`.
+					if ( \strlen( $placeholder ) !== \strspn( $placeholder, 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-') ) {
+						break;
+					}
+
+					$replacement = $this->get_replacement( $placeholder );
+					if ( is_string( $replacement ) ) {
+						$processor->lexical_updates[] = new WP_HTML_Text_Replacement(
+							$start,
+							$length,
+							strtr(
+								$replacement,
+								array(
+									'<' => '&lt;',
+									'>' => '&gt;',
+									"'" => '&apos;',
+									'"' => '&quot;',
+									'&' => '&amp;',
+								)
+							)
+						);
+					}
+					if ( $replacement instanceof WP_HTML_Template ) {
+						$processor->lexical_updates[] = new WP_HTML_Text_Replacement(
+							$start,
+							$length,
+							$replacement->render()
+						);
+					}
+					break;
+
+				case '#tag':
+					if ( $processor->is_tag_closer() ) {
+						break;
+					}
+
+					foreach ( $processor->attributes as $attribute ) {
+						// Boolean attributes cannot contain placeholders.
+						if ( $attribute->is_true ) {
+							continue;
+						}
+						// At least `</%x>` to contain a placeholder.
+						if ( $attribute->value_length < 5 ) {
+							continue;
+						}
+
+						$last_offset = $attribute->value_starts_at;
+						$offset = $attribute->value_starts_at;
+						$end = $offset + $attribute->value_length;
+						/**
+						 * @todo preg_match does not accept length, so this will happily search
+						 * beyond the attribute value.
+						 */
+						while(
+							1 === preg_match(
+								'#</%[ \\t\\r\\f\\n]*([a-z0-9_-]+)[ \\t\\r\\f\\n]*>#i',
+								$processor->html,
+								$matches,
+								PREG_OFFSET_CAPTURE,
+								$offset
+							)
+							&& $matches[0][1] < $end
+						) {
+							$replacement = $this->get_replacement( $matches[1][0] );
+							if ( is_string( $replacement ) ) {
+								$match_at     = $matches[0][1];
+								$match_length = strlen( $matches[0][0] );
+
+								// Capture and clean the preceding attribute text.
+								$processor->lexical_updates[] = new WP_HTML_Text_Replacement(
+									$last_offset,
+									$match_at - $last_offset,
+									strtr(
+										substr( $processor->html, $last_offset, $match_at - $last_offset ),
+										array(
+											'<' => '&lt;',
+											'>' => '&gt;',
+											"'" => '&apos;',
+											'"' => '&quot;',
+											'&' => '&amp;',
+										)
+									)
+								);
+
+								$processor->lexical_updates[] = new WP_HTML_Text_Replacement(
+									$match_at,
+									strlen( $matches[0][0] ),
+									strtr(
+										$replacement,
+										array(
+											'<' => '&lt;',
+											'>' => '&gt;',
+											"'" => '&apos;',
+											'"' => '&quot;',
+											'&' => '&amp;',
+										)
+									)
+								);
+								$last_offset = $match_at + $match_length;
+							} elseif ( $replacement instanceof self ) {
+								_doing_it_wrong(
+									__METHOD__,
+									// @todo improve this message, include the placeholder in the string.
+									__( 'Attribute values cannot contain HTML. Use a plain string.' ),
+									'7.0.0'
+								);
+								return false;
+							}
+
+							$offset = $matches[0][1] + strlen( $matches[0][0] );
+						}
+					}
+			}
+		}
+
+		$html = $processor->get_updated_html();
+
+		return WP_HTML_Processor::normalize( $html ) ?? $html;
+	}
+
+	private function preg_attribute_replace_callback( $matches ) {
+		$key = $matches[1];
+
+		$replacement = $this->get_replacement( $key );
+
+		// Keep placeholder if no replacement found.
+		if ( null === $replacement ) {
+			return $matches[0];
+		}
+
+		// HTML cannot be embedded in attribute values.
+		if ( $replacement instanceof self ) {
+			_doing_it_wrong(
+				__METHOD__,
+				// @todo improve this message, include the placeholder in the string.
+				__( 'Attribute values cannot contain HTML. Use a plain string.' ),
+				'7.0.0'
+			);
+			return '';
+		}
+
+		return $replacement;
+	}
+
+	/**
+	 * Get the replacement value for a placeholder key.
+	 *
+	 * Handles both named keys (like 'name') and numeric keys (like 0).
+	 *
+	 * @since 7.0.0
+	 *
+	 * @param string $key          The placeholder key.
+	 * @return mixed|null The replacement value, or null if not found.
+	 */
+	private function get_replacement( string $key ): self|string|null {
+		$replacement = $this->replacements[ $key ] ?? null;
+		if ( \is_string( $replacement ) || ( $replacement instanceof WP_HTML_Template ) ) {
+			return $replacement;
+		}
+		return null;
 	}
 }
diff --git a/tests/phpunit/tests/html-api/wpHtmlTemplate.php b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
index 75e853e95b9ff..9ec70f5703d0a 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTemplate.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
@@ -272,16 +272,22 @@ public static function data_real_world_examples() {
 
 		// Same pattern with escaping needed
 		yield 'blocks/post-title.php:41 - post title link with special chars' => array(
-			'<a href="</%url>" target="</%target>"></%title></a>',
+			"<a href='</%url>' target='</%target>'>\n</%title>\n</a>",
 			array(
 				'url'    => 'https://example.com/hello-world/?foo=1&bar=2',
 				'target' => '_blank',
-				'title'  => <<<'TEXT'
-				Hello <World> & "Friends"
-				TEXT,
+				'title'  => WP_HTML_Template::from(
+					'\'<i></%italic></i>\' & <b>"</%bold>"</b>',
+					array(
+						'italic' => 'This',
+						'bold'   => 'That',
+					)
+				),
 			),
 			<<<'HTML'
-			<a href="https://example.com/hello-world/?foo=1&amp;bar=2" target="_blank">Hello &lt;World&gt; &amp; "Friends"</a>
+			<a href="https://example.com/hello-world/?foo=1&amp;bar=2" target="_blank">
+			&apos;<i>This</i>' &amp; <b>&quot;That"</b>
+			</a>
 			HTML,
 		);
 

From bf7f0383944991ee4f6f061087dbcd1161c269ab Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Wed, 4 Feb 2026 13:16:56 +0100
Subject: [PATCH 13/66] class cleanup and lints

---
 .../html-api/class-wp-html-template.php        | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-template.php b/src/wp-includes/html-api/class-wp-html-template.php
index 4c286d2b7244c..d2d5f701b868d 100644
--- a/src/wp-includes/html-api/class-wp-html-template.php
+++ b/src/wp-includes/html-api/class-wp-html-template.php
@@ -21,7 +21,7 @@ class WP_HTML_Template extends WP_HTML_Tag_Processor {
 
 	private function __construct( string $template_string, array $replacements ) {
 		$this->template_string = $template_string;
-		$this->replacements = $replacements;
+		$this->replacements    = $replacements;
 	}
 
 	/**
@@ -34,7 +34,7 @@ private function __construct( string $template_string, array $replacements ) {
 	 * @return string|false The rendered HTML, or false on error.
 	 */
 	public static function sprintf( string $template_string, array $replacements = array() ) {
-		return self::from( $template_string, $replacements  )->render();
+		return self::from( $template_string, $replacements )->render();
 	}
 
 	/**
@@ -76,7 +76,6 @@ public function render( ?array $replacements = null ) {
 			return WP_HTML_Processor::normalize( $this->template_string ) ?? $this->template_string;
 		}
 
-
 		$processor      = new WP_HTML_Tag_Processor( $this->template_string );
 		$error_occurred = false;
 
@@ -113,15 +112,14 @@ public function render( ?array $replacements = null ) {
 						break;
 					}
 					$placeholder = trim( \substr( $processor->html, $start + 3, $length - 4 ), " \t\n\r\f" );
-					// var_dump( substr( $processor->html, $start, $length ), $start, $length, $placeholder );
 
 					// Valid placeholders match `/a-z0-9_-/i`.
-					if ( \strlen( $placeholder ) !== \strspn( $placeholder, 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-') ) {
+					if ( \strlen( $placeholder ) !== \strspn( $placeholder, 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-' ) ) {
 						break;
 					}
 
 					$replacement = $this->get_replacement( $placeholder );
-					if ( is_string( $replacement ) ) {
+					if ( \is_string( $replacement ) ) {
 						$processor->lexical_updates[] = new WP_HTML_Text_Replacement(
 							$start,
 							$length,
@@ -162,13 +160,13 @@ public function render( ?array $replacements = null ) {
 						}
 
 						$last_offset = $attribute->value_starts_at;
-						$offset = $attribute->value_starts_at;
-						$end = $offset + $attribute->value_length;
+						$offset      = $attribute->value_starts_at;
+						$end         = $offset + $attribute->value_length;
 						/**
 						 * @todo preg_match does not accept length, so this will happily search
 						 * beyond the attribute value.
 						 */
-						while(
+						while (
 							1 === preg_match(
 								'#</%[ \\t\\r\\f\\n]*([a-z0-9_-]+)[ \\t\\r\\f\\n]*>#i',
 								$processor->html,
@@ -213,7 +211,7 @@ public function render( ?array $replacements = null ) {
 										)
 									)
 								);
-								$last_offset = $match_at + $match_length;
+								$last_offset                  = $match_at + $match_length;
 							} elseif ( $replacement instanceof self ) {
 								_doing_it_wrong(
 									__METHOD__,

From df9deabcdf31ece616ecdeca870e0fb460e1fe0e Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Wed, 4 Feb 2026 13:17:14 +0100
Subject: [PATCH 14/66] Add message on disallowed type

---
 .../html-api/class-wp-html-template.php            | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-template.php b/src/wp-includes/html-api/class-wp-html-template.php
index d2d5f701b868d..08ce503043b4f 100644
--- a/src/wp-includes/html-api/class-wp-html-template.php
+++ b/src/wp-includes/html-api/class-wp-html-template.php
@@ -134,8 +134,7 @@ public function render( ?array $replacements = null ) {
 								)
 							)
 						);
-					}
-					if ( $replacement instanceof WP_HTML_Template ) {
+					} elseif ( $replacement instanceof WP_HTML_Template ) {
 						$processor->lexical_updates[] = new WP_HTML_Text_Replacement(
 							$start,
 							$length,
@@ -272,6 +271,17 @@ private function get_replacement( string $key ): self|string|null {
 		if ( \is_string( $replacement ) || ( $replacement instanceof WP_HTML_Template ) ) {
 			return $replacement;
 		}
+
+		_doing_it_wrong(
+			__METHOD__,
+			sprintf(
+				__( 'Invalid replacement for %1$s of type `%2$s`. Must be a string or template.' ),
+				esc_html( $key ),
+				esc_html( gettype( $replacement ) )
+			),
+			'7.0.0'
+		);
+
 		return null;
 	}
 }

From 5a9cb43a0d19993005da00d4652f2ef436b968ea Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Wed, 4 Feb 2026 13:24:41 +0100
Subject: [PATCH 15/66] Cleanup test + lints

---
 tests/phpunit/tests/html-api/wpHtmlTemplate.php | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTemplate.php b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
index 9ec70f5703d0a..a1bc49b1732df 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTemplate.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
@@ -73,11 +73,12 @@ public function test_4() {
 		$this->assertEqualHTML( $expected, $result );
 	}
 
+
 	public function test_prevent_sneaky_tag_in_html() {
 		$template_string = 'a<</%tag-name>>s';
 		$replacements    = array( 'tag-name' => 'i' );
-		$t      = T::from( $template_string );
-		$result = $t->render( $replacements );
+		$t               = T::from( $template_string );
+		$result          = $t->render( $replacements );
 
 		$expected = 'a&lt;i&gt;s';
 		$this->assertEqualHTML( $expected, $result );
@@ -86,8 +87,8 @@ public function test_prevent_sneaky_tag_in_html() {
 	public function test_attr_repeat() {
 		$template_string = '<meta a="</%replace></%replace-2>" a="</% no-replace >">';
 		$replacements    = array(
-			'replace' => 'O',
-			'replace-2' => 'K',
+			'replace'    => 'O',
+			'replace-2'  => 'K',
 			'no-replace' => 'FAIL',
 		);
 
@@ -152,8 +153,8 @@ public function test_attribute_with_spaces() {
 	public function test_attr_no_produce_character_reference() {
 		$template_string = '<meta name="&</% placeholder >;">';
 		$replacements    = array( 'placeholder' => 'not' );
-		$t      = T::from( $template_string );
-		$result = $t->render( $replacements );
+		$t               = T::from( $template_string );
+		$result          = $t->render( $replacements );
 		$this->assertSame( $result, T::sprintf( $template_string, $replacements ) );
 
 		$expected =

From f30d721255883e5a70e63795610bb206773bec34 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Wed, 4 Feb 2026 13:24:56 +0100
Subject: [PATCH 16/66] Add multiple template tests

---
 .../phpunit/tests/html-api/wpHtmlTemplate.php | 99 +++++++++++++++++++
 1 file changed, 99 insertions(+)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTemplate.php b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
index a1bc49b1732df..6e4d2a9430552 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTemplate.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
@@ -486,4 +486,103 @@ public static function data_real_world_examples() {
 			HTML,
 		);
 	}
+
+	public function test_multi_replace() {
+		$row_template_string = "<dt></%term></dt>\n<dd></%definition></dd>";
+
+		// @todo It should be possible to produce templates from an original.
+		$row_replacements = array();
+		for ( $i = 0; $i <= 3; $i++ ) {
+			$row_replacements[ "row-{$i}" ] = WP_HTML_Template::from(
+				$row_template_string,
+				array(
+					'term'       => "Term \"{$i}\"",
+					'definition' => WP_HTML_Template::from(
+						'<abbr title="</%expansion>">IYKYK</abbr>: </%i>',
+						array(
+							'i'         => (string) $i,
+							'expansion' => '"If You Know You Know"',
+						)
+					),
+				)
+			);
+		}
+
+		$result = WP_HTML_Template::sprintf(
+			<<<'HTML'
+			<dl>
+			</%row-1>
+			</%row-2>
+			</%row-3>
+			</dl>
+			HTML,
+			$row_replacements
+		);
+
+		$expected =
+			<<<'HTML'
+			<dl>
+			<dt>Term &quot;1&quot;</dt>
+			<dd><abbr title="&quot;If You Know You Know&quot;">IYKYK</abbr>: 1</dd>
+			<dt>Term &quot;2&quot;</dt>
+			<dd><abbr title="&quot;If You Know You Know&quot;">IYKYK</abbr>: 2</dd>
+			<dt>Term &quot;3&quot;</dt>
+			<dd><abbr title="&quot;If You Know You Know&quot;">IYKYK</abbr>: 3</dd>
+			</dl>
+			HTML;
+
+		$this->assertEqualHTML( $expected, $result );
+	}
+
+	public function test_multi_replace_table() {
+		$this->markTestSkipped( 'IN TABLE templates are not supported yet.' );
+		$header_tpl = WP_HTML_Template::from(
+			'<tr><th></% ID ><th></% name ><th></% value ><th></% link >',
+			array(
+				'ID'    => 'ID',
+				'name'  => 'Name',
+				'value' => 'Value',
+				'link'  => 'Link',
+			)
+		);
+		$row_tpl    = WP_HTML_Template::from( '<tr><td></% ID ><td></% name ><td></% value ><td></% link >' );
+
+		$row_gen = ( function () {
+			static $i = 1;
+			yield array(
+				'ID'    => $i,
+				'name'  => 'Name {$i}',
+				'value' => WP_HTML_Template::from( 'Value <b>{$i}</b>', array( 'i' => $i ) ),
+				'link'  => WP_HTML_Template::from(
+					'<a href="</%url>"></%link-name></a>',
+					array(
+						'url'       => '/example/1',
+						'link-name' => 'Click here',
+					),
+				),
+			);
+		} )();
+
+		$result = WP_HTML_Template::sprintf(
+			<<<'HTML'
+			<table>
+			<thead></%header>
+			<tbody>
+			</%row-1>
+			</%row-2>
+			</%row-3>
+			HTML,
+			array(
+				'header' => $header_tpl,
+				'row-1'  => $row_tpl->render( $row_gen->next() ),
+				'row-2'  => $row_tpl->render( $row_gen->next() ),
+				'row-3'  => $row_tpl->render( $row_gen->next() ),
+			)
+		);
+
+		$expected =
+			<<<'HTML'
+			HTML;
+		$this->assertEqualHTML( $expected, $result );
+	}
 }

From 63fa33201d65cc76c3c5f394a377c9b26cfa47cf Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Wed, 4 Feb 2026 14:05:04 +0100
Subject: [PATCH 17/66] Improve test names and specificity

---
 .../phpunit/tests/html-api/wpHtmlTemplate.php | 51 ++++++++++++++-----
 1 file changed, 37 insertions(+), 14 deletions(-)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTemplate.php b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
index 6e4d2a9430552..fbf4282194330 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTemplate.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
@@ -16,7 +16,7 @@
 use WP_HTML_Template as T;
 
 class Tests_HtmlApi_WpHtmlTemplate extends WP_UnitTestCase {
-	public function test_1() {
+	public function test_basic_text_replacement() {
 		$t      = T::from( '<p>Hello, </%name>!</p>' );
 		$result = $t->render( array( 'name' => 'World' ) );
 		$this->assertSame( $result, T::sprintf( '<p>Hello, </%name>!</p>', array( 'name' => 'World' ) ) );
@@ -28,7 +28,7 @@ public function test_1() {
 		$this->assertEqualHTML( $expected, $result );
 	}
 
-	public function test_2() {
+	public function test_escapes_special_characters() {
 		$template_string = '<p>Hello, </%placeholder>!</p>';
 		$replacements    = array( 'placeholder' => 'Alice & Bob' );
 
@@ -43,22 +43,34 @@ public function test_2() {
 		$this->assertEqualHTML( $expected, $result );
 	}
 
-	public function test_3() {
-		$template_string = '<p>Hello, </%0>, </% 0 >, </%1>, & </%1>!</p>';
+	public function test_numeric_placeholders() {
+		$template_string = '<p>Hello, </%0> and </%1>!</p>';
 		$replacements    = array( 'Alice', 'Bob' );
 
 		$t      = T::from( $template_string );
 		$result = $t->render( $replacements );
 		$this->assertSame( $result, T::sprintf( $template_string, $replacements ) );
 
-		$expected =
-			<<<'HTML'
-			<p>Hello, Alice, Alice, Bob, &amp; Bob!</p>
-			HTML;
+		$expected = '<p>Hello, Alice and Bob!</p>';
+		$this->assertEqualHTML( $expected, $result );
+	}
+
+	public function test_repeated_placeholders() {
+		$template_string = '<p></%0>, </% 0 >, </%name>, & </%name>!</p>';
+		$replacements    = array(
+			'Alice',
+			'name' => 'Bob',
+		);
+
+		$t      = T::from( $template_string );
+		$result = $t->render( $replacements );
+		$this->assertSame( $result, T::sprintf( $template_string, $replacements ) );
+
+		$expected = '<p>Alice, Alice, Bob, &amp; Bob!</p>';
 		$this->assertEqualHTML( $expected, $result );
 	}
 
-	public function test_4() {
+	public function test_nested_template_replacement() {
 		$template_string = '<p>Hello, </%html>';
 		$replacements    = array( 'html' => T::from( '<i>Alice</i> & <i>Bob</i>' ) );
 
@@ -114,10 +126,24 @@ public function test_attr_no_recursive_replacement() {
 		$this->assertEqualHTML( $expected, $result );
 	}
 
-	public function test_attr() {
+	public function test_replaces_attribute_values() {
 		$template_string = '<meta name="</%n>" content="</%c>">';
 		$replacements    = array(
 			'n' => 'the name',
+			'c' => 'the content',
+		);
+
+		$t      = T::from( $template_string );
+		$result = $t->render( $replacements );
+		$this->assertSame( $result, T::sprintf( $template_string, $replacements ) );
+
+		$expected = '<meta name="the name" content="the content">';
+		$this->assertEqualHTML( $expected, $result );
+	}
+
+	public function test_escapes_attribute_values() {
+		$template_string = '<meta content="</%c>">';
+		$replacements    = array(
 			'c' => 'the "content" & whatever else',
 		);
 
@@ -125,10 +151,7 @@ public function test_attr() {
 		$result = $t->render( $replacements );
 		$this->assertSame( $result, T::sprintf( $template_string, $replacements ) );
 
-		$expected =
-			<<<'HTML'
-			<meta name="the name" content="the &quot;content&quot; &amp; whatever else">
-			HTML;
+		$expected = '<meta content="the &quot;content&quot; &amp; whatever else">';
 		$this->assertEqualHTML( $expected, $result );
 	}
 

From a451ed4482ecd906a09498ed448c76611bbfd7d0 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Wed, 4 Feb 2026 15:35:34 +0100
Subject: [PATCH 18/66] Improve test structure and names

---
 .../phpunit/tests/html-api/wpHtmlTemplate.php | 246 +++++++++---------
 1 file changed, 128 insertions(+), 118 deletions(-)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTemplate.php b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
index fbf4282194330..ab01e33b64cce 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTemplate.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
@@ -16,77 +16,15 @@
 use WP_HTML_Template as T;
 
 class Tests_HtmlApi_WpHtmlTemplate extends WP_UnitTestCase {
-	public function test_basic_text_replacement() {
-		$t      = T::from( '<p>Hello, </%name>!</p>' );
-		$result = $t->render( array( 'name' => 'World' ) );
-		$this->assertSame( $result, T::sprintf( '<p>Hello, </%name>!</p>', array( 'name' => 'World' ) ) );
-
-		$expected =
-			<<<'HTML'
-			<p>Hello, World!</p>
-			HTML;
-		$this->assertEqualHTML( $expected, $result );
-	}
-
-	public function test_escapes_special_characters() {
-		$template_string = '<p>Hello, </%placeholder>!</p>';
-		$replacements    = array( 'placeholder' => 'Alice & Bob' );
-
-		$t      = T::from( $template_string );
-		$result = $t->render( $replacements );
-		$this->assertSame( $result, T::sprintf( $template_string, $replacements ) );
-
-		$expected =
-			<<<'HTML'
-			<p>Hello, Alice &amp; Bob!</p>
-			HTML;
-		$this->assertEqualHTML( $expected, $result );
-	}
-
-	public function test_numeric_placeholders() {
-		$template_string = '<p>Hello, </%0> and </%1>!</p>';
-		$replacements    = array( 'Alice', 'Bob' );
-
-		$t      = T::from( $template_string );
-		$result = $t->render( $replacements );
-		$this->assertSame( $result, T::sprintf( $template_string, $replacements ) );
-
-		$expected = '<p>Hello, Alice and Bob!</p>';
-		$this->assertEqualHTML( $expected, $result );
-	}
-
-	public function test_repeated_placeholders() {
-		$template_string = '<p></%0>, </% 0 >, </%name>, & </%name>!</p>';
-		$replacements    = array(
-			'Alice',
-			'name' => 'Bob',
-		);
-
-		$t      = T::from( $template_string );
-		$result = $t->render( $replacements );
-		$this->assertSame( $result, T::sprintf( $template_string, $replacements ) );
-
-		$expected = '<p>Alice, Alice, Bob, &amp; Bob!</p>';
-		$this->assertEqualHTML( $expected, $result );
-	}
-
-	public function test_nested_template_replacement() {
-		$template_string = '<p>Hello, </%html>';
-		$replacements    = array( 'html' => T::from( '<i>Alice</i> & <i>Bob</i>' ) );
-
-		$t      = T::from( $template_string );
-		$result = $t->render( $replacements );
-		$this->assertSame( $result, T::sprintf( $template_string, $replacements ) );
-
-		$expected =
-			<<<'HTML'
-			<p>Hello, <i>Alice</i> &amp; <i>Bob</i></p>
-			HTML;
-		$this->assertEqualHTML( $expected, $result );
-	}
-
-
-	public function test_prevent_sneaky_tag_in_html() {
+	/**
+	 * Verifies that replacement text adjacent to angle brackets is escaped.
+	 *
+	 * @ticket 60229
+	 *
+	 * @covers ::from
+	 * @covers ::render
+	 */
+	public function test_escapes_text_adjacent_to_angle_brackets() {
 		$template_string = 'a<</%tag-name>>s';
 		$replacements    = array( 'tag-name' => 'i' );
 		$t               = T::from( $template_string );
@@ -96,7 +34,16 @@ public function test_prevent_sneaky_tag_in_html() {
 		$this->assertEqualHTML( $expected, $result );
 	}
 
-	public function test_attr_repeat() {
+	/**
+	 * Verifies that only the first of duplicate attributes is replaced.
+	 *
+	 * @ticket 60229
+	 *
+	 * @covers ::from
+	 * @covers ::render
+	 * @covers ::sprintf
+	 */
+	public function test_replaces_only_in_first_duplicate_attribute() {
 		$template_string = '<meta a="</%replace></%replace-2>" a="</% no-replace >">';
 		$replacements    = array(
 			'replace'    => 'O',
@@ -112,7 +59,16 @@ public function test_attr_repeat() {
 		$this->assertEqualHTML( $expected, $result );
 	}
 
-	public function test_attr_no_recursive_replacement() {
+	/**
+	 * Verifies that attribute replacement is not recursive.
+	 *
+	 * @ticket 60229
+	 *
+	 * @covers ::from
+	 * @covers ::render
+	 * @covers ::sprintf
+	 */
+	public function test_attribute_replacement_is_not_recursive() {
 		$template_string = '<meta a="</%replace>">';
 		$replacements    = array(
 			'replace' => '<%/replace>',
@@ -126,36 +82,16 @@ public function test_attr_no_recursive_replacement() {
 		$this->assertEqualHTML( $expected, $result );
 	}
 
-	public function test_replaces_attribute_values() {
-		$template_string = '<meta name="</%n>" content="</%c>">';
-		$replacements    = array(
-			'n' => 'the name',
-			'c' => 'the content',
-		);
-
-		$t      = T::from( $template_string );
-		$result = $t->render( $replacements );
-		$this->assertSame( $result, T::sprintf( $template_string, $replacements ) );
-
-		$expected = '<meta name="the name" content="the content">';
-		$this->assertEqualHTML( $expected, $result );
-	}
-
-	public function test_escapes_attribute_values() {
-		$template_string = '<meta content="</%c>">';
-		$replacements    = array(
-			'c' => 'the "content" & whatever else',
-		);
-
-		$t      = T::from( $template_string );
-		$result = $t->render( $replacements );
-		$this->assertSame( $result, T::sprintf( $template_string, $replacements ) );
-
-		$expected = '<meta content="the &quot;content&quot; &amp; whatever else">';
-		$this->assertEqualHTML( $expected, $result );
-	}
-
-	public function test_attribute_with_spaces() {
+	/**
+	 * Verifies that placeholder names allow surrounding whitespace.
+	 *
+	 * @ticket 60229
+	 *
+	 * @covers ::from
+	 * @covers ::render
+	 * @covers ::sprintf
+	 */
+	public function test_placeholder_names_allow_surrounding_whitespace() {
 		$template_string = "<meta name='</%\tn\n>' content='</% c\r\f>'>";
 		$replacements    = array(
 			'n' => 'the name',
@@ -173,7 +109,16 @@ public function test_attribute_with_spaces() {
 		$this->assertEqualHTML( $expected, $result );
 	}
 
-	public function test_attr_no_produce_character_reference() {
+	/**
+	 * Verifies that ampersands are escaped to prevent character reference injection.
+	 *
+	 * @ticket 60229
+	 *
+	 * @covers ::from
+	 * @covers ::render
+	 * @covers ::sprintf
+	 */
+	public function test_escapes_ampersand_to_prevent_character_reference_injection() {
 		$template_string = '<meta name="&</% placeholder >;">';
 		$replacements    = array( 'placeholder' => 'not' );
 		$t               = T::from( $template_string );
@@ -188,9 +133,15 @@ public function test_attr_no_produce_character_reference() {
 	}
 
 	/**
+	 * Verifies that nested templates are rejected in attribute values.
+	 *
+	 * @ticket 60229
+	 *
+	 * @covers ::sprintf
+	 *
 	 * @expectedIncorrectUsage WP_HTML_Template::render
 	 */
-	public function test_attr_rejects_html() {
+	public function test_rejects_nested_template_in_attribute_value() {
 		$template_string = '<meta name="not-allowed" description="</%html>">';
 		$replacements    = array(
 			'html' => T::from( '<strong>This is not allowed!</strong>' ),
@@ -202,40 +153,80 @@ public function test_attr_rejects_html() {
 	 * @dataProvider data_template
 	 *
 	 * @ticket 60229
+	 *
 	 * @covers ::from
 	 * @covers ::render
+	 * @covers ::sprintf
 	 */
-	public function xtest_template( string $template_string, array $replacements, string $expected ) {
-		$result = WP_HTML_Template::sprintf( $template_string, $replacements );
+	public function test_template( string $template_string, array $replacements, string $expected ) {
+		$t      = T::from( $template_string );
+		$result = $t->render( $replacements );
+		$this->assertSame( $result, T::sprintf( $template_string, $replacements ) );
 		$this->assertEqualHTML( $expected, $result );
 	}
 
 	public static function data_template() {
 		return array(
-			'Basic template'                  => array(
+			'basic template (no placeholders)'    => array(
 				'<p>Hi!</p>',
 				array(),
 				'<p>Hi!</p>',
 			),
 
-			'HTML text replacement (basic)'   => array(
+			'basic text replacement'              => array(
 				'<p>Hello, </%name>!</p>',
-				array( 'name' => 'World!' ),
+				array( 'name' => 'World' ),
 				'<p>Hello, World!</p>',
 			),
 
-			'HTML text replacement (escaped)' => array(
+			'escapes special characters in text'  => array(
+				'<p>Hello, </%placeholder>!</p>',
+				array( 'placeholder' => 'Alice & Bob' ),
+				'<p>Hello, Alice &amp; Bob!</p>',
+			),
+
+			'escapes angle brackets in text'      => array(
 				'<p>Hello, </%name>!</p>',
 				array( 'name' => '<little-bobby-tags>' ),
-				'<p>Hello, &lt;little-bobby-tags&gt;</p>',
+				'<p>Hello, &lt;little-bobby-tags&gt;!</p>',
 			),
 
-			'HTML replacement with template'  => array(
-				'<p>Hello, </%name>!</p>',
+			'numeric placeholders'                => array(
+				'<p>Hello, </%0> and </%1>!</p>',
+				array( 'Alice', 'Bob' ),
+				'<p>Hello, Alice and Bob!</p>',
+			),
+
+			'repeated placeholders'               => array(
+				'<p></%0>, </% 0 >, </%name>, & </%name>!</p>',
+				array(
+					'Alice',
+					'name' => 'Bob',
+				),
+				'<p>Alice, Alice, Bob, &amp; Bob!</p>',
+			),
+
+			'nested template replacement'         => array(
+				'<p>Hello, </%html>',
+				array( 'html' => WP_HTML_Template::from( '<i>Alice</i> & <i>Bob</i>' ) ),
+				'<p>Hello, <i>Alice</i> &amp; <i>Bob</i></p>',
+			),
+
+			'replaces attribute values'           => array(
+				'<meta name="</%n>" content="</%c>">',
+				array(
+					'n' => 'the name',
+					'c' => 'the content',
+				),
+				'<meta name="the name" content="the content">',
+			),
+
+			'escapes attribute values'            => array(
+				'<meta content="</%c>">',
 				array(
-					'name' => WP_HTML_Template::from( '<i>World</i>' ),
+					'c' => 'the "content" & whatever else',
 				),
-				'<p>Hello, <i>World</i>!</p>',
+				'<meta content="the &quot;content&quot; &amp; whatever else">',
 			),
 		);
 	}
@@ -246,6 +237,7 @@ public static function data_template() {
 	 * @dataProvider data_real_world_examples
 	 *
 	 * @ticket 60229
+	 *
 	 * @covers ::sprintf
 	 */
 	public function test_real_world_examples( string $template_string, array $replacements, string $expected ) {
@@ -510,7 +502,16 @@ public static function data_real_world_examples() {
 		);
 	}
 
-	public function test_multi_replace() {
+	/**
+	 * Verifies nested templates work correctly in a definition list.
+	 *
+	 * @ticket 60229
+	 *
+	 * @covers ::from
+	 * @covers ::render
+	 * @covers ::sprintf
+	 */
+	public function test_nested_templates_in_definition_list() {
 		$row_template_string = "<dt></%term></dt>\n<dd></%definition></dd>";
 
 		// @todo It should be possible to produce templates from an original.
@@ -557,7 +558,16 @@ public function test_multi_replace() {
 		$this->assertEqualHTML( $expected, $result );
 	}
 
-	public function test_multi_replace_table() {
+	/**
+	 * Verifies table templates are not yet supported.
+	 *
+	 * @ticket 60229
+	 *
+	 * @covers ::from
+	 * @covers ::render
+	 * @covers ::sprintf
+	 */
+	public function test_table_templates_not_yet_supported() {
 		$this->markTestSkipped( 'IN TABLE templates are not supported yet.' );
 		$header_tpl = WP_HTML_Template::from(
 			'<tr><th></% ID ><th></% name ><th></% value ><th></% link >',

From 48ff31924ae16b99329e2f3ee6da1b45fea78ec4 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Wed, 4 Feb 2026 15:39:44 +0100
Subject: [PATCH 19/66] Refactor WP_HTML_Template to use composition over
 inheritance

Replace `extends WP_HTML_Tag_Processor` with an internal anonymous class
that provides accessor methods for the protected properties needed during
template rendering. This improves encapsulation by not exposing the tag
processor's public API on the template class.
---
 .../html-api/class-wp-html-template.php       | 149 ++++++++++++------
 1 file changed, 99 insertions(+), 50 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-template.php b/src/wp-includes/html-api/class-wp-html-template.php
index 08ce503043b4f..99ef3c6fcaeb4 100644
--- a/src/wp-includes/html-api/class-wp-html-template.php
+++ b/src/wp-includes/html-api/class-wp-html-template.php
@@ -7,7 +7,7 @@
  * @since 7.0.0
  */
 
-class WP_HTML_Template extends WP_HTML_Tag_Processor {
+class WP_HTML_Template {
 	/**
 	 * The template string.
 	 *
@@ -76,7 +76,44 @@ public function render( ?array $replacements = null ) {
 			return WP_HTML_Processor::normalize( $this->template_string ) ?? $this->template_string;
 		}
 
-		$processor      = new WP_HTML_Tag_Processor( $this->template_string );
+		$processor      = new class( $this->template_string ) extends WP_HTML_Tag_Processor {
+			/**
+			 * Returns the HTML string being processed.
+			 *
+			 * @return string The HTML string.
+			 */
+			public function get_html(): string {
+				return $this->html;
+			}
+
+			/**
+			 * Returns a bookmark by name.
+			 *
+			 * @param string $name The bookmark name.
+			 * @return WP_HTML_Span|null The bookmark span, or null if not found.
+			 */
+			public function get_bookmark( string $name ) {
+				return $this->bookmarks[ $name ] ?? null;
+			}
+
+			/**
+			 * Returns the tag attributes array.
+			 *
+			 * @return array The attributes array.
+			 */
+			public function get_tag_attributes(): array {
+				return $this->attributes;
+			}
+
+			/**
+			 * Adds a lexical update.
+			 *
+			 * @param WP_HTML_Text_Replacement $update The text replacement to add.
+			 */
+			public function add_lexical_update( WP_HTML_Text_Replacement $update ): void {
+				$this->lexical_updates[] = $update;
+			}
+		};
 		$error_occurred = false;
 
 		while ( $processor->next_token() ) {
@@ -87,14 +124,16 @@ public function render( ?array $replacements = null ) {
 				 */
 				case '#text':
 					$processor->set_bookmark( 'text' );
-					$mark = $processor->bookmarks['text'] ?? null;
+					$mark = $processor->get_bookmark( 'text' );
 					assert( null !== $mark );
 					$normalized = $processor->serialize_token();
-					if ( 0 !== substr_compare( $processor->html, $normalized, $mark->start, min( $mark->length, strlen( $normalized ) ) ) ) {
-						$processor->lexical_updates[] = new WP_HTML_Text_Replacement(
-							$mark->start,
-							$mark->length,
-							$normalized
+					if ( 0 !== substr_compare( $processor->get_html(), $normalized, $mark->start, min( $mark->length, strlen( $normalized ) ) ) ) {
+						$processor->add_lexical_update(
+							new WP_HTML_Text_Replacement(
+								$mark->start,
+								$mark->length,
+								$normalized
+							)
 						);
 					}
 					break;
@@ -102,16 +141,17 @@ public function render( ?array $replacements = null ) {
 				case '#funky-comment':
 					// Does it look like a placeholder?
 					$processor->set_bookmark( 'placeholder' );
-					$mark = $processor->bookmarks['placeholder'] ?? null;
+					$mark = $processor->get_bookmark( 'placeholder' );
 					assert( null !== $mark );
 					// A funky comment looks at least like </%…>
 					$start  = $mark->start;
 					$length = $mark->length;
+					$html   = $processor->get_html();
 					// This is not the funky comment we're looking for.
-					if ( $length < 5 || ! $processor->html[ $start + 2 ] === '%' ) {
+					if ( $length < 5 || ! $html[ $start + 2 ] === '%' ) {
 						break;
 					}
-					$placeholder = trim( \substr( $processor->html, $start + 3, $length - 4 ), " \t\n\r\f" );
+					$placeholder = trim( \substr( $html, $start + 3, $length - 4 ), " \t\n\r\f" );
 
 					// Valid placeholders match `/a-z0-9_-/i`.
 					if ( \strlen( $placeholder ) !== \strspn( $placeholder, 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-' ) ) {
@@ -120,25 +160,29 @@ public function render( ?array $replacements = null ) {
 
 					$replacement = $this->get_replacement( $placeholder );
 					if ( \is_string( $replacement ) ) {
-						$processor->lexical_updates[] = new WP_HTML_Text_Replacement(
-							$start,
-							$length,
-							strtr(
-								$replacement,
-								array(
-									'<' => '&lt;',
-									'>' => '&gt;',
-									"'" => '&apos;',
-									'"' => '&quot;',
-									'&' => '&amp;',
+						$processor->add_lexical_update(
+							new WP_HTML_Text_Replacement(
+								$start,
+								$length,
+								strtr(
+									$replacement,
+									array(
+										'<' => '&lt;',
+										'>' => '&gt;',
+										"'" => '&apos;',
+										'"' => '&quot;',
+										'&' => '&amp;',
+									)
 								)
 							)
 						);
 					} elseif ( $replacement instanceof WP_HTML_Template ) {
-						$processor->lexical_updates[] = new WP_HTML_Text_Replacement(
-							$start,
-							$length,
-							$replacement->render()
+						$processor->add_lexical_update(
+							new WP_HTML_Text_Replacement(
+								$start,
+								$length,
+								$replacement->render()
+							)
 						);
 					}
 					break;
@@ -148,7 +192,8 @@ public function render( ?array $replacements = null ) {
 						break;
 					}
 
-					foreach ( $processor->attributes as $attribute ) {
+					$html = $processor->get_html();
+					foreach ( $processor->get_tag_attributes() as $attribute ) {
 						// Boolean attributes cannot contain placeholders.
 						if ( $attribute->is_true ) {
 							continue;
@@ -168,7 +213,7 @@ public function render( ?array $replacements = null ) {
 						while (
 							1 === preg_match(
 								'#</%[ \\t\\r\\f\\n]*([a-z0-9_-]+)[ \\t\\r\\f\\n]*>#i',
-								$processor->html,
+								$html,
 								$matches,
 								PREG_OFFSET_CAPTURE,
 								$offset
@@ -181,32 +226,36 @@ public function render( ?array $replacements = null ) {
 								$match_length = strlen( $matches[0][0] );
 
 								// Capture and clean the preceding attribute text.
-								$processor->lexical_updates[] = new WP_HTML_Text_Replacement(
-									$last_offset,
-									$match_at - $last_offset,
-									strtr(
-										substr( $processor->html, $last_offset, $match_at - $last_offset ),
-										array(
-											'<' => '&lt;',
-											'>' => '&gt;',
-											"'" => '&apos;',
-											'"' => '&quot;',
-											'&' => '&amp;',
+								$processor->add_lexical_update(
+									new WP_HTML_Text_Replacement(
+										$last_offset,
+										$match_at - $last_offset,
+										strtr(
+											substr( $html, $last_offset, $match_at - $last_offset ),
+											array(
+												'<' => '&lt;',
+												'>' => '&gt;',
+												"'" => '&apos;',
+												'"' => '&quot;',
+												'&' => '&amp;',
+											)
 										)
 									)
 								);
 
-								$processor->lexical_updates[] = new WP_HTML_Text_Replacement(
-									$match_at,
-									strlen( $matches[0][0] ),
-									strtr(
-										$replacement,
-										array(
-											'<' => '&lt;',
-											'>' => '&gt;',
-											"'" => '&apos;',
-											'"' => '&quot;',
-											'&' => '&amp;',
+								$processor->add_lexical_update(
+									new WP_HTML_Text_Replacement(
+										$match_at,
+										strlen( $matches[0][0] ),
+										strtr(
+											$replacement,
+											array(
+												'<' => '&lt;',
+												'>' => '&gt;',
+												"'" => '&apos;',
+												'"' => '&quot;',
+												'&' => '&amp;',
+											)
 										)
 									)
 								);

From e04d7c052bc1c703bd1e6339b11f20c9b070ac24 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Wed, 4 Feb 2026 15:42:31 +0100
Subject: [PATCH 20/66] Remove unused preg_attribute_replace_callback method
 from WP_HTML_Template

---
 .../html-api/class-wp-html-template.php       | 24 -------------------
 1 file changed, 24 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-template.php b/src/wp-includes/html-api/class-wp-html-template.php
index 99ef3c6fcaeb4..0db4455e55a5d 100644
--- a/src/wp-includes/html-api/class-wp-html-template.php
+++ b/src/wp-includes/html-api/class-wp-html-template.php
@@ -281,30 +281,6 @@ public function add_lexical_update( WP_HTML_Text_Replacement $update ): void {
 		return WP_HTML_Processor::normalize( $html ) ?? $html;
 	}
 
-	private function preg_attribute_replace_callback( $matches ) {
-		$key = $matches[1];
-
-		$replacement = $this->get_replacement( $key );
-
-		// Keep placeholder if no replacement found.
-		if ( null === $replacement ) {
-			return $matches[0];
-		}
-
-		// HTML cannot be embedded in attribute values.
-		if ( $replacement instanceof self ) {
-			_doing_it_wrong(
-				__METHOD__,
-				// @todo improve this message, include the placeholder in the string.
-				__( 'Attribute values cannot contain HTML. Use a plain string.' ),
-				'7.0.0'
-			);
-			return '';
-		}
-
-		return $replacement;
-	}
-
 	/**
 	 * Get the replacement value for a placeholder key.
 	 *

From 65f62a9addc2a250d5d7339e80ba5c7790cec457 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Wed, 4 Feb 2026 16:26:27 +0100
Subject: [PATCH 21/66] Add more tests

---
 .../phpunit/tests/html-api/wpHtmlTemplate.php | 151 ++++++++++++++++++
 1 file changed, 151 insertions(+)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTemplate.php b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
index ab01e33b64cce..ef217c3d3e6e8 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTemplate.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
@@ -618,4 +618,155 @@ public function test_table_templates_not_yet_supported() {
 			HTML;
 		$this->assertEqualHTML( $expected, $result );
 	}
+
+	/**
+	 * Verifies that attributes are replaced in atomic elements (SCRIPT, STYLE, TITLE).
+	 *
+	 * These elements have special parsing rules that skip their content,
+	 * but attributes should still be processed normally.
+	 *
+	 * @ticket 60229
+	 *
+	 * @dataProvider data_atomic_element_attributes
+	 *
+	 * @covers ::from
+	 * @covers ::render
+	 * @covers ::sprintf
+	 */
+	public function test_atomic_element_attributes_are_replaced( string $template_string, array $replacements, string $expected ) {
+		$t      = T::from( $template_string );
+		$result = $t->render( $replacements );
+		$this->assertSame( $result, T::sprintf( $template_string, $replacements ) );
+		$this->assertSame( $expected, $result );
+	}
+
+	public static function data_atomic_element_attributes() {
+		return array(
+			'SCRIPT element attributes'   => array(
+				'<script src="</%src>">console.log("hi")</script>',
+				array( 'src' => '/js/app.js' ),
+				'<script src="/js/app.js">console.log("hi")</script>',
+			),
+
+			'STYLE element attributes'    => array(
+				'<style media="</%media>">.foo { color: red; }</style>',
+				array( 'media' => 'screen' ),
+				'<style media="screen">.foo { color: red; }</style>',
+			),
+
+			'TITLE element attributes'    => array(
+				'<title lang="</%lang>">Page Title</title>',
+				array( 'lang' => 'en' ),
+				'<title lang="en">Page Title</title>',
+			),
+
+			'TEXTAREA element attributes' => array(
+				'<textarea name="</%name>">Some content</textarea>',
+				array( 'name' => 'my-textarea' ),
+				'<textarea name="my-textarea">Some content</textarea>',
+			),
+		);
+	}
+
+	/**
+	 * Verifies content placeholder behavior in elements with special parsing.
+	 *
+	 * - RAWTEXT elements (SCRIPT, STYLE): Content is skipped, placeholders preserved literally.
+	 * - RCDATA elements (TITLE, TEXTAREA): Content is processed but placeholders are not
+	 *   recognized - they're treated as literal text and HTML-escaped.
+	 *
+	 * @ticket 60229
+	 *
+	 * @dataProvider data_atomic_element_content_placeholders
+	 *
+	 * @covers ::from
+	 * @covers ::render
+	 * @covers ::sprintf
+	 */
+	public function test_special_element_content_placeholder_behavior( string $template_string, array $replacements, string $expected ) {
+		$t      = T::from( $template_string );
+		$result = $t->render( $replacements );
+		$this->assertSame( $result, T::sprintf( $template_string, $replacements ) );
+		$this->assertSame( $expected, $result );
+	}
+
+	public static function data_atomic_element_content_placeholders() {
+		return array(
+			// RAWTEXT elements (SCRIPT, STYLE): Content is truly skipped, placeholders preserved literally.
+			'SCRIPT content placeholder ignored'          => array(
+				'<script>var x = "</%name>";</script>',
+				array( 'name' => 'SHOULD NOT APPEAR' ),
+				'<script>var x = "</%name>";</script>',
+			),
+
+			'STYLE content placeholder ignored'           => array(
+				'<style>.foo { content: "</%content>"; }</style>',
+				array( 'content' => 'SHOULD NOT APPEAR' ),
+				'<style>.foo { content: "</%content>"; }</style>',
+			),
+
+			// RCDATA elements (TITLE, TEXTAREA): Content is processed but placeholder
+			// patterns are not recognized - they're treated as literal text and escaped.
+			'TITLE content placeholder not recognized'    => array(
+				'<title>Hello </%name></title>',
+				array( 'name' => 'SHOULD NOT APPEAR' ),
+				'<title>Hello &lt;/%name&gt;</title>',
+			),
+
+			'TEXTAREA content placeholder not recognized' => array(
+				'<textarea></%placeholder></textarea>',
+				array( 'placeholder' => 'SHOULD NOT APPEAR' ),
+				'<textarea>&lt;/%placeholder&gt;</textarea>',
+			),
+		);
+	}
+
+	/**
+	 * Verifies leading newline behavior in PRE elements.
+	 *
+	 * HTML5 specifies that a single leading newline immediately after the
+	 * <pre> start tag is ignored. This test documents the template behavior.
+	 *
+	 * @ticket 60229
+	 *
+	 * @dataProvider data_pre_element_leading_newline
+	 *
+	 * @covers ::from
+	 * @covers ::render
+	 * @covers ::sprintf
+	 */
+	public function test_pre_element_leading_newline_behavior( string $template_string, array $replacements, string $expected ) {
+		$t      = T::from( $template_string );
+		$result = $t->render( $replacements );
+		$this->assertSame( $result, T::sprintf( $template_string, $replacements ) );
+		$this->assertSame( $expected, $result );
+	}
+
+	public static function data_pre_element_leading_newline() {
+		return array(
+			'PRE without newline'        => array(
+				"<pre></%code></pre>",
+				array( 'code' => "line1\nline2"),
+				"<pre>line1\nline2</pre>",
+			),
+
+			'PRE with newline' => array(
+				"<pre>\n</%code></pre>",
+				array( 'code' =>  "line1\nline2"),
+				"<pre>line1\nline2</pre>",
+			),
+
+			'PRE with newline in replacement' => array(
+				"<pre>\n</%code></pre>",
+				array( 'code' =>   "line1\nline2"),
+				"<pre>line1\nline2</pre>",
+			),
+
+			'PRE with newline and newline in replacement' => array(
+				"<pre>\n</%code></pre>",
+				array( 'code' =>    "\nline1\nline2"),
+				"<pre>\nline1\nline2</pre>",
+			),
+		);
+	}
 }

From 5d58abfb97056ccf5b7cab4e95552078464173a4 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Wed, 4 Feb 2026 16:33:31 +0100
Subject: [PATCH 22/66] lints

---
 .../html-api/class-wp-html-template.php        |  2 +-
 .../phpunit/tests/html-api/wpHtmlTemplate.php  | 18 +++++++++---------
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-template.php b/src/wp-includes/html-api/class-wp-html-template.php
index 0db4455e55a5d..3d873c65792f9 100644
--- a/src/wp-includes/html-api/class-wp-html-template.php
+++ b/src/wp-includes/html-api/class-wp-html-template.php
@@ -259,7 +259,7 @@ public function add_lexical_update( WP_HTML_Text_Replacement $update ): void {
 										)
 									)
 								);
-								$last_offset                  = $match_at + $match_length;
+								$last_offset = $match_at + $match_length;
 							} elseif ( $replacement instanceof self ) {
 								_doing_it_wrong(
 									__METHOD__,
diff --git a/tests/phpunit/tests/html-api/wpHtmlTemplate.php b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
index ef217c3d3e6e8..05f95864afe12 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTemplate.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
@@ -167,37 +167,37 @@ public function test_template( string $template_string, array $replacements, str
 
 	public static function data_template() {
 		return array(
-			'basic template (no placeholders)'    => array(
+			'basic template (no placeholders)'   => array(
 				'<p>Hi!</p>',
 				array(),
 				'<p>Hi!</p>',
 			),
 
-			'basic text replacement'              => array(
+			'basic text replacement'             => array(
 				'<p>Hello, </%name>!</p>',
 				array( 'name' => 'World' ),
 				'<p>Hello, World!</p>',
 			),
 
-			'escapes special characters in text'  => array(
+			'escapes special characters in text' => array(
 				'<p>Hello, </%placeholder>!</p>',
 				array( 'placeholder' => 'Alice & Bob' ),
 				'<p>Hello, Alice &amp; Bob!</p>',
 			),
 
-			'escapes angle brackets in text'      => array(
+			'escapes angle brackets in text'     => array(
 				'<p>Hello, </%name>!</p>',
 				array( 'name' => '<little-bobby-tags>' ),
 				'<p>Hello, &lt;little-bobby-tags&gt;!</p>',
 			),
 
-			'numeric placeholders'                => array(
+			'numeric placeholders'               => array(
 				'<p>Hello, </%0> and </%1>!</p>',
 				array( 'Alice', 'Bob' ),
 				'<p>Hello, Alice and Bob!</p>',
 			),
 
-			'repeated placeholders'               => array(
+			'repeated placeholders'              => array(
 				'<p></%0>, </% 0 >, </%name>, & </%name>!</p>',
 				array(
 					'Alice',
@@ -206,13 +206,13 @@ public static function data_template() {
 				'<p>Alice, Alice, Bob, &amp; Bob!</p>',
 			),
 
-			'nested template replacement'         => array(
+			'nested template replacement'        => array(
 				'<p>Hello, </%html>',
 				array( 'html' => WP_HTML_Template::from( '<i>Alice</i> & <i>Bob</i>' ) ),
 				'<p>Hello, <i>Alice</i> &amp; <i>Bob</i></p>',
 			),
 
-			'replaces attribute values'           => array(
+			'replaces attribute values'          => array(
 				'<meta name="</%n>" content="</%c>">',
 				array(
 					'n' => 'the name',
@@ -221,7 +221,7 @@ public static function data_template() {
 				'<meta name="the name" content="the content">',
 			),
 
-			'escapes attribute values'            => array(
+			'escapes attribute values'           => array(
 				'<meta content="</%c>">',
 				array(
 					'c' => 'the "content" & whatever else',

From d57d0c4db30e3ed32ac21d165ced9ccada675f24 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Wed, 4 Feb 2026 21:54:31 +0100
Subject: [PATCH 23/66] Rework interface

---
 .../html-api/class-wp-html-template.php       | 120 ++++++++++--------
 1 file changed, 66 insertions(+), 54 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-template.php b/src/wp-includes/html-api/class-wp-html-template.php
index 3d873c65792f9..ce471ff57ebfd 100644
--- a/src/wp-includes/html-api/class-wp-html-template.php
+++ b/src/wp-includes/html-api/class-wp-html-template.php
@@ -25,57 +25,48 @@ private function __construct( string $template_string, array $replacements ) {
 	}
 
 	/**
-	 * Render a template string with the given replacements.
+	 * Creates a template from a string.
 	 *
 	 * @since 7.0.0
 	 *
-	 * @param string $template_string The template string with placeholders.
-	 * @param array  $replacements    The replacement values.
-	 * @return string|false The rendered HTML, or false on error.
+	 * @param string $template The template string with placeholders.
+	 * @return static The template instance.
 	 */
-	public static function sprintf( string $template_string, array $replacements = array() ) {
-		return self::from( $template_string, $replacements )->render();
+	public static function from( string $template ): static {
+		return new static( $template, array() );
 	}
 
 	/**
-	 * @param string $template_string The template string with placeholders.
-	 * @param array  $replacements    The replacement values.
+	 * Returns a new immutable instance with replacements bound.
+	 *
+	 * @since 7.0.0
+	 *
+	 * @param array $replacements The replacement values.
+	 * @return static A new template instance with the replacements bound.
 	 */
-	public static function from( string $template_string, array $replacements = array() ): static {
-		if ( ! is_string( $template_string ) ) {
-			_doing_it_wrong(
-				__METHOD__,
-				__( 'The template string must be a string.' ),
-				'7.0.0'
-			);
-			$template_string = '';
-		}
-		return new static( $template_string, $replacements );
+	public function bind( array $replacements ): static {
+		return new static( $this->template_string, $replacements );
 	}
 
 	/**
-	 * Render the template with the given replacements.
+	 * Renders the template to an HTML string.
+	 *
+	 * Returns false on any error:
+	 * - Missing replacement key (placeholder without corresponding replacement)
+	 * - Unused replacement key (replacement without corresponding placeholder)
+	 * - Template in attribute context
+	 * - HTML processing/normalization failure
 	 *
 	 * @since 7.0.0
 	 *
-	 * @param array $replacements Optional. The replacement values. They may be provided at template creation time.
 	 * @return string|false The rendered HTML, or false on error.
 	 */
-	public function render( ?array $replacements = null ) {
-		if ( \is_array( $replacements ) ) {
-			$this->replacements = $replacements;
-		} elseif ( null !== $replacements ) {
-			_doing_it_wrong(
-				__METHOD__,
-				__( 'The replacements must be an array.' ),
-				'7.0.0'
-			);
-		}
-
+	public function render(): string|false {
 		if ( empty( $this->replacements ) ) {
 			return WP_HTML_Processor::normalize( $this->template_string ) ?? $this->template_string;
 		}
 
+		$used_keys      = array();
 		$processor      = new class( $this->template_string ) extends WP_HTML_Tag_Processor {
 			/**
 			 * Returns the HTML string being processed.
@@ -158,7 +149,11 @@ public function add_lexical_update( WP_HTML_Text_Replacement $update ): void {
 						break;
 					}
 
-					$replacement = $this->get_replacement( $placeholder );
+					$replacement = $this->get_replacement( $placeholder, $used_keys );
+					if ( null === $replacement ) {
+						$error_occurred = true;
+						break;
+					}
 					if ( \is_string( $replacement ) ) {
 						$processor->add_lexical_update(
 							new WP_HTML_Text_Replacement(
@@ -177,11 +172,16 @@ public function add_lexical_update( WP_HTML_Text_Replacement $update ): void {
 							)
 						);
 					} elseif ( $replacement instanceof WP_HTML_Template ) {
+						$rendered = $replacement->render();
+						if ( false === $rendered ) {
+							$error_occurred = true;
+							break;
+						}
 						$processor->add_lexical_update(
 							new WP_HTML_Text_Replacement(
 								$start,
 								$length,
-								$replacement->render()
+								$rendered
 							)
 						);
 					}
@@ -220,7 +220,11 @@ public function add_lexical_update( WP_HTML_Text_Replacement $update ): void {
 							)
 							&& $matches[0][1] < $end
 						) {
-							$replacement = $this->get_replacement( $matches[1][0] );
+							$replacement = $this->get_replacement( $matches[1][0], $used_keys );
+							if ( null === $replacement ) {
+								$error_occurred = true;
+								break 2; // Break out of while and foreach.
+							}
 							if ( is_string( $replacement ) ) {
 								$match_at     = $matches[0][1];
 								$match_length = strlen( $matches[0][0] );
@@ -261,12 +265,7 @@ public function add_lexical_update( WP_HTML_Text_Replacement $update ): void {
 								);
 								$last_offset = $match_at + $match_length;
 							} elseif ( $replacement instanceof self ) {
-								_doing_it_wrong(
-									__METHOD__,
-									// @todo improve this message, include the placeholder in the string.
-									__( 'Attribute values cannot contain HTML. Use a plain string.' ),
-									'7.0.0'
-								);
+								// Template in attribute context is an error.
 								return false;
 							}
 
@@ -276,6 +275,16 @@ public function add_lexical_update( WP_HTML_Text_Replacement $update ): void {
 			}
 		}
 
+		// Return false if any placeholder was missing a replacement.
+		if ( $error_occurred ) {
+			return false;
+		}
+
+		// Return false if any replacement key was not used.
+		if ( count( $used_keys ) !== count( $this->replacements ) ) {
+			return false;
+		}
+
 		$html = $processor->get_updated_html();
 
 		return WP_HTML_Processor::normalize( $html ) ?? $html;
@@ -285,28 +294,31 @@ public function add_lexical_update( WP_HTML_Text_Replacement $update ): void {
 	 * Get the replacement value for a placeholder key.
 	 *
 	 * Handles both named keys (like 'name') and numeric keys (like 0).
+	 * Tracks which keys are used for validation.
 	 *
 	 * @since 7.0.0
 	 *
-	 * @param string $key          The placeholder key.
-	 * @return mixed|null The replacement value, or null if not found.
+	 * @param string $key       The placeholder key.
+	 * @param array  $used_keys Reference to array tracking used keys.
+	 * @return self|string|null The replacement value, or null if not found.
 	 */
-	private function get_replacement( string $key ): self|string|null {
-		$replacement = $this->replacements[ $key ] ?? null;
+	private function get_replacement( string $key, array &$used_keys ): self|string|null {
+		// Try string key first, then numeric if the key looks numeric.
+		if ( array_key_exists( $key, $this->replacements ) ) {
+			$replacement = $this->replacements[ $key ];
+		} elseif ( ctype_digit( $key ) && array_key_exists( (int) $key, $this->replacements ) ) {
+			$key         = (int) $key;
+			$replacement = $this->replacements[ $key ];
+		} else {
+			return null;
+		}
+
+		$used_keys[ $key ] = true;
+
 		if ( \is_string( $replacement ) || ( $replacement instanceof WP_HTML_Template ) ) {
 			return $replacement;
 		}
 
-		_doing_it_wrong(
-			__METHOD__,
-			sprintf(
-				__( 'Invalid replacement for %1$s of type `%2$s`. Must be a string or template.' ),
-				esc_html( $key ),
-				esc_html( gettype( $replacement ) )
-			),
-			'7.0.0'
-		);
-
 		return null;
 	}
 }

From bd8740e8b1bdb22779d4d6eb46ec8913068d981a Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Wed, 4 Feb 2026 21:59:10 +0100
Subject: [PATCH 24/66] Update tests for new API

---
 .../phpunit/tests/html-api/wpHtmlTemplate.php | 183 ++++++++----------
 1 file changed, 84 insertions(+), 99 deletions(-)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTemplate.php b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
index 05f95864afe12..a9e9f1f060445 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTemplate.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
@@ -22,13 +22,13 @@ class Tests_HtmlApi_WpHtmlTemplate extends WP_UnitTestCase {
 	 * @ticket 60229
 	 *
 	 * @covers ::from
+	 * @covers ::bind
 	 * @covers ::render
 	 */
 	public function test_escapes_text_adjacent_to_angle_brackets() {
 		$template_string = 'a<</%tag-name>>s';
 		$replacements    = array( 'tag-name' => 'i' );
-		$t               = T::from( $template_string );
-		$result          = $t->render( $replacements );
+		$result          = T::from( $template_string )->bind( $replacements )->render();
 
 		$expected = 'a&lt;i&gt;s';
 		$this->assertEqualHTML( $expected, $result );
@@ -37,23 +37,24 @@ public function test_escapes_text_adjacent_to_angle_brackets() {
 	/**
 	 * Verifies that only the first of duplicate attributes is replaced.
 	 *
+	 * Note: Duplicate attributes are stripped per HTML spec, so placeholders
+	 * in duplicate attributes are ignored. Providing a replacement for such
+	 * placeholders would be an unused key error.
+	 *
 	 * @ticket 60229
 	 *
 	 * @covers ::from
+	 * @covers ::bind
 	 * @covers ::render
-	 * @covers ::sprintf
 	 */
 	public function test_replaces_only_in_first_duplicate_attribute() {
 		$template_string = '<meta a="</%replace></%replace-2>" a="</% no-replace >">';
 		$replacements    = array(
-			'replace'    => 'O',
-			'replace-2'  => 'K',
-			'no-replace' => 'FAIL',
+			'replace'   => 'O',
+			'replace-2' => 'K',
 		);
 
-		$t      = T::from( $template_string );
-		$result = $t->render( $replacements );
-		$this->assertSame( $result, T::sprintf( $template_string, $replacements ) );
+		$result = T::from( $template_string )->bind( $replacements )->render();
 
 		$expected = '<meta a="OK">';
 		$this->assertEqualHTML( $expected, $result );
@@ -65,8 +66,8 @@ public function test_replaces_only_in_first_duplicate_attribute() {
 	 * @ticket 60229
 	 *
 	 * @covers ::from
+	 * @covers ::bind
 	 * @covers ::render
-	 * @covers ::sprintf
 	 */
 	public function test_attribute_replacement_is_not_recursive() {
 		$template_string = '<meta a="</%replace>">';
@@ -74,9 +75,7 @@ public function test_attribute_replacement_is_not_recursive() {
 			'replace' => '<%/replace>',
 		);
 
-		$t      = T::from( $template_string );
-		$result = $t->render( $replacements );
-		$this->assertSame( $result, T::sprintf( $template_string, $replacements ) );
+		$result = T::from( $template_string )->bind( $replacements )->render();
 
 		$expected = '<meta a="&lt;%/replace&gt;">';
 		$this->assertEqualHTML( $expected, $result );
@@ -88,8 +87,8 @@ public function test_attribute_replacement_is_not_recursive() {
 	 * @ticket 60229
 	 *
 	 * @covers ::from
+	 * @covers ::bind
 	 * @covers ::render
-	 * @covers ::sprintf
 	 */
 	public function test_placeholder_names_allow_surrounding_whitespace() {
 		$template_string = "<meta name='</%\tn\n>' content='</% c\r\f>'>";
@@ -98,9 +97,7 @@ public function test_placeholder_names_allow_surrounding_whitespace() {
 			'c' => 'the "content" & whatever else',
 		);
 
-		$t      = T::from( $template_string );
-		$result = $t->render( $replacements );
-		$this->assertSame( $result, T::sprintf( $template_string, $replacements ) );
+		$result = T::from( $template_string )->bind( $replacements )->render();
 
 		$expected =
 			<<<'HTML'
@@ -115,15 +112,13 @@ public function test_placeholder_names_allow_surrounding_whitespace() {
 	 * @ticket 60229
 	 *
 	 * @covers ::from
+	 * @covers ::bind
 	 * @covers ::render
-	 * @covers ::sprintf
 	 */
 	public function test_escapes_ampersand_to_prevent_character_reference_injection() {
 		$template_string = '<meta name="&</% placeholder >;">';
 		$replacements    = array( 'placeholder' => 'not' );
-		$t               = T::from( $template_string );
-		$result          = $t->render( $replacements );
-		$this->assertSame( $result, T::sprintf( $template_string, $replacements ) );
+		$result          = T::from( $template_string )->bind( $replacements )->render();
 
 		$expected =
 			<<<'HTML'
@@ -137,16 +132,16 @@ public function test_escapes_ampersand_to_prevent_character_reference_injection(
 	 *
 	 * @ticket 60229
 	 *
-	 * @covers ::sprintf
-	 *
-	 * @expectedIncorrectUsage WP_HTML_Template::render
+	 * @covers ::from
+	 * @covers ::bind
+	 * @covers ::render
 	 */
 	public function test_rejects_nested_template_in_attribute_value() {
 		$template_string = '<meta name="not-allowed" description="</%html>">';
 		$replacements    = array(
 			'html' => T::from( '<strong>This is not allowed!</strong>' ),
 		);
-		$this->assertFalse( T::sprintf( $template_string, $replacements ) );
+		$this->assertFalse( T::from( $template_string )->bind( $replacements )->render() );
 	}
 
 	/**
@@ -155,13 +150,11 @@ public function test_rejects_nested_template_in_attribute_value() {
 	 * @ticket 60229
 	 *
 	 * @covers ::from
+	 * @covers ::bind
 	 * @covers ::render
-	 * @covers ::sprintf
 	 */
 	public function test_template( string $template_string, array $replacements, string $expected ) {
-		$t      = T::from( $template_string );
-		$result = $t->render( $replacements );
-		$this->assertSame( $result, T::sprintf( $template_string, $replacements ) );
+		$result = T::from( $template_string )->bind( $replacements )->render();
 		$this->assertEqualHTML( $expected, $result );
 	}
 
@@ -238,10 +231,12 @@ public static function data_template() {
 	 *
 	 * @ticket 60229
 	 *
-	 * @covers ::sprintf
+	 * @covers ::from
+	 * @covers ::bind
+	 * @covers ::render
 	 */
 	public function test_real_world_examples( string $template_string, array $replacements, string $expected ) {
-		$result = WP_HTML_Template::sprintf( $template_string, $replacements );
+		$result = WP_HTML_Template::from( $template_string )->bind( $replacements )->render();
 		$this->assertEqualHTML( $expected, $result );
 	}
 
@@ -292,13 +287,13 @@ public static function data_real_world_examples() {
 			array(
 				'url'    => 'https://example.com/hello-world/?foo=1&bar=2',
 				'target' => '_blank',
-				'title'  => WP_HTML_Template::from(
-					'\'<i></%italic></i>\' & <b>"</%bold>"</b>',
-					array(
-						'italic' => 'This',
-						'bold'   => 'That',
-					)
-				),
+				'title'  => WP_HTML_Template::from( '\'<i></%italic></i>\' & <b>"</%bold>"</b>' )
+					->bind(
+						array(
+							'italic' => 'This',
+							'bold'   => 'That',
+						)
+					),
 			),
 			<<<'HTML'
 			<a href="https://example.com/hello-world/?foo=1&amp;bar=2" target="_blank">
@@ -508,40 +503,37 @@ public static function data_real_world_examples() {
 	 * @ticket 60229
 	 *
 	 * @covers ::from
+	 * @covers ::bind
 	 * @covers ::render
-	 * @covers ::sprintf
 	 */
 	public function test_nested_templates_in_definition_list() {
-		$row_template_string = "<dt></%term></dt>\n<dd></%definition></dd>";
+		$row_template = WP_HTML_Template::from( "<dt></%term></dt>\n<dd></%definition></dd>" );
 
-		// @todo It should be possible to produce templates from an original.
 		$row_replacements = array();
-		for ( $i = 0; $i <= 3; $i++ ) {
-			$row_replacements[ "row-{$i}" ] = WP_HTML_Template::from(
-				$row_template_string,
+		for ( $i = 1; $i <= 3; $i++ ) {
+			$row_replacements[ "row-{$i}" ] = $row_template->bind(
 				array(
 					'term'       => "Term \"{$i}\"",
-					'definition' => WP_HTML_Template::from(
-						'<abbr title="</%expansion>">IYKYK</abbr>: </%i>',
-						array(
-							'i'         => (string) $i,
-							'expansion' => '"If You Know You Know"',
-						)
-					),
+					'definition' => WP_HTML_Template::from( '<abbr title="</%expansion>">IYKYK</abbr>: </%i>' )
+						->bind(
+							array(
+								'i'         => (string) $i,
+								'expansion' => '"If You Know You Know"',
+							)
+						),
 				)
 			);
 		}
 
-		$result = WP_HTML_Template::sprintf(
+		$result = WP_HTML_Template::from(
 			<<<'HTML'
 			<dl>
 			</%row-1>
 			</%row-2>
 			</%row-3>
 			</dl>
-			HTML,
-			$row_replacements
-		);
+			HTML
+		)->bind( $row_replacements )->render();
 
 		$expected =
 			<<<'HTML'
@@ -564,20 +556,20 @@ public function test_nested_templates_in_definition_list() {
 	 * @ticket 60229
 	 *
 	 * @covers ::from
+	 * @covers ::bind
 	 * @covers ::render
-	 * @covers ::sprintf
 	 */
 	public function test_table_templates_not_yet_supported() {
 		$this->markTestSkipped( 'IN TABLE templates are not supported yet.' );
-		$header_tpl = WP_HTML_Template::from(
-			'<tr><th></% ID ><th></% name ><th></% value ><th></% link >',
-			array(
-				'ID'    => 'ID',
-				'name'  => 'Name',
-				'value' => 'Value',
-				'link'  => 'Link',
-			)
-		);
+		$header_tpl = WP_HTML_Template::from( '<tr><th></% ID ><th></% name ><th></% value ><th></% link >' )
+			->bind(
+				array(
+					'ID'    => 'ID',
+					'name'  => 'Name',
+					'value' => 'Value',
+					'link'  => 'Link',
+				)
+			);
 		$row_tpl    = WP_HTML_Template::from( '<tr><td></% ID ><td></% name ><td></% value ><td></% link >' );
 
 		$row_gen = ( function () {
@@ -585,18 +577,18 @@ public function test_table_templates_not_yet_supported() {
 			yield array(
 				'ID'    => $i,
 				'name'  => 'Name {$i}',
-				'value' => WP_HTML_Template::from( 'Value <b>{$i}</b>', array( 'i' => $i ) ),
-				'link'  => WP_HTML_Template::from(
-					'<a href="</%url>"></%link-name></a>',
-					array(
-						'url'       => '/example/1',
-						'link-name' => 'Click here',
+				'value' => WP_HTML_Template::from( 'Value <b>{$i}</b>' )->bind( array( 'i' => $i ) ),
+				'link'  => WP_HTML_Template::from( '<a href="</%url>"></%link-name></a>' )
+					->bind(
+						array(
+							'url'       => '/example/1',
+							'link-name' => 'Click here',
+						)
 					),
-				),
 			);
 		} )();
 
-		$result = WP_HTML_Template::sprintf(
+		$result = WP_HTML_Template::from(
 			<<<'HTML'
 			<table>
 			<thead></%header>
@@ -604,14 +596,15 @@ public function test_table_templates_not_yet_supported() {
 			</%row-1>
 			</%row-2>
 			</%row-3>
-			HTML,
+			HTML
+		)->bind(
 			array(
 				'header' => $header_tpl,
-				'row-1'  => $row_tpl->render( $row_gen->next() ),
-				'row-2'  => $row_tpl->render( $row_gen->next() ),
-				'row-3'  => $row_tpl->render( $row_gen->next() ),
+				'row-1'  => $row_tpl->bind( $row_gen->next() ),
+				'row-2'  => $row_tpl->bind( $row_gen->next() ),
+				'row-3'  => $row_tpl->bind( $row_gen->next() ),
 			)
-		);
+		)->render();
 
 		$expected =
 			<<<'HTML'
@@ -630,13 +623,11 @@ public function test_table_templates_not_yet_supported() {
 	 * @dataProvider data_atomic_element_attributes
 	 *
 	 * @covers ::from
+	 * @covers ::bind
 	 * @covers ::render
-	 * @covers ::sprintf
 	 */
 	public function test_atomic_element_attributes_are_replaced( string $template_string, array $replacements, string $expected ) {
-		$t      = T::from( $template_string );
-		$result = $t->render( $replacements );
-		$this->assertSame( $result, T::sprintf( $template_string, $replacements ) );
+		$result = T::from( $template_string )->bind( $replacements )->render();
 		$this->assertSame( $expected, $result );
 	}
 
@@ -675,47 +666,43 @@ public static function data_atomic_element_attributes() {
 	 * - RCDATA elements (TITLE, TEXTAREA): Content is processed but placeholders are not
 	 *   recognized - they're treated as literal text and HTML-escaped.
 	 *
+	 * With strict validation, providing a replacement for a placeholder that won't be
+	 * processed (inside SCRIPT/STYLE/TITLE/TEXTAREA) is an unused key error.
+	 *
 	 * @ticket 60229
 	 *
 	 * @dataProvider data_atomic_element_content_placeholders
 	 *
 	 * @covers ::from
 	 * @covers ::render
-	 * @covers ::sprintf
 	 */
-	public function test_special_element_content_placeholder_behavior( string $template_string, array $replacements, string $expected ) {
-		$t      = T::from( $template_string );
-		$result = $t->render( $replacements );
-		$this->assertSame( $result, T::sprintf( $template_string, $replacements ) );
+	public function test_special_element_content_placeholder_behavior( string $template_string, string $expected ) {
+		$result = T::from( $template_string )->render();
 		$this->assertSame( $expected, $result );
 	}
 
 	public static function data_atomic_element_content_placeholders() {
 		return array(
 			// RAWTEXT elements (SCRIPT, STYLE): Content is truly skipped, placeholders preserved literally.
-			'SCRIPT content placeholder ignored'          => array(
+			'SCRIPT content placeholder preserved'        => array(
 				'<script>var x = "</%name>";</script>',
-				array( 'name' => 'SHOULD NOT APPEAR' ),
 				'<script>var x = "</%name>";</script>',
 			),
 
-			'STYLE content placeholder ignored'           => array(
+			'STYLE content placeholder preserved'         => array(
 				'<style>.foo { content: "</%content>"; }</style>',
-				array( 'content' => 'SHOULD NOT APPEAR' ),
 				'<style>.foo { content: "</%content>"; }</style>',
 			),
 
 			// RCDATA elements (TITLE, TEXTAREA): Content is processed but placeholder
 			// patterns are not recognized - they're treated as literal text and escaped.
-			'TITLE content placeholder not recognized'    => array(
+			'TITLE content placeholder escaped'           => array(
 				'<title>Hello </%name></title>',
-				array( 'name' => 'SHOULD NOT APPEAR' ),
 				'<title>Hello &lt;/%name&gt;</title>',
 			),
 
-			'TEXTAREA content placeholder not recognized' => array(
+			'TEXTAREA content placeholder escaped'        => array(
 				'<textarea></%placeholder></textarea>',
-				array( 'placeholder' => 'SHOULD NOT APPEAR' ),
 				'<textarea>&lt;/%placeholder&gt;</textarea>',
 			),
 		);
@@ -732,13 +719,11 @@ public static function data_atomic_element_content_placeholders() {
 	 * @dataProvider data_pre_element_leading_newline
 	 *
 	 * @covers ::from
+	 * @covers ::bind
 	 * @covers ::render
-	 * @covers ::sprintf
 	 */
 	public function test_pre_element_leading_newline_behavior( string $template_string, array $replacements, string $expected ) {
-		$t      = T::from( $template_string );
-		$result = $t->render( $replacements );
-		$this->assertSame( $result, T::sprintf( $template_string, $replacements ) );
+		$result = T::from( $template_string )->bind( $replacements )->render();
 		$this->assertSame( $expected, $result );
 	}
 

From 4eaf11dff79e51b8e12cd67d52484b67e02457f1 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Wed, 4 Feb 2026 22:10:26 +0100
Subject: [PATCH 25/66] Add placeholder compilation skeleton to
 WP_HTML_Template

Add $compiled property and get_placeholders() accessor. The compile()
method is stubbed and will be implemented to extract placeholder
positions, lengths, and contexts from the template.
---
 .../html-api/class-wp-html-template.php       | 38 +++++++++++++++++++
 .../phpunit/tests/html-api/wpHtmlTemplate.php | 18 +++++++++
 2 files changed, 56 insertions(+)

diff --git a/src/wp-includes/html-api/class-wp-html-template.php b/src/wp-includes/html-api/class-wp-html-template.php
index ce471ff57ebfd..100779c590b2d 100644
--- a/src/wp-includes/html-api/class-wp-html-template.php
+++ b/src/wp-includes/html-api/class-wp-html-template.php
@@ -19,6 +19,44 @@ class WP_HTML_Template {
 
 	private array $replacements = array();
 
+	/**
+	 * Compiled placeholder metadata.
+	 *
+	 * Array of placeholder_name => array with keys:
+	 * - 'offsets': array of [start, length] pairs for each occurrence
+	 * - 'context': 'text' or 'attribute' (attribute takes precedence)
+	 *
+	 * @since 7.0.0
+	 * @var array|null
+	 */
+	private ?array $compiled = null;
+
+	/**
+	 * Returns the compiled placeholder metadata.
+	 *
+	 * Triggers compilation if not already done.
+	 *
+	 * @since 7.0.0
+	 *
+	 * @return array Associative array of placeholder_name => metadata.
+	 */
+	public function get_placeholders(): array {
+		$this->compile();
+		return $this->compiled;
+	}
+
+	/**
+	 * Compiles the template to extract placeholder metadata.
+	 *
+	 * @since 7.0.0
+	 */
+	private function compile(): void {
+		if ( null !== $this->compiled ) {
+			return;
+		}
+		$this->compiled = array();
+	}
+
 	private function __construct( string $template_string, array $replacements ) {
 		$this->template_string = $template_string;
 		$this->replacements    = $replacements;
diff --git a/tests/phpunit/tests/html-api/wpHtmlTemplate.php b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
index a9e9f1f060445..ba5971bde45c3 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTemplate.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
@@ -754,4 +754,22 @@ public static function data_pre_element_leading_newline() {
 			),
 		);
 	}
+
+	/**
+	 * Verifies that get_placeholders returns placeholder metadata.
+	 *
+	 * @ticket 60229
+	 *
+	 * @covers ::get_placeholders
+	 */
+	public function test_get_placeholders_returns_metadata() {
+		$template = T::from( '<p class="</%class>"></%content></p>' );
+
+		$placeholders = $template->get_placeholders();
+
+		$this->assertArrayHasKey( 'class', $placeholders );
+		$this->assertArrayHasKey( 'content', $placeholders );
+		$this->assertSame( 'attribute', $placeholders['class']['context'] );
+		$this->assertSame( 'text', $placeholders['content']['context'] );
+	}
 }

From 8229efa1b640049f0ab68b9f21f1bcebb0ae6640 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Wed, 4 Feb 2026 22:14:44 +0100
Subject: [PATCH 26/66] Implement text placeholder extraction in compile()

Parse funky comments (</%name>) to extract text placeholders. Store
each placeholder's offsets (start position and length) and context.
Repeated placeholders are captured as multiple offset entries.
---
 .../html-api/class-wp-html-template.php       | 56 +++++++++++++++++++
 .../phpunit/tests/html-api/wpHtmlTemplate.php | 37 ++++++++++++
 2 files changed, 93 insertions(+)

diff --git a/src/wp-includes/html-api/class-wp-html-template.php b/src/wp-includes/html-api/class-wp-html-template.php
index 100779c590b2d..394d8d5c446be 100644
--- a/src/wp-includes/html-api/class-wp-html-template.php
+++ b/src/wp-includes/html-api/class-wp-html-template.php
@@ -48,13 +48,69 @@ public function get_placeholders(): array {
 	/**
 	 * Compiles the template to extract placeholder metadata.
 	 *
+	 * Parses the template once and caches placeholder positions, lengths,
+	 * and contexts. If a placeholder appears in both text and attribute
+	 * contexts, the attribute context takes precedence (more restrictive).
+	 *
 	 * @since 7.0.0
 	 */
 	private function compile(): void {
 		if ( null !== $this->compiled ) {
 			return;
 		}
+
 		$this->compiled = array();
+
+		$processor = new class( $this->template_string ) extends WP_HTML_Tag_Processor {
+			public function get_html(): string {
+				return $this->html;
+			}
+
+			public function get_bookmark( string $name ) {
+				return $this->bookmarks[ $name ] ?? null;
+			}
+
+			public function get_tag_attributes(): array {
+				return $this->attributes;
+			}
+		};
+
+		while ( $processor->next_token() ) {
+			switch ( $processor->get_token_type() ) {
+				case '#funky-comment':
+					$processor->set_bookmark( 'placeholder' );
+					$mark = $processor->get_bookmark( 'placeholder' );
+					if ( null === $mark ) {
+						break;
+					}
+
+					$start  = $mark->start;
+					$length = $mark->length;
+					$html   = $processor->get_html();
+
+					// Must be at least `</%x>` (5 chars) and start with `</%`
+					if ( $length < 5 || '%' !== $html[ $start + 2 ] ) {
+						break;
+					}
+
+					$placeholder = trim( substr( $html, $start + 3, $length - 4 ), " \t\n\r\f" );
+
+					// Valid placeholders match `/[a-z0-9_-]+/i`
+					if ( strlen( $placeholder ) !== strspn( $placeholder, 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-' ) ) {
+						break;
+					}
+
+					if ( ! isset( $this->compiled[ $placeholder ] ) ) {
+						$this->compiled[ $placeholder ] = array(
+							'offsets' => array(),
+							'context' => 'text',
+						);
+					}
+
+					$this->compiled[ $placeholder ]['offsets'][] = array( $start, $length );
+					break;
+			}
+		}
 	}
 
 	private function __construct( string $template_string, array $replacements ) {
diff --git a/tests/phpunit/tests/html-api/wpHtmlTemplate.php b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
index ba5971bde45c3..811f47debe97b 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTemplate.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
@@ -772,4 +772,41 @@ public function test_get_placeholders_returns_metadata() {
 		$this->assertSame( 'attribute', $placeholders['class']['context'] );
 		$this->assertSame( 'text', $placeholders['content']['context'] );
 	}
+
+	/**
+	 * Verifies text placeholders are extracted with correct offsets.
+	 *
+	 * @ticket 60229
+	 *
+	 * @covers ::get_placeholders
+	 */
+	public function test_extracts_text_placeholders_with_offsets() {
+		$template = T::from( '<p></%name></p>' );
+
+		$placeholders = $template->get_placeholders();
+
+		$this->assertArrayHasKey( 'name', $placeholders );
+		$this->assertSame( 'text', $placeholders['name']['context'] );
+		$this->assertCount( 1, $placeholders['name']['offsets'] );
+		// <p> is 3 chars, so </%name> starts at offset 3
+		$this->assertSame( 3, $placeholders['name']['offsets'][0][0] );
+		// </%name> is 8 chars
+		$this->assertSame( 8, $placeholders['name']['offsets'][0][1] );
+	}
+
+	/**
+	 * Verifies repeated text placeholders are captured.
+	 *
+	 * @ticket 60229
+	 *
+	 * @covers ::get_placeholders
+	 */
+	public function test_extracts_repeated_text_placeholders() {
+		$template = T::from( '<p></%name> and </%name></p>' );
+
+		$placeholders = $template->get_placeholders();
+
+		$this->assertArrayHasKey( 'name', $placeholders );
+		$this->assertCount( 2, $placeholders['name']['offsets'] );
+	}
 }

From ca24391eda32ae4da0c8b75b3f26072abba0a157 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Wed, 4 Feb 2026 22:16:15 +0100
Subject: [PATCH 27/66] Add attribute placeholder extraction with context
 promotion

Extract placeholders from attribute values using regex. When a
placeholder appears in both text and attribute contexts, promote
to attribute context (more restrictive escaping applies everywhere).
---
 .../html-api/class-wp-html-template.php       | 50 +++++++++++++++++++
 .../phpunit/tests/html-api/wpHtmlTemplate.php | 39 +++++++++++++++
 2 files changed, 89 insertions(+)

diff --git a/src/wp-includes/html-api/class-wp-html-template.php b/src/wp-includes/html-api/class-wp-html-template.php
index 394d8d5c446be..0a0aed9c8eef2 100644
--- a/src/wp-includes/html-api/class-wp-html-template.php
+++ b/src/wp-includes/html-api/class-wp-html-template.php
@@ -109,6 +109,56 @@ public function get_tag_attributes(): array {
 
 					$this->compiled[ $placeholder ]['offsets'][] = array( $start, $length );
 					break;
+
+				case '#tag':
+					if ( $processor->is_tag_closer() ) {
+						break;
+					}
+
+					$html = $processor->get_html();
+					foreach ( $processor->get_tag_attributes() as $attribute ) {
+						// Boolean attributes cannot contain placeholders.
+						if ( $attribute->is_true ) {
+							continue;
+						}
+						// At least `</%x>` to contain a placeholder.
+						if ( $attribute->value_length < 5 ) {
+							continue;
+						}
+
+						$offset = $attribute->value_starts_at;
+						$end    = $offset + $attribute->value_length;
+
+						while (
+							1 === preg_match(
+								'#</%[ \\t\\r\\f\\n]*([a-z0-9_-]+)[ \\t\\r\\f\\n]*>#i',
+								$html,
+								$matches,
+								PREG_OFFSET_CAPTURE,
+								$offset
+							)
+							&& $matches[0][1] < $end
+						) {
+							$placeholder  = $matches[1][0];
+							$match_start  = $matches[0][1];
+							$match_length = strlen( $matches[0][0] );
+
+							if ( ! isset( $this->compiled[ $placeholder ] ) ) {
+								$this->compiled[ $placeholder ] = array(
+									'offsets' => array(),
+									'context' => 'attribute',
+								);
+							} else {
+								// Promote text context to attribute context.
+								$this->compiled[ $placeholder ]['context'] = 'attribute';
+							}
+
+							$this->compiled[ $placeholder ]['offsets'][] = array( $match_start, $match_length );
+
+							$offset = $match_start + $match_length;
+						}
+					}
+					break;
 			}
 		}
 	}
diff --git a/tests/phpunit/tests/html-api/wpHtmlTemplate.php b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
index 811f47debe97b..3706d390dd087 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTemplate.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
@@ -809,4 +809,43 @@ public function test_extracts_repeated_text_placeholders() {
 		$this->assertArrayHasKey( 'name', $placeholders );
 		$this->assertCount( 2, $placeholders['name']['offsets'] );
 	}
+
+	/**
+	 * Verifies attribute placeholders are extracted.
+	 *
+	 * @ticket 60229
+	 *
+	 * @covers ::get_placeholders
+	 */
+	public function test_extracts_attribute_placeholders() {
+		$template = T::from( '<meta name="</%n>" content="</%c>">' );
+
+		$placeholders = $template->get_placeholders();
+
+		$this->assertArrayHasKey( 'n', $placeholders );
+		$this->assertArrayHasKey( 'c', $placeholders );
+		$this->assertSame( 'attribute', $placeholders['n']['context'] );
+		$this->assertSame( 'attribute', $placeholders['c']['context'] );
+	}
+
+	/**
+	 * Verifies context promotion from text to attribute.
+	 *
+	 * When a placeholder appears in both text and attribute contexts,
+	 * the attribute context takes precedence (more restrictive escaping).
+	 *
+	 * @ticket 60229
+	 *
+	 * @covers ::get_placeholders
+	 */
+	public function test_context_promotion_text_to_attribute() {
+		$template = T::from( '<a href="</%url>"></%url></a>' );
+
+		$placeholders = $template->get_placeholders();
+
+		$this->assertArrayHasKey( 'url', $placeholders );
+		// Both occurrences should use attribute context
+		$this->assertSame( 'attribute', $placeholders['url']['context'] );
+		$this->assertCount( 2, $placeholders['url']['offsets'] );
+	}
 }

From 49978d443d15ff87176a1ce05989e5e845b113bd Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Wed, 4 Feb 2026 22:20:23 +0100
Subject: [PATCH 28/66] Add validation warnings to bind()

Trigger _doing_it_wrong() for:
- Missing replacement keys (placeholder without value)
- Unused replacement keys (value without placeholder)
- Template values in attribute context

Share compiled data between original and bound template instances
for efficiency.
---
 .../html-api/class-wp-html-template.php       | 87 ++++++++++++++++++-
 .../phpunit/tests/html-api/wpHtmlTemplate.php | 44 ++++++++++
 2 files changed, 130 insertions(+), 1 deletion(-)

diff --git a/src/wp-includes/html-api/class-wp-html-template.php b/src/wp-includes/html-api/class-wp-html-template.php
index 0a0aed9c8eef2..7c9884904f48d 100644
--- a/src/wp-includes/html-api/class-wp-html-template.php
+++ b/src/wp-includes/html-api/class-wp-html-template.php
@@ -183,13 +183,98 @@ public static function from( string $template ): static {
 	/**
 	 * Returns a new immutable instance with replacements bound.
 	 *
+	 * Triggers compilation if not already done. Validates replacements:
+	 * - Warns if a placeholder has no corresponding replacement
+	 * - Warns if a replacement key has no corresponding placeholder
+	 * - Warns if a template is used in attribute context
+	 *
 	 * @since 7.0.0
 	 *
 	 * @param array $replacements The replacement values.
 	 * @return static A new template instance with the replacements bound.
 	 */
 	public function bind( array $replacements ): static {
-		return new static( $this->template_string, $replacements );
+		$this->compile();
+
+		// Build a lookup of placeholder keys from compiled data.
+		$placeholder_keys = array();
+		foreach ( $this->compiled as $placeholder => $info ) {
+			$placeholder = (string) $placeholder;
+			$placeholder_keys[ $placeholder ] = true;
+			if ( ctype_digit( $placeholder ) ) {
+				$placeholder_keys[ (int) $placeholder ] = true;
+			}
+		}
+
+		// Build a lookup of replacement keys.
+		$replacement_keys = array();
+		foreach ( $replacements as $key => $value ) {
+			$replacement_keys[ (string) $key ] = true;
+			if ( is_int( $key ) ) {
+				$replacement_keys[ $key ] = true;
+			}
+		}
+
+		// Check for missing keys (placeholder without replacement).
+		foreach ( $this->compiled as $placeholder => $info ) {
+			$placeholder = (string) $placeholder;
+			$found       = isset( $replacement_keys[ $placeholder ] );
+			if ( ! $found && ctype_digit( $placeholder ) ) {
+				$found = isset( $replacement_keys[ (int) $placeholder ] ) || array_key_exists( (int) $placeholder, $replacements );
+			}
+			if ( ! $found ) {
+				_doing_it_wrong(
+					__METHOD__,
+					sprintf(
+						'Missing replacement for placeholder: %s',
+						$placeholder
+					),
+					'7.0.0'
+				);
+			}
+		}
+
+		// Check for unused keys (replacement without placeholder).
+		foreach ( $replacements as $key => $value ) {
+			$str_key = (string) $key;
+			$found   = isset( $placeholder_keys[ $key ] ) || isset( $placeholder_keys[ $str_key ] );
+			if ( ! $found ) {
+				_doing_it_wrong(
+					__METHOD__,
+					sprintf(
+						'Unused replacement key: %s',
+						$key
+					),
+					'7.0.0'
+				);
+			}
+		}
+
+		// Check for templates in attribute context.
+		foreach ( $this->compiled as $placeholder => $info ) {
+			$placeholder = (string) $placeholder;
+			if ( 'attribute' !== $info['context'] ) {
+				continue;
+			}
+
+			$key   = ctype_digit( $placeholder ) ? (int) $placeholder : $placeholder;
+			$value = $replacements[ $key ] ?? $replacements[ $placeholder ] ?? null;
+
+			if ( $value instanceof self ) {
+				_doing_it_wrong(
+					__METHOD__,
+					sprintf(
+						'Template cannot be used in attribute context: %s',
+						$placeholder
+					),
+					'7.0.0'
+				);
+			}
+		}
+
+		$new = new static( $this->template_string, $replacements );
+		$new->compiled = $this->compiled;
+		return $new;
 	}
 
 	/**
diff --git a/tests/phpunit/tests/html-api/wpHtmlTemplate.php b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
index 3706d390dd087..c71e8284c2133 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTemplate.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
@@ -135,6 +135,8 @@ public function test_escapes_ampersand_to_prevent_character_reference_injection(
 	 * @covers ::from
 	 * @covers ::bind
 	 * @covers ::render
+	 *
+	 * @expectedIncorrectUsage WP_HTML_Template::bind
 	 */
 	public function test_rejects_nested_template_in_attribute_value() {
 		$template_string = '<meta name="not-allowed" description="</%html>">';
@@ -755,6 +757,48 @@ public static function data_pre_element_leading_newline() {
 		);
 	}
 
+	/**
+	 * Verifies bind() warns on missing replacement key.
+	 *
+	 * @ticket 60229
+	 *
+	 * @covers ::bind
+	 *
+	 * @expectedIncorrectUsage WP_HTML_Template::bind
+	 */
+	public function test_bind_warns_on_missing_key() {
+		$template = T::from( '<p></%name> </%age></p>' );
+		$template->bind( array( 'name' => 'Alice' ) );
+	}
+
+	/**
+	 * Verifies bind() warns on unused replacement key.
+	 *
+	 * @ticket 60229
+	 *
+	 * @covers ::bind
+	 *
+	 * @expectedIncorrectUsage WP_HTML_Template::bind
+	 */
+	public function test_bind_warns_on_unused_key() {
+		$template = T::from( '<p></%name></p>' );
+		$template->bind( array( 'name' => 'Alice', 'extra' => 'ignored' ) );
+	}
+
+	/**
+	 * Verifies bind() warns when template used in attribute context.
+	 *
+	 * @ticket 60229
+	 *
+	 * @covers ::bind
+	 *
+	 * @expectedIncorrectUsage WP_HTML_Template::bind
+	 */
+	public function test_bind_warns_on_template_in_attribute_context() {
+		$template = T::from( '<meta content="</%html>">' );
+		$template->bind( array( 'html' => T::from( '<b>nested</b>' ) ) );
+	}
+
 	/**
 	 * Verifies that get_placeholders returns placeholder metadata.
 	 *

From d56435e56708345ebd6efe2fda6be0b04e89c6bd Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Wed, 4 Feb 2026 23:07:20 +0100
Subject: [PATCH 29/66] Refactor render() to use compiled placeholder data

Replace inline parsing with a render loop that uses pre-compiled
placeholder metadata. Track text normalizations and attribute text
segments during compilation. Apply all updates from end to start
using substr_replace() to preserve positions.

This completes the lazy compilation refactor: compile once on first
use, then reuse cached metadata for subsequent bind/render calls.
---
 .../html-api/class-wp-html-template.php       | 371 +++++++-----------
 1 file changed, 132 insertions(+), 239 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-template.php b/src/wp-includes/html-api/class-wp-html-template.php
index 7c9884904f48d..04d0841ce5722 100644
--- a/src/wp-includes/html-api/class-wp-html-template.php
+++ b/src/wp-includes/html-api/class-wp-html-template.php
@@ -31,6 +31,28 @@ class WP_HTML_Template {
 	 */
 	private ?array $compiled = null;
 
+	/**
+	 * Text normalizations discovered during compilation.
+	 *
+	 * Array of [start, length, normalized_text] tuples for #text tokens
+	 * whose serialized form differs from the original HTML.
+	 *
+	 * @since 7.0.0
+	 * @var array
+	 */
+	private array $text_normalizations = array();
+
+	/**
+	 * Attribute text segments needing escaping.
+	 *
+	 * Array of [start, length] pairs for text between/before placeholders
+	 * within attribute values.
+	 *
+	 * @since 7.0.0
+	 * @var array
+	 */
+	private array $attr_escapes = array();
+
 	/**
 	 * Returns the compiled placeholder metadata.
 	 *
@@ -59,7 +81,9 @@ private function compile(): void {
 			return;
 		}
 
-		$this->compiled = array();
+		$this->compiled            = array();
+		$this->text_normalizations = array();
+		$this->attr_escapes        = array();
 
 		$processor = new class( $this->template_string ) extends WP_HTML_Tag_Processor {
 			public function get_html(): string {
@@ -77,6 +101,29 @@ public function get_tag_attributes(): array {
 
 		while ( $processor->next_token() ) {
 			switch ( $processor->get_token_type() ) {
+				/*
+				 * Track text normalizations to prevent something like
+				 * `a<</%tag-name>u` from becoming `a<i>u` after replacement.
+				 */
+				case '#text':
+					$processor->set_bookmark( 'text' );
+					$mark = $processor->get_bookmark( 'text' );
+					if ( null === $mark ) {
+						break;
+					}
+					$normalized = $processor->serialize_token();
+					/*
+					 * Compare using substr_compare with min length to match
+					 * the original behavior: when serialize_token() returns
+					 * empty (e.g. leading newline after <pre>), the comparison
+					 * length is 0, which always matches. This leaves the text
+					 * unchanged for normalize() to handle at the end.
+					 */
+					if ( 0 !== substr_compare( $processor->get_html(), $normalized, $mark->start, min( $mark->length, strlen( $normalized ) ) ) ) {
+						$this->text_normalizations[] = array( $mark->start, $mark->length, $normalized );
+					}
+					break;
+
 				case '#funky-comment':
 					$processor->set_bookmark( 'placeholder' );
 					$mark = $processor->get_bookmark( 'placeholder' );
@@ -126,8 +173,9 @@ public function get_tag_attributes(): array {
 							continue;
 						}
 
-						$offset = $attribute->value_starts_at;
-						$end    = $offset + $attribute->value_length;
+						$last_offset = $attribute->value_starts_at;
+						$offset      = $attribute->value_starts_at;
+						$end         = $offset + $attribute->value_length;
 
 						while (
 							1 === preg_match(
@@ -143,6 +191,11 @@ public function get_tag_attributes(): array {
 							$match_start  = $matches[0][1];
 							$match_length = strlen( $matches[0][0] );
 
+							// Track text segment before this placeholder for escaping.
+							if ( $match_start > $last_offset ) {
+								$this->attr_escapes[] = array( $last_offset, $match_start - $last_offset );
+							}
+
 							if ( ! isset( $this->compiled[ $placeholder ] ) ) {
 								$this->compiled[ $placeholder ] = array(
 									'offsets' => array(),
@@ -155,7 +208,8 @@ public function get_tag_attributes(): array {
 
 							$this->compiled[ $placeholder ]['offsets'][] = array( $match_start, $match_length );
 
-							$offset = $match_start + $match_length;
+							$last_offset = $match_start + $match_length;
+							$offset      = $last_offset;
 						}
 					}
 					break;
@@ -273,13 +327,20 @@ public function bind( array $replacements ): static {
 		}
 
 		$new = new static( $this->template_string, $replacements );
-		$new->compiled = $this->compiled;
+		$new->compiled            = $this->compiled;
+		$new->text_normalizations = $this->text_normalizations;
+		$new->attr_escapes        = $this->attr_escapes;
 		return $new;
 	}
 
 	/**
 	 * Renders the template to an HTML string.
 	 *
+	 * Uses pre-compiled placeholder metadata to perform replacements
+	 * without re-parsing. Collects all updates (placeholder replacements,
+	 * text normalizations, attribute text escaping) and applies them
+	 * from end to start using substr_replace() to preserve positions.
+	 *
 	 * Returns false on any error:
 	 * - Missing replacement key (placeholder without corresponding replacement)
 	 * - Unused replacement key (replacement without corresponding placeholder)
@@ -291,263 +352,95 @@ public function bind( array $replacements ): static {
 	 * @return string|false The rendered HTML, or false on error.
 	 */
 	public function render(): string|false {
+		$this->compile();
+
 		if ( empty( $this->replacements ) ) {
 			return WP_HTML_Processor::normalize( $this->template_string ) ?? $this->template_string;
 		}
 
-		$used_keys      = array();
-		$processor      = new class( $this->template_string ) extends WP_HTML_Tag_Processor {
-			/**
-			 * Returns the HTML string being processed.
-			 *
-			 * @return string The HTML string.
-			 */
-			public function get_html(): string {
-				return $this->html;
-			}
+		$escape_map = array(
+			'&' => '&amp;',
+			'<' => '&lt;',
+			'>' => '&gt;',
+			"'" => '&apos;',
+			'"' => '&quot;',
+		);
 
-			/**
-			 * Returns a bookmark by name.
-			 *
-			 * @param string $name The bookmark name.
-			 * @return WP_HTML_Span|null The bookmark span, or null if not found.
-			 */
-			public function get_bookmark( string $name ) {
-				return $this->bookmarks[ $name ] ?? null;
-			}
+		$html      = $this->template_string;
+		$used_keys = array();
 
-			/**
-			 * Returns the tag attributes array.
-			 *
-			 * @return array The attributes array.
-			 */
-			public function get_tag_attributes(): array {
-				return $this->attributes;
-			}
+		/*
+		 * Collect all updates as [start, length, replacement_text] tuples.
+		 */
+		$updates = array();
 
-			/**
-			 * Adds a lexical update.
-			 *
-			 * @param WP_HTML_Text_Replacement $update The text replacement to add.
-			 */
-			public function add_lexical_update( WP_HTML_Text_Replacement $update ): void {
-				$this->lexical_updates[] = $update;
-			}
-		};
-		$error_occurred = false;
-
-		while ( $processor->next_token() ) {
-			switch ( $processor->get_token_type() ) {
-				/*
-				 * It's important that #text be normalized to prevent something like
-				 * `i<</%tag-name>u` from becoming `i<a>u` after replacement and altering HTML.
-				 */
-				case '#text':
-					$processor->set_bookmark( 'text' );
-					$mark = $processor->get_bookmark( 'text' );
-					assert( null !== $mark );
-					$normalized = $processor->serialize_token();
-					if ( 0 !== substr_compare( $processor->get_html(), $normalized, $mark->start, min( $mark->length, strlen( $normalized ) ) ) ) {
-						$processor->add_lexical_update(
-							new WP_HTML_Text_Replacement(
-								$mark->start,
-								$mark->length,
-								$normalized
-							)
-						);
-					}
-					break;
-
-				case '#funky-comment':
-					// Does it look like a placeholder?
-					$processor->set_bookmark( 'placeholder' );
-					$mark = $processor->get_bookmark( 'placeholder' );
-					assert( null !== $mark );
-					// A funky comment looks at least like </%…>
-					$start  = $mark->start;
-					$length = $mark->length;
-					$html   = $processor->get_html();
-					// This is not the funky comment we're looking for.
-					if ( $length < 5 || ! $html[ $start + 2 ] === '%' ) {
-						break;
-					}
-					$placeholder = trim( \substr( $html, $start + 3, $length - 4 ), " \t\n\r\f" );
-
-					// Valid placeholders match `/a-z0-9_-/i`.
-					if ( \strlen( $placeholder ) !== \strspn( $placeholder, 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-' ) ) {
-						break;
-					}
-
-					$replacement = $this->get_replacement( $placeholder, $used_keys );
-					if ( null === $replacement ) {
-						$error_occurred = true;
-						break;
-					}
-					if ( \is_string( $replacement ) ) {
-						$processor->add_lexical_update(
-							new WP_HTML_Text_Replacement(
-								$start,
-								$length,
-								strtr(
-									$replacement,
-									array(
-										'<' => '&lt;',
-										'>' => '&gt;',
-										"'" => '&apos;',
-										'"' => '&quot;',
-										'&' => '&amp;',
-									)
-								)
-							)
-						);
-					} elseif ( $replacement instanceof WP_HTML_Template ) {
-						$rendered = $replacement->render();
-						if ( false === $rendered ) {
-							$error_occurred = true;
-							break;
-						}
-						$processor->add_lexical_update(
-							new WP_HTML_Text_Replacement(
-								$start,
-								$length,
-								$rendered
-							)
-						);
-					}
-					break;
-
-				case '#tag':
-					if ( $processor->is_tag_closer() ) {
-						break;
-					}
-
-					$html = $processor->get_html();
-					foreach ( $processor->get_tag_attributes() as $attribute ) {
-						// Boolean attributes cannot contain placeholders.
-						if ( $attribute->is_true ) {
-							continue;
-						}
-						// At least `</%x>` to contain a placeholder.
-						if ( $attribute->value_length < 5 ) {
-							continue;
-						}
+		// 1. Placeholder replacements.
+		foreach ( $this->compiled as $placeholder => $info ) {
+			$placeholder = (string) $placeholder;
 
-						$last_offset = $attribute->value_starts_at;
-						$offset      = $attribute->value_starts_at;
-						$end         = $offset + $attribute->value_length;
-						/**
-						 * @todo preg_match does not accept length, so this will happily search
-						 * beyond the attribute value.
-						 */
-						while (
-							1 === preg_match(
-								'#</%[ \\t\\r\\f\\n]*([a-z0-9_-]+)[ \\t\\r\\f\\n]*>#i',
-								$html,
-								$matches,
-								PREG_OFFSET_CAPTURE,
-								$offset
-							)
-							&& $matches[0][1] < $end
-						) {
-							$replacement = $this->get_replacement( $matches[1][0], $used_keys );
-							if ( null === $replacement ) {
-								$error_occurred = true;
-								break 2; // Break out of while and foreach.
-							}
-							if ( is_string( $replacement ) ) {
-								$match_at     = $matches[0][1];
-								$match_length = strlen( $matches[0][0] );
-
-								// Capture and clean the preceding attribute text.
-								$processor->add_lexical_update(
-									new WP_HTML_Text_Replacement(
-										$last_offset,
-										$match_at - $last_offset,
-										strtr(
-											substr( $html, $last_offset, $match_at - $last_offset ),
-											array(
-												'<' => '&lt;',
-												'>' => '&gt;',
-												"'" => '&apos;',
-												'"' => '&quot;',
-												'&' => '&amp;',
-											)
-										)
-									)
-								);
+			// Look up the replacement value.
+			if ( array_key_exists( $placeholder, $this->replacements ) ) {
+				$key = $placeholder;
+			} elseif ( ctype_digit( $placeholder ) && array_key_exists( (int) $placeholder, $this->replacements ) ) {
+				$key = (int) $placeholder;
+			} else {
+				return false;
+			}
 
-								$processor->add_lexical_update(
-									new WP_HTML_Text_Replacement(
-										$match_at,
-										strlen( $matches[0][0] ),
-										strtr(
-											$replacement,
-											array(
-												'<' => '&lt;',
-												'>' => '&gt;',
-												"'" => '&apos;',
-												'"' => '&quot;',
-												'&' => '&amp;',
-											)
-										)
-									)
-								);
-								$last_offset = $match_at + $match_length;
-							} elseif ( $replacement instanceof self ) {
-								// Template in attribute context is an error.
-								return false;
-							}
+			$used_keys[ $key ] = true;
+			$value             = $this->replacements[ $key ];
 
-							$offset = $matches[0][1] + strlen( $matches[0][0] );
-						}
-					}
+			if ( $value instanceof self ) {
+				// Templates in attribute context are an error.
+				if ( 'attribute' === $info['context'] ) {
+					return false;
+				}
+
+				$rendered = $value->render();
+				if ( false === $rendered ) {
+					return false;
+				}
+
+				foreach ( $info['offsets'] as list( $start, $length ) ) {
+					$updates[] = array( $start, $length, $rendered );
+				}
+			} elseif ( is_string( $value ) ) {
+				$escaped = strtr( $value, $escape_map );
+
+				foreach ( $info['offsets'] as list( $start, $length ) ) {
+					$updates[] = array( $start, $length, $escaped );
+				}
+			} else {
+				return false;
 			}
 		}
 
-		// Return false if any placeholder was missing a replacement.
-		if ( $error_occurred ) {
-			return false;
-		}
-
 		// Return false if any replacement key was not used.
 		if ( count( $used_keys ) !== count( $this->replacements ) ) {
 			return false;
 		}
 
-		$html = $processor->get_updated_html();
-
-		return WP_HTML_Processor::normalize( $html ) ?? $html;
-	}
+		// 2. Text normalizations.
+		foreach ( $this->text_normalizations as list( $start, $length, $normalized ) ) {
+			$updates[] = array( $start, $length, $normalized );
+		}
 
-	/**
-	 * Get the replacement value for a placeholder key.
-	 *
-	 * Handles both named keys (like 'name') and numeric keys (like 0).
-	 * Tracks which keys are used for validation.
-	 *
-	 * @since 7.0.0
-	 *
-	 * @param string $key       The placeholder key.
-	 * @param array  $used_keys Reference to array tracking used keys.
-	 * @return self|string|null The replacement value, or null if not found.
-	 */
-	private function get_replacement( string $key, array &$used_keys ): self|string|null {
-		// Try string key first, then numeric if the key looks numeric.
-		if ( array_key_exists( $key, $this->replacements ) ) {
-			$replacement = $this->replacements[ $key ];
-		} elseif ( ctype_digit( $key ) && array_key_exists( (int) $key, $this->replacements ) ) {
-			$key         = (int) $key;
-			$replacement = $this->replacements[ $key ];
-		} else {
-			return null;
+		// 3. Attribute text escaping.
+		foreach ( $this->attr_escapes as list( $start, $length ) ) {
+			$original  = substr( $html, $start, $length );
+			$updates[] = array( $start, $length, strtr( $original, $escape_map ) );
 		}
 
-		$used_keys[ $key ] = true;
+		// Sort by start position descending so replacements don't shift positions.
+		usort( $updates, static function ( $a, $b ) {
+			return $b[0] <=> $a[0];
+		} );
 
-		if ( \is_string( $replacement ) || ( $replacement instanceof WP_HTML_Template ) ) {
-			return $replacement;
+		// Apply all replacements from end to start.
+		foreach ( $updates as list( $start, $length, $replacement ) ) {
+			$html = substr_replace( $html, $replacement, $start, $length );
 		}
 
-		return null;
+		return WP_HTML_Processor::normalize( $html ) ?? $html;
 	}
 }

From 2b4bf1ae08034ad28ef57fa83015b98f4e59e0f7 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Wed, 4 Feb 2026 23:22:07 +0100
Subject: [PATCH 30/66] Fix attribute text escaping and add trailing segment
 handling

Use WP_HTML_Decoder::decode_attribute to decode static attribute text
before re-encoding, preventing double-escaping of existing character
references (e.g. &amp; staying &amp; instead of becoming &amp;amp;).

Also track trailing text segments after the last placeholder within
attribute values, not just leading/inter-placeholder segments.
---
 .../html-api/class-wp-html-template.php       | 14 ++++++-
 .../phpunit/tests/html-api/wpHtmlTemplate.php | 41 +++++++++++++++++++
 2 files changed, 53 insertions(+), 2 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-template.php b/src/wp-includes/html-api/class-wp-html-template.php
index 04d0841ce5722..6d676c92fdad0 100644
--- a/src/wp-includes/html-api/class-wp-html-template.php
+++ b/src/wp-includes/html-api/class-wp-html-template.php
@@ -211,6 +211,11 @@ public function get_tag_attributes(): array {
 							$last_offset = $match_start + $match_length;
 							$offset      = $last_offset;
 						}
+
+						// Track trailing text segment after last placeholder.
+						if ( $last_offset < $end ) {
+							$this->attr_escapes[] = array( $last_offset, $end - $last_offset );
+						}
 					}
 					break;
 			}
@@ -426,9 +431,14 @@ public function render(): string|false {
 		}
 
 		// 3. Attribute text escaping.
+		// Static text in attribute values needs escaping to prevent character
+		// reference injection (e.g. "&" + "not" = "&not;" = "¬"). Decode
+		// existing character references first, then re-encode to avoid
+		// double-escaping (e.g. "&amp;" should stay "&amp;", not become "&amp;amp;").
 		foreach ( $this->attr_escapes as list( $start, $length ) ) {
-			$original  = substr( $html, $start, $length );
-			$updates[] = array( $start, $length, strtr( $original, $escape_map ) );
+			$original = substr( $html, $start, $length );
+			$decoded  = WP_HTML_Decoder::decode_attribute( $original );
+			$updates[] = array( $start, $length, strtr( $decoded, $escape_map ) );
 		}
 
 		// Sort by start position descending so replacements don't shift positions.
diff --git a/tests/phpunit/tests/html-api/wpHtmlTemplate.php b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
index c71e8284c2133..5e1be8acb20b3 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTemplate.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
@@ -882,6 +882,47 @@ public function test_extracts_attribute_placeholders() {
 	 *
 	 * @covers ::get_placeholders
 	 */
+	/**
+	 * Verifies that static text around placeholders in attributes is escaped.
+	 *
+	 * @ticket 60229
+	 *
+	 * @covers ::from
+	 * @covers ::bind
+	 * @covers ::render
+	 */
+	public function test_escapes_static_text_around_placeholder_in_attribute() {
+		// Leading static text (prefix before placeholder)
+		$result = T::from( '<a href="/path/</%slug>">Link</a>' )
+			->bind( array( 'slug' => 'hello' ) )
+			->render();
+		$this->assertEqualHTML( '<a href="/path/hello">Link</a>', $result );
+
+		// Trailing static text (suffix after placeholder)
+		$result = T::from( '<a href="</%slug>/page">Link</a>' )
+			->bind( array( 'slug' => 'hello' ) )
+			->render();
+		$this->assertEqualHTML( '<a href="hello/page">Link</a>', $result );
+
+		// Ampersand in trailing static text must be escaped
+		$result = T::from( '<a href="</%base>&amp;extra=1">Link</a>' )
+			->bind( array( 'base' => '/search?q=test' ) )
+			->render();
+		$this->assertEqualHTML( '<a href="/search?q=test&amp;extra=1">Link</a>', $result );
+
+		// Ampersand entity in leading static text must not be double-escaped
+		$result = T::from( '<a href="/search?a=1&amp;b=</%val>">Link</a>' )
+			->bind( array( 'val' => '2' ) )
+			->render();
+		$this->assertEqualHTML( '<a href="/search?a=1&amp;b=2">Link</a>', $result );
+
+		// Character reference in trailing static text is preserved (not double-escaped)
+		$result = T::from( '<meta name="</%placeholder>&not;">' )
+			->bind( array( 'placeholder' => '' ) )
+			->render();
+		$this->assertEqualHTML( '<meta name="¬">', $result );
+	}
+
 	public function test_context_promotion_text_to_attribute() {
 		$template = T::from( '<a href="</%url>"></%url></a>' );
 

From f5f272db3bc04971da25d7388cffc7d56affa8f4 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Thu, 5 Feb 2026 11:39:09 +0100
Subject: [PATCH 31/66] Revert "Move serialize_token to tag processor class
 (for normalization of text nodes)"

This reverts commit 3fdf1887aa5836986ca1cb56791d7c3745ed5768.
---
 .../html-api/class-wp-html-processor.php      | 126 +++++++++++++++++
 .../html-api/class-wp-html-tag-processor.php  | 127 ------------------
 2 files changed, 126 insertions(+), 127 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-processor.php b/src/wp-includes/html-api/class-wp-html-processor.php
index d363e8d27484e..55f955f2c1a9a 100644
--- a/src/wp-includes/html-api/class-wp-html-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-processor.php
@@ -1311,6 +1311,132 @@ public function serialize(): ?string {
 		return $html;
 	}
 
+	/**
+	 * Serializes the currently-matched token.
+	 *
+	 * This method produces a fully-normative HTML string for the currently-matched token,
+	 * if able. If not matched at any token or if the token doesn't correspond to any HTML
+	 * it will return an empty string (for example, presumptuous end tags are ignored).
+	 *
+	 * @see static::serialize()
+	 *
+	 * @since 6.7.0
+	 * @since 6.9.0 Converted from protected to public method.
+	 *
+	 * @return string Serialization of token, or empty string if no serialization exists.
+	 */
+	public function serialize_token(): string {
+		$html       = '';
+		$token_type = $this->get_token_type();
+
+		switch ( $token_type ) {
+			case '#doctype':
+				$doctype = $this->get_doctype_info();
+				if ( null === $doctype ) {
+					break;
+				}
+
+				$html .= '<!DOCTYPE';
+
+				if ( $doctype->name ) {
+					$html .= " {$doctype->name}";
+				}
+
+				if ( null !== $doctype->public_identifier ) {
+					$quote = str_contains( $doctype->public_identifier, '"' ) ? "'" : '"';
+					$html .= " PUBLIC {$quote}{$doctype->public_identifier}{$quote}";
+				}
+				if ( null !== $doctype->system_identifier ) {
+					if ( null === $doctype->public_identifier ) {
+						$html .= ' SYSTEM';
+					}
+					$quote = str_contains( $doctype->system_identifier, '"' ) ? "'" : '"';
+					$html .= " {$quote}{$doctype->system_identifier}{$quote}";
+				}
+
+				$html .= '>';
+				break;
+
+			case '#text':
+				$html .= htmlspecialchars( $this->get_modifiable_text(), ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8' );
+				break;
+
+			// Unlike the `<>` which is interpreted as plaintext, this is ignored entirely.
+			case '#presumptuous-tag':
+				break;
+
+			case '#funky-comment':
+			case '#comment':
+				$html .= "<!--{$this->get_full_comment_text()}-->";
+				break;
+
+			case '#cdata-section':
+				$html .= "<![CDATA[{$this->get_modifiable_text()}]]>";
+				break;
+		}
+
+		if ( '#tag' !== $token_type ) {
+			return $html;
+		}
+
+		$tag_name       = str_replace( "\x00", "\u{FFFD}", $this->get_tag() );
+		$in_html        = 'html' === $this->get_namespace();
+		$qualified_name = $in_html ? strtolower( $tag_name ) : $this->get_qualified_tag_name();
+
+		if ( $this->is_tag_closer() ) {
+			$html .= "</{$qualified_name}>";
+			return $html;
+		}
+
+		$attribute_names = $this->get_attribute_names_with_prefix( '' );
+		if ( ! isset( $attribute_names ) ) {
+			$html .= "<{$qualified_name}>";
+			return $html;
+		}
+
+		$html .= "<{$qualified_name}";
+		foreach ( $attribute_names as $attribute_name ) {
+			$html .= " {$this->get_qualified_attribute_name( $attribute_name )}";
+			$value = $this->get_attribute( $attribute_name );
+
+			if ( is_string( $value ) ) {
+				$html .= '="' . htmlspecialchars( $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5 ) . '"';
+			}
+
+			$html = str_replace( "\x00", "\u{FFFD}", $html );
+		}
+
+		if ( ! $in_html && $this->has_self_closing_flag() ) {
+			$html .= ' /';
+		}
+
+		$html .= '>';
+
+		// Flush out self-contained elements.
+		if ( $in_html && in_array( $tag_name, array( 'IFRAME', 'NOEMBED', 'NOFRAMES', 'SCRIPT', 'STYLE', 'TEXTAREA', 'TITLE', 'XMP' ), true ) ) {
+			$text = $this->get_modifiable_text();
+
+			switch ( $tag_name ) {
+				case 'IFRAME':
+				case 'NOEMBED':
+				case 'NOFRAMES':
+					$text = '';
+					break;
+
+				case 'SCRIPT':
+				case 'STYLE':
+					break;
+
+				default:
+					$text = htmlspecialchars( $text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8' );
+			}
+
+			$html .= "{$text}</{$qualified_name}>";
+		}
+
+		return $html;
+	}
+
 	/**
 	 * Parses next element in the 'initial' insertion mode.
 	 *
diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
index 4a675acdf8d3f..214e06502260a 100644
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -4766,133 +4766,6 @@ public function get_doctype_info(): ?WP_HTML_Doctype_Info {
 		return WP_HTML_Doctype_Info::from_doctype_token( substr( $this->html, $this->token_starts_at, $this->token_length ) );
 	}
 
-	/**
-	 * Serializes the currently-matched token.
-	 *
-	 * This method produces a fully-normative HTML string for the currently-matched token,
-	 * if able. If not matched at any token or if the token doesn't correspond to any HTML
-	 * it will return an empty string (for example, presumptuous end tags are ignored).
-	 *
-	 * @see static::serialize()
-	 *
-	 * @since 6.7.0
-	 * @since 6.9.0 Converted from protected to public method.
-	 *
-	 * @return string Serialization of token, or empty string if no serialization exists.
-	 */
-	public function serialize_token(): string {
-		$html       = '';
-		$token_type = $this->get_token_type();
-
-		switch ( $token_type ) {
-			case '#doctype':
-				$doctype = $this->get_doctype_info();
-				if ( null === $doctype ) {
-					break;
-				}
-
-				$html .= '<!DOCTYPE';
-
-				if ( $doctype->name ) {
-					$html .= " {$doctype->name}";
-				}
-
-				if ( null !== $doctype->public_identifier ) {
-					$quote = str_contains( $doctype->public_identifier, '"' ) ? "'" : '"';
-					$html .= " PUBLIC {$quote}{$doctype->public_identifier}{$quote}";
-				}
-				if ( null !== $doctype->system_identifier ) {
-					if ( null === $doctype->public_identifier ) {
-						$html .= ' SYSTEM';
-					}
-					$quote = str_contains( $doctype->system_identifier, '"' ) ? "'" : '"';
-					$html .= " {$quote}{$doctype->system_identifier}{$quote}";
-				}
-
-				$html .= '>';
-				break;
-
-			case '#text':
-				$html .= htmlspecialchars( $this->get_modifiable_text(), ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8' );
-				break;
-
-			// Unlike the `<>` which is interpreted as plaintext, this is ignored entirely.
-			case '#presumptuous-tag':
-				break;
-
-			case '#funky-comment':
-			case '#comment':
-				$html .= "<!--{$this->get_full_comment_text()}-->";
-				break;
-
-			case '#cdata-section':
-				$html .= "<![CDATA[{$this->get_modifiable_text()}]]>";
-				break;
-		}
-
-		if ( '#tag' !== $token_type ) {
-			return $html;
-		}
-
-		$tag_name       = str_replace( "\x00", "\u{FFFD}", $this->get_tag() );
-		$in_html        = 'html' === $this->get_namespace();
-		$qualified_name = $in_html ? strtolower( $tag_name ) : $this->get_qualified_tag_name();
-
-		if ( $this->is_tag_closer() ) {
-			$html .= "</{$qualified_name}>";
-			return $html;
-		}
-
-		$attribute_names = $this->get_attribute_names_with_prefix( '' );
-		if ( ! isset( $attribute_names ) ) {
-			$html .= "<{$qualified_name}>";
-			return $html;
-		}
-
-		$html .= "<{$qualified_name}";
-		foreach ( $attribute_names as $attribute_name ) {
-			$html .= " {$this->get_qualified_attribute_name( $attribute_name )}";
-			$value = $this->get_attribute( $attribute_name );
-
-			if ( is_string( $value ) ) {
-				$html .= '="' . htmlspecialchars( $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5 ) . '"';
-			}
-
-			$html = str_replace( "\x00", "\u{FFFD}", $html );
-		}
-
-		if ( ! $in_html && $this->has_self_closing_flag() ) {
-			$html .= ' /';
-		}
-
-		$html .= '>';
-
-		// Flush out self-contained elements.
-		if ( $in_html && in_array( $tag_name, array( 'IFRAME', 'NOEMBED', 'NOFRAMES', 'SCRIPT', 'STYLE', 'TEXTAREA', 'TITLE', 'XMP' ), true ) ) {
-			$text = $this->get_modifiable_text();
-
-			switch ( $tag_name ) {
-				case 'IFRAME':
-				case 'NOEMBED':
-				case 'NOFRAMES':
-					$text = '';
-					break;
-
-				case 'SCRIPT':
-				case 'STYLE':
-					break;
-
-				default:
-					$text = htmlspecialchars( $text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8' );
-			}
-
-			$html .= "{$text}</{$qualified_name}>";
-		}
-
-		return $html;
-	}
-
-
 	/**
 	 * Parser Ready State.
 	 *

From 11ab28162480e512059a7f674a9071e309be2e01 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Thu, 5 Feb 2026 11:39:41 +0100
Subject: [PATCH 32/66] Switch to use HTML Processor

---
 src/wp-includes/html-api/class-wp-html-template.php | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-template.php b/src/wp-includes/html-api/class-wp-html-template.php
index 6d676c92fdad0..4afe298740462 100644
--- a/src/wp-includes/html-api/class-wp-html-template.php
+++ b/src/wp-includes/html-api/class-wp-html-template.php
@@ -85,19 +85,23 @@ private function compile(): void {
 		$this->text_normalizations = array();
 		$this->attr_escapes        = array();
 
-		$processor = new class( $this->template_string ) extends WP_HTML_Tag_Processor {
+		$processor = ( new class( '', WP_HTML_Processor::CONSTRUCTOR_UNLOCK_CODE ) extends WP_HTML_Processor {
 			public function get_html(): string {
 				return $this->html;
 			}
 
 			public function get_bookmark( string $name ) {
-				return $this->bookmarks[ $name ] ?? null;
+				return $this->bookmarks[ "_{$name}" ] ?? null;
 			}
 
 			public function get_tag_attributes(): array {
 				return $this->attributes;
 			}
-		};
+		} )::create_fragment( $this->template_string );
+
+		if ( null === $processor ) {
+			return;
+		}
 
 		while ( $processor->next_token() ) {
 			switch ( $processor->get_token_type() ) {

From 06a28c6360ef3fd5e87b72447e478eecbfb9a1b1 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 6 Feb 2026 16:42:30 +0100
Subject: [PATCH 33/66] Use assertEqualHTML in tests

---
 tests/phpunit/tests/html-api/wpHtmlTemplate.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTemplate.php b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
index 5e1be8acb20b3..22f4f17ed8c56 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTemplate.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
@@ -630,7 +630,7 @@ public function test_table_templates_not_yet_supported() {
 	 */
 	public function test_atomic_element_attributes_are_replaced( string $template_string, array $replacements, string $expected ) {
 		$result = T::from( $template_string )->bind( $replacements )->render();
-		$this->assertSame( $expected, $result );
+		$this->assertEqualHTML( $expected, $result );
 	}
 
 	public static function data_atomic_element_attributes() {
@@ -680,7 +680,7 @@ public static function data_atomic_element_attributes() {
 	 */
 	public function test_special_element_content_placeholder_behavior( string $template_string, string $expected ) {
 		$result = T::from( $template_string )->render();
-		$this->assertSame( $expected, $result );
+		$this->assertEqualHTML( $expected, $result );
 	}
 
 	public static function data_atomic_element_content_placeholders() {
@@ -726,7 +726,7 @@ public static function data_atomic_element_content_placeholders() {
 	 */
 	public function test_pre_element_leading_newline_behavior( string $template_string, array $replacements, string $expected ) {
 		$result = T::from( $template_string )->bind( $replacements )->render();
-		$this->assertSame( $expected, $result );
+		$this->assertEqualHTML( $expected, $result );
 	}
 
 	public static function data_pre_element_leading_newline() {

From 5862ee4831ae92452c64f7087ea1c05202e67cc6 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 6 Feb 2026 16:44:16 +0100
Subject: [PATCH 34/66] Add newline in PRE tests

---
 .../phpunit/tests/html-api/wpHtmlTemplate.php | 21 +++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTemplate.php b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
index 22f4f17ed8c56..af32b7efd6204 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTemplate.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
@@ -749,10 +749,27 @@ public static function data_pre_element_leading_newline() {
 				"<pre>line1\nline2</pre>",
 			),
 
+			/*
+			 * This may seem wrong, but the template is processed like HTML. The leading newline
+			 * is removed.
+			 * The newline inside the replacement is rendered as HTML and is also removed.
+			 *
+			 * The correct way to do this for a PRE tag is:
+			 * - Leading newline in template is irrelevant.
+			 * - Replacement must include an extra newline to lead with a newline in the output.
+			 *
+			 * See the next case.
+			 */
 			'PRE with newline and newline in replacement' => array(
 				"<pre>\n</%code></pre>",
-				array( 'code' =>    "\nline1\nline2"),
-				"<pre>\nline1\nline2</pre>",
+				array( 'code' => "\nline1\nline2" ),
+				"<pre>\n\nline1\nline2</pre>",
+			),
+
+			'PRE with newline and double-newline in replacement' => array(
+				"<pre>\n</%code></pre>",
+				array( 'code' => "\nline1\nline2" ),
+				"<pre>\n\nline1\nline2</pre>",
 			),
 		);
 	}

From 0bda31b0b9a8076f3f4e6f34305495b4dfd79c52 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 6 Feb 2026 16:45:53 +0100
Subject: [PATCH 35/66] Update PRE leading newline test

---
 tests/phpunit/tests/html-api/wpHtmlTemplate.php | 17 -----------------
 1 file changed, 17 deletions(-)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTemplate.php b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
index af32b7efd6204..38a39fb899019 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTemplate.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
@@ -749,28 +749,11 @@ public static function data_pre_element_leading_newline() {
 				"<pre>line1\nline2</pre>",
 			),
 
-			/*
-			 * This may seem wrong, but the template is processed like HTML. The leading newline
-			 * is removed.
-			 * The newline inside the replacement is rendered as HTML and is also removed.
-			 *
-			 * The correct way to do this for a PRE tag is:
-			 * - Leading newline in template is irrelevant.
-			 * - Replacement must include an extra newline to lead with a newline in the output.
-			 *
-			 * See the next case.
-			 */
 			'PRE with newline and newline in replacement' => array(
 				"<pre>\n</%code></pre>",
 				array( 'code' => "\nline1\nline2" ),
 				"<pre>\n\nline1\nline2</pre>",
 			),
-
-			'PRE with newline and double-newline in replacement' => array(
-				"<pre>\n</%code></pre>",
-				array( 'code' => "\nline1\nline2" ),
-				"<pre>\n\nline1\nline2</pre>",
-			),
 		);
 	}
 

From d99bb22572f4397c5bf2ecf0bc42020f5275a195 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 6 Feb 2026 16:53:12 +0100
Subject: [PATCH 36/66] Add more test cases

---
 tests/phpunit/tests/html-api/wpHtmlTemplate.php | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTemplate.php b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
index 38a39fb899019..12459087f8644 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTemplate.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
@@ -70,14 +70,14 @@ public function test_replaces_only_in_first_duplicate_attribute() {
 	 * @covers ::render
 	 */
 	public function test_attribute_replacement_is_not_recursive() {
-		$template_string = '<meta a="</%replace>">';
+		$template_string = '<div a="<%/replace>"><%/replace></div>';
 		$replacements    = array(
 			'replace' => '<%/replace>',
 		);
 
 		$result = T::from( $template_string )->bind( $replacements )->render();
 
-		$expected = '<meta a="&lt;%/replace&gt;">';
+		$expected = '<div a="&lt;/%replace&gt;">&lt;/%replace&gt;</div>';
 		$this->assertEqualHTML( $expected, $result );
 	}
 
@@ -754,6 +754,12 @@ public static function data_pre_element_leading_newline() {
 				array( 'code' => "\nline1\nline2" ),
 				"<pre>\n\nline1\nline2</pre>",
 			),
+
+			'PRE with newline, newline replacement, and additional contents' => array(
+				"<pre>\n</%code><!--c--></pre>",
+				array( 'code' => "\nline1" ),
+				"<pre>\n\nline1<!--c--></pre>",
+			),
 		);
 	}
 

From b89a3ff545582a5e29aacad9c5dde2bae00e8a4c Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 6 Feb 2026 17:10:18 +0100
Subject: [PATCH 37/66] Remove special handling for PRE, LISTING tags

---
 src/wp-includes/html-api/class-wp-html-template.php | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-template.php b/src/wp-includes/html-api/class-wp-html-template.php
index 4afe298740462..d1f492e866567 100644
--- a/src/wp-includes/html-api/class-wp-html-template.php
+++ b/src/wp-includes/html-api/class-wp-html-template.php
@@ -116,14 +116,8 @@ public function get_tag_attributes(): array {
 						break;
 					}
 					$normalized = $processor->serialize_token();
-					/*
-					 * Compare using substr_compare with min length to match
-					 * the original behavior: when serialize_token() returns
-					 * empty (e.g. leading newline after <pre>), the comparison
-					 * length is 0, which always matches. This leaves the text
-					 * unchanged for normalize() to handle at the end.
-					 */
-					if ( 0 !== substr_compare( $processor->get_html(), $normalized, $mark->start, min( $mark->length, strlen( $normalized ) ) ) ) {
+					if ( 0 !== substr_compare( $processor->get_html(), $normalized, $mark->start, $mark->length )
+						) {
 						$this->text_normalizations[] = array( $mark->start, $mark->length, $normalized );
 					}
 					break;

From 2fcc2112133caa16cc5f1c7dd93ae1d19b62fb99 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 6 Feb 2026 17:11:55 +0100
Subject: [PATCH 38/66] Test tweaks and notes

---
 tests/phpunit/tests/html-api/wpHtmlTemplate.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTemplate.php b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
index 12459087f8644..8d70d6ebdd7ff 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTemplate.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
@@ -675,6 +675,8 @@ public static function data_atomic_element_attributes() {
 	 *
 	 * @dataProvider data_atomic_element_content_placeholders
 	 *
+	 * @todo Implement correct handling of atomic elements.
+	 *
 	 * @covers ::from
 	 * @covers ::render
 	 */
@@ -725,6 +727,8 @@ public static function data_atomic_element_content_placeholders() {
 	 * @covers ::render
 	 */
 	public function test_pre_element_leading_newline_behavior( string $template_string, array $replacements, string $expected ) {
+		$this->markTestSkipped( 'PRE newline handling is not yet correct.' );
+
 		$result = T::from( $template_string )->bind( $replacements )->render();
 		$this->assertEqualHTML( $expected, $result );
 	}

From 3e2757f92b7fbc94967633b264884dc12a92f572 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 6 Feb 2026 18:35:45 +0100
Subject: [PATCH 39/66] HTML API: Add $edits and $placeholder_names properties
 to WP_HTML_Template

Preparation for unifying $compiled, $text_normalizations, and $attr_escapes
into a single edits array with a separate placeholder name index.

See docs/plans/2026-02-06-unified-edits-array-design.md
---
 .../html-api/class-wp-html-template.php       | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/src/wp-includes/html-api/class-wp-html-template.php b/src/wp-includes/html-api/class-wp-html-template.php
index d1f492e866567..8ef9ff1aefffd 100644
--- a/src/wp-includes/html-api/class-wp-html-template.php
+++ b/src/wp-includes/html-api/class-wp-html-template.php
@@ -53,6 +53,30 @@ class WP_HTML_Template {
 	 */
 	private array $attr_escapes = array();
 
+	/**
+	 * Unified edit operations list.
+	 *
+	 * Flat array in document order (ascending offsets). Each entry is one of:
+	 *
+	 * Pre-computed replacement (normalizations, escapes):
+	 *   ['start' => int, 'length' => int, 'replacement' => string]
+	 *
+	 * Placeholder reference (render-time lookup):
+	 *   ['start' => int, 'length' => int, 'placeholder' => string, 'context' => 'text'|'attribute']
+	 *
+	 * @since 7.0.0
+	 * @var array
+	 */
+	private array $edits = array();
+
+	/**
+	 * Placeholder names for O(1) validation.
+	 *
+	 * @since 7.0.0
+	 * @var array<string, true>
+	 */
+	private array $placeholder_names = array();
+
 	/**
 	 * Returns the compiled placeholder metadata.
 	 *

From 45c01dd95484f88f815351d63eb1704fddd06893 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 6 Feb 2026 18:41:27 +0100
Subject: [PATCH 40/66] HTML API: Populate $edits with text normalizations
 during compile

Text normalizations are now appended to the unified edits array as
pre-computed replacements. The legacy $text_normalizations array is
retained temporarily for parallel validation during migration.
---
 src/wp-includes/html-api/class-wp-html-template.php | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-template.php b/src/wp-includes/html-api/class-wp-html-template.php
index 8ef9ff1aefffd..1749659035360 100644
--- a/src/wp-includes/html-api/class-wp-html-template.php
+++ b/src/wp-includes/html-api/class-wp-html-template.php
@@ -108,6 +108,8 @@ private function compile(): void {
 		$this->compiled            = array();
 		$this->text_normalizations = array();
 		$this->attr_escapes        = array();
+		$this->edits               = array();
+		$this->placeholder_names   = array();
 
 		$processor = ( new class( '', WP_HTML_Processor::CONSTRUCTOR_UNLOCK_CODE ) extends WP_HTML_Processor {
 			public function get_html(): string {
@@ -140,9 +142,15 @@ public function get_tag_attributes(): array {
 						break;
 					}
 					$normalized = $processor->serialize_token();
-					if ( 0 !== substr_compare( $processor->get_html(), $normalized, $mark->start, $mark->length )
-						) {
+					if ( 0 !== substr_compare( $processor->get_html(), $normalized, $mark->start, $mark->length ) ) {
+						// Legacy: keep text_normalizations for now (parallel arrays during migration).
 						$this->text_normalizations[] = array( $mark->start, $mark->length, $normalized );
+						// New: append pre-computed replacement to edits.
+						$this->edits[] = array(
+							'start'       => $mark->start,
+							'length'      => $mark->length,
+							'replacement' => $normalized,
+						);
 					}
 					break;
 

From b3162854a2ee57faf37d9a678a789d7d2565d5d4 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 6 Feb 2026 18:54:48 +0100
Subject: [PATCH 41/66] HTML API: Populate $edits with text placeholders during
 compile

Text placeholders are now appended to the unified edits array with
context='text'. Placeholder names are also registered in $placeholder_names
for O(1) validation during bind().
---
 src/wp-includes/html-api/class-wp-html-template.php | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/wp-includes/html-api/class-wp-html-template.php b/src/wp-includes/html-api/class-wp-html-template.php
index 1749659035360..e6518ce7dbb43 100644
--- a/src/wp-includes/html-api/class-wp-html-template.php
+++ b/src/wp-includes/html-api/class-wp-html-template.php
@@ -185,6 +185,15 @@ public function get_tag_attributes(): array {
 					}
 
 					$this->compiled[ $placeholder ]['offsets'][] = array( $start, $length );
+
+					// New: append placeholder edit and register name.
+					$this->edits[] = array(
+						'start'       => $start,
+						'length'      => $length,
+						'placeholder' => $placeholder,
+						'context'     => 'text',
+					);
+					$this->placeholder_names[ $placeholder ] = true;
 					break;
 
 				case '#tag':

From 9d15dfa4af92533a9a96158968af056a8cb8acc5 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 6 Feb 2026 19:01:48 +0100
Subject: [PATCH 42/66] HTML API: Pre-compute attribute escapes at compile time

Static text segments in attribute values are now decoded and re-encoded
during compilation. Only segments that actually change are added to $edits.
This moves escape computation from render time to compile time.

Also fixes a typo in test_attribute_replacement_is_not_recursive where the
placeholder syntax used `<%/` instead of the correct `</%`.
---
 .../html-api/class-wp-html-template.php       | 46 +++++++++++++++++--
 .../phpunit/tests/html-api/wpHtmlTemplate.php |  4 +-
 2 files changed, 44 insertions(+), 6 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-template.php b/src/wp-includes/html-api/class-wp-html-template.php
index e6518ce7dbb43..a2ad7ed8c472b 100644
--- a/src/wp-includes/html-api/class-wp-html-template.php
+++ b/src/wp-includes/html-api/class-wp-html-template.php
@@ -230,9 +230,28 @@ public function get_tag_attributes(): array {
 							$match_start  = $matches[0][1];
 							$match_length = strlen( $matches[0][0] );
 
-							// Track text segment before this placeholder for escaping.
+							// Pre-compute escape for text segment before this placeholder.
 							if ( $match_start > $last_offset ) {
-								$this->attr_escapes[] = array( $last_offset, $match_start - $last_offset );
+								$seg_length = $match_start - $last_offset;
+								$original   = substr( $html, $last_offset, $seg_length );
+								$decoded    = WP_HTML_Decoder::decode_attribute( $original );
+								$escaped    = strtr( $decoded, array(
+									'&' => '&amp;',
+									'<' => '&lt;',
+									'>' => '&gt;',
+									"'" => '&apos;',
+									'"' => '&quot;',
+								) );
+								// Only add edit if escaping actually changes the text.
+								if ( $escaped !== $original ) {
+									$this->edits[] = array(
+										'start'       => $last_offset,
+										'length'      => $seg_length,
+										'replacement' => $escaped,
+									);
+								}
+								// Legacy: keep attr_escapes for now.
+								$this->attr_escapes[] = array( $last_offset, $seg_length );
 							}
 
 							if ( ! isset( $this->compiled[ $placeholder ] ) ) {
@@ -251,9 +270,28 @@ public function get_tag_attributes(): array {
 							$offset      = $last_offset;
 						}
 
-						// Track trailing text segment after last placeholder.
+						// Pre-compute escape for trailing text segment after last placeholder.
 						if ( $last_offset < $end ) {
-							$this->attr_escapes[] = array( $last_offset, $end - $last_offset );
+							$seg_length = $end - $last_offset;
+							$original   = substr( $html, $last_offset, $seg_length );
+							$decoded    = WP_HTML_Decoder::decode_attribute( $original );
+							$escaped    = strtr( $decoded, array(
+								'&' => '&amp;',
+								'<' => '&lt;',
+								'>' => '&gt;',
+								"'" => '&apos;',
+								'"' => '&quot;',
+							) );
+							// Only add edit if escaping actually changes the text.
+							if ( $escaped !== $original ) {
+								$this->edits[] = array(
+									'start'       => $last_offset,
+									'length'      => $seg_length,
+									'replacement' => $escaped,
+								);
+							}
+							// Legacy: keep attr_escapes for now.
+							$this->attr_escapes[] = array( $last_offset, $seg_length );
 						}
 					}
 					break;
diff --git a/tests/phpunit/tests/html-api/wpHtmlTemplate.php b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
index 8d70d6ebdd7ff..dd730a5ba3ab1 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTemplate.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
@@ -70,9 +70,9 @@ public function test_replaces_only_in_first_duplicate_attribute() {
 	 * @covers ::render
 	 */
 	public function test_attribute_replacement_is_not_recursive() {
-		$template_string = '<div a="<%/replace>"><%/replace></div>';
+		$template_string = '<div a="</%replace>"></%replace></div>';
 		$replacements    = array(
-			'replace' => '<%/replace>',
+			'replace' => '</%replace>',
 		);
 
 		$result = T::from( $template_string )->bind( $replacements )->render();

From 75f0d9594fb47fdb9667940c9ba025949b75ab69 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 6 Feb 2026 19:04:00 +0100
Subject: [PATCH 43/66] HTML API: Populate $edits with attribute placeholders
 during compile

Attribute placeholders are now appended to the unified edits array with
context='attribute'. Names are registered in $placeholder_names.
---
 src/wp-includes/html-api/class-wp-html-template.php | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/wp-includes/html-api/class-wp-html-template.php b/src/wp-includes/html-api/class-wp-html-template.php
index a2ad7ed8c472b..d83e22e75b1bc 100644
--- a/src/wp-includes/html-api/class-wp-html-template.php
+++ b/src/wp-includes/html-api/class-wp-html-template.php
@@ -266,6 +266,15 @@ public function get_tag_attributes(): array {
 
 							$this->compiled[ $placeholder ]['offsets'][] = array( $match_start, $match_length );
 
+							// New: append placeholder edit and register name.
+							$this->edits[] = array(
+								'start'       => $match_start,
+								'length'      => $match_length,
+								'placeholder' => $placeholder,
+								'context'     => 'attribute',
+							);
+							$this->placeholder_names[ $placeholder ] = true;
+
 							$last_offset = $match_start + $match_length;
 							$offset      = $last_offset;
 						}

From 18c925c1dac983249c0dce75cbe60e6492d02979 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 6 Feb 2026 21:04:03 +0100
Subject: [PATCH 44/66] HTML API: Refactor render() to use unified $edits array

Render now iterates the edits array in reverse order instead of building
an intermediate $updates array from three separate sources. Pre-computed
replacements are applied directly; placeholders are looked up and escaped.

Removes usort() call - edits are naturally in document order from compile.

Also ensures bind() copies $edits and $placeholder_names to the new instance.
---
 .../html-api/class-wp-html-template.php       | 94 +++++++------------
 1 file changed, 32 insertions(+), 62 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-template.php b/src/wp-includes/html-api/class-wp-html-template.php
index d83e22e75b1bc..f21bf9c961cfa 100644
--- a/src/wp-includes/html-api/class-wp-html-template.php
+++ b/src/wp-includes/html-api/class-wp-html-template.php
@@ -421,6 +421,8 @@ public function bind( array $replacements ): static {
 		$new->compiled            = $this->compiled;
 		$new->text_normalizations = $this->text_normalizations;
 		$new->attr_escapes        = $this->attr_escapes;
+		$new->edits               = $this->edits;
+		$new->placeholder_names   = $this->placeholder_names;
 		return $new;
 	}
 
@@ -460,49 +462,43 @@ public function render(): string|false {
 		$html      = $this->template_string;
 		$used_keys = array();
 
-		/*
-		 * Collect all updates as [start, length, replacement_text] tuples.
-		 */
-		$updates = array();
-
-		// 1. Placeholder replacements.
-		foreach ( $this->compiled as $placeholder => $info ) {
-			$placeholder = (string) $placeholder;
-
-			// Look up the replacement value.
-			if ( array_key_exists( $placeholder, $this->replacements ) ) {
-				$key = $placeholder;
-			} elseif ( ctype_digit( $placeholder ) && array_key_exists( (int) $placeholder, $this->replacements ) ) {
-				$key = (int) $placeholder;
-			} else {
-				return false;
-			}
-
-			$used_keys[ $key ] = true;
-			$value             = $this->replacements[ $key ];
-
-			if ( $value instanceof self ) {
-				// Templates in attribute context are an error.
-				if ( 'attribute' === $info['context'] ) {
+		// Process edits in reverse order (end to start) to preserve positions.
+		foreach ( array_reverse( $this->edits ) as $edit ) {
+			if ( isset( $edit['placeholder'] ) ) {
+				// Placeholder: look up replacement value.
+				$placeholder = $edit['placeholder'];
+
+				if ( array_key_exists( $placeholder, $this->replacements ) ) {
+					$key = $placeholder;
+				} elseif ( ctype_digit( $placeholder ) && array_key_exists( (int) $placeholder, $this->replacements ) ) {
+					$key = (int) $placeholder;
+				} else {
 					return false;
 				}
 
-				$rendered = $value->render();
-				if ( false === $rendered ) {
-					return false;
-				}
+				$used_keys[ $key ] = true;
+				$value             = $this->replacements[ $key ];
 
-				foreach ( $info['offsets'] as list( $start, $length ) ) {
-					$updates[] = array( $start, $length, $rendered );
-				}
-			} elseif ( is_string( $value ) ) {
-				$escaped = strtr( $value, $escape_map );
+				if ( $value instanceof self ) {
+					if ( 'attribute' === $edit['context'] ) {
+						return false;
+					}
+
+					$rendered = $value->render();
+					if ( false === $rendered ) {
+						return false;
+					}
 
-				foreach ( $info['offsets'] as list( $start, $length ) ) {
-					$updates[] = array( $start, $length, $escaped );
+					$html = substr_replace( $html, $rendered, $edit['start'], $edit['length'] );
+				} elseif ( is_string( $value ) ) {
+					$escaped = strtr( $value, $escape_map );
+					$html    = substr_replace( $html, $escaped, $edit['start'], $edit['length'] );
+				} else {
+					return false;
 				}
 			} else {
-				return false;
+				// Pre-computed replacement: apply directly.
+				$html = substr_replace( $html, $edit['replacement'], $edit['start'], $edit['length'] );
 			}
 		}
 
@@ -511,32 +507,6 @@ public function render(): string|false {
 			return false;
 		}
 
-		// 2. Text normalizations.
-		foreach ( $this->text_normalizations as list( $start, $length, $normalized ) ) {
-			$updates[] = array( $start, $length, $normalized );
-		}
-
-		// 3. Attribute text escaping.
-		// Static text in attribute values needs escaping to prevent character
-		// reference injection (e.g. "&" + "not" = "&not;" = "¬"). Decode
-		// existing character references first, then re-encode to avoid
-		// double-escaping (e.g. "&amp;" should stay "&amp;", not become "&amp;amp;").
-		foreach ( $this->attr_escapes as list( $start, $length ) ) {
-			$original = substr( $html, $start, $length );
-			$decoded  = WP_HTML_Decoder::decode_attribute( $original );
-			$updates[] = array( $start, $length, strtr( $decoded, $escape_map ) );
-		}
-
-		// Sort by start position descending so replacements don't shift positions.
-		usort( $updates, static function ( $a, $b ) {
-			return $b[0] <=> $a[0];
-		} );
-
-		// Apply all replacements from end to start.
-		foreach ( $updates as list( $start, $length, $replacement ) ) {
-			$html = substr_replace( $html, $replacement, $start, $length );
-		}
-
 		return WP_HTML_Processor::normalize( $html ) ?? $html;
 	}
 }

From 13323b341138c9dc6ddb07e56154efe043deb71d Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 6 Feb 2026 21:08:46 +0100
Subject: [PATCH 45/66] HTML API: Refactor bind() to use $placeholder_names for
 validation

Validation now uses the pre-built $placeholder_names index for O(1) lookups
instead of iterating through $compiled to build a lookup on each bind() call.
---
 .../html-api/class-wp-html-template.php       | 38 +++++--------------
 1 file changed, 10 insertions(+), 28 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-template.php b/src/wp-includes/html-api/class-wp-html-template.php
index f21bf9c961cfa..08b2dd297a95b 100644
--- a/src/wp-includes/html-api/class-wp-html-template.php
+++ b/src/wp-includes/html-api/class-wp-html-template.php
@@ -341,31 +341,12 @@ public static function from( string $template ): static {
 	public function bind( array $replacements ): static {
 		$this->compile();
 
-		// Build a lookup of placeholder keys from compiled data.
-		$placeholder_keys = array();
-		foreach ( $this->compiled as $placeholder => $info ) {
-			$placeholder = (string) $placeholder;
-			$placeholder_keys[ $placeholder ] = true;
-			if ( ctype_digit( $placeholder ) ) {
-				$placeholder_keys[ (int) $placeholder ] = true;
-			}
-		}
-
-		// Build a lookup of replacement keys.
-		$replacement_keys = array();
-		foreach ( $replacements as $key => $value ) {
-			$replacement_keys[ (string) $key ] = true;
-			if ( is_int( $key ) ) {
-				$replacement_keys[ $key ] = true;
-			}
-		}
-
 		// Check for missing keys (placeholder without replacement).
-		foreach ( $this->compiled as $placeholder => $info ) {
+		foreach ( $this->placeholder_names as $placeholder => $_ ) {
 			$placeholder = (string) $placeholder;
-			$found       = isset( $replacement_keys[ $placeholder ] );
+			$found       = array_key_exists( $placeholder, $replacements );
 			if ( ! $found && ctype_digit( $placeholder ) ) {
-				$found = isset( $replacement_keys[ (int) $placeholder ] ) || array_key_exists( (int) $placeholder, $replacements );
+				$found = array_key_exists( (int) $placeholder, $replacements );
 			}
 			if ( ! $found ) {
 				_doing_it_wrong(
@@ -382,7 +363,7 @@ public function bind( array $replacements ): static {
 		// Check for unused keys (replacement without placeholder).
 		foreach ( $replacements as $key => $value ) {
 			$str_key = (string) $key;
-			$found   = isset( $placeholder_keys[ $key ] ) || isset( $placeholder_keys[ $str_key ] );
+			$found   = isset( $this->placeholder_names[ $key ] ) || isset( $this->placeholder_names[ $str_key ] );
 			if ( ! $found ) {
 				_doing_it_wrong(
 					__METHOD__,
@@ -396,14 +377,14 @@ public function bind( array $replacements ): static {
 		}
 
 		// Check for templates in attribute context.
-		foreach ( $this->compiled as $placeholder => $info ) {
-			$placeholder = (string) $placeholder;
-			if ( 'attribute' !== $info['context'] ) {
+		foreach ( $this->edits as $edit ) {
+			if ( ! isset( $edit['placeholder'] ) || 'attribute' !== $edit['context'] ) {
 				continue;
 			}
 
-			$key   = ctype_digit( $placeholder ) ? (int) $placeholder : $placeholder;
-			$value = $replacements[ $key ] ?? $replacements[ $placeholder ] ?? null;
+			$placeholder = $edit['placeholder'];
+			$key         = ctype_digit( $placeholder ) ? (int) $placeholder : $placeholder;
+			$value       = $replacements[ $key ] ?? $replacements[ $placeholder ] ?? null;
 
 			if ( $value instanceof self ) {
 				_doing_it_wrong(
@@ -414,6 +395,7 @@ public function bind( array $replacements ): static {
 					),
 					'7.0.0'
 				);
+				break; // Only warn once per placeholder name.
 			}
 		}
 

From 7747f6d931cf912a06a6fa99ab77aeb1a1aa6bdf Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 6 Feb 2026 21:13:40 +0100
Subject: [PATCH 46/66] HTML API: Remove legacy $text_normalizations and
 $attr_escapes arrays

These are now fully superseded by the unified $edits array.
Text normalizations and attribute escapes are stored as pre-computed
replacements in $edits during compile().
---
 .../html-api/class-wp-html-template.php       | 43 +++----------------
 1 file changed, 5 insertions(+), 38 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-template.php b/src/wp-includes/html-api/class-wp-html-template.php
index 08b2dd297a95b..d95e81dec43c9 100644
--- a/src/wp-includes/html-api/class-wp-html-template.php
+++ b/src/wp-includes/html-api/class-wp-html-template.php
@@ -31,28 +31,6 @@ class WP_HTML_Template {
 	 */
 	private ?array $compiled = null;
 
-	/**
-	 * Text normalizations discovered during compilation.
-	 *
-	 * Array of [start, length, normalized_text] tuples for #text tokens
-	 * whose serialized form differs from the original HTML.
-	 *
-	 * @since 7.0.0
-	 * @var array
-	 */
-	private array $text_normalizations = array();
-
-	/**
-	 * Attribute text segments needing escaping.
-	 *
-	 * Array of [start, length] pairs for text between/before placeholders
-	 * within attribute values.
-	 *
-	 * @since 7.0.0
-	 * @var array
-	 */
-	private array $attr_escapes = array();
-
 	/**
 	 * Unified edit operations list.
 	 *
@@ -105,10 +83,8 @@ private function compile(): void {
 			return;
 		}
 
-		$this->compiled            = array();
-		$this->text_normalizations = array();
-		$this->attr_escapes        = array();
-		$this->edits               = array();
+		$this->compiled          = array();
+		$this->edits             = array();
 		$this->placeholder_names   = array();
 
 		$processor = ( new class( '', WP_HTML_Processor::CONSTRUCTOR_UNLOCK_CODE ) extends WP_HTML_Processor {
@@ -143,9 +119,6 @@ public function get_tag_attributes(): array {
 					}
 					$normalized = $processor->serialize_token();
 					if ( 0 !== substr_compare( $processor->get_html(), $normalized, $mark->start, $mark->length ) ) {
-						// Legacy: keep text_normalizations for now (parallel arrays during migration).
-						$this->text_normalizations[] = array( $mark->start, $mark->length, $normalized );
-						// New: append pre-computed replacement to edits.
 						$this->edits[] = array(
 							'start'       => $mark->start,
 							'length'      => $mark->length,
@@ -250,8 +223,6 @@ public function get_tag_attributes(): array {
 										'replacement' => $escaped,
 									);
 								}
-								// Legacy: keep attr_escapes for now.
-								$this->attr_escapes[] = array( $last_offset, $seg_length );
 							}
 
 							if ( ! isset( $this->compiled[ $placeholder ] ) ) {
@@ -299,8 +270,6 @@ public function get_tag_attributes(): array {
 									'replacement' => $escaped,
 								);
 							}
-							// Legacy: keep attr_escapes for now.
-							$this->attr_escapes[] = array( $last_offset, $seg_length );
 						}
 					}
 					break;
@@ -400,11 +369,9 @@ public function bind( array $replacements ): static {
 		}
 
 		$new = new static( $this->template_string, $replacements );
-		$new->compiled            = $this->compiled;
-		$new->text_normalizations = $this->text_normalizations;
-		$new->attr_escapes        = $this->attr_escapes;
-		$new->edits               = $this->edits;
-		$new->placeholder_names   = $this->placeholder_names;
+		$new->compiled          = $this->compiled;
+		$new->edits             = $this->edits;
+		$new->placeholder_names = $this->placeholder_names;
 		return $new;
 	}
 

From fc7517412c843597dd3692fde06e0ddd12dae7c5 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 6 Feb 2026 21:17:34 +0100
Subject: [PATCH 47/66] HTML API: Add TODO for future $compiled removal

Document that $compiled could be derived from $edits on-demand to eliminate
redundant storage, but keeping it for now to preserve get_placeholders() API.
---
 src/wp-includes/html-api/class-wp-html-template.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/wp-includes/html-api/class-wp-html-template.php b/src/wp-includes/html-api/class-wp-html-template.php
index d95e81dec43c9..2d67a3520fa0f 100644
--- a/src/wp-includes/html-api/class-wp-html-template.php
+++ b/src/wp-includes/html-api/class-wp-html-template.php
@@ -22,6 +22,10 @@ class WP_HTML_Template {
 	/**
 	 * Compiled placeholder metadata.
 	 *
+	 * @todo Consider deriving this from $edits on-demand in get_placeholders()
+	 *       to eliminate redundant storage. Would require building the grouped
+	 *       structure at call time instead of compile time.
+	 *
 	 * Array of placeholder_name => array with keys:
 	 * - 'offsets': array of [start, length] pairs for each occurrence
 	 * - 'context': 'text' or 'attribute' (attribute takes precedence)

From 12b1f630a8c93d69cc9188c733703213cadd72c6 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 6 Feb 2026 21:21:08 +0100
Subject: [PATCH 48/66] HTML API: Fix code style issues in WP_HTML_Template

Apply WordPress Coding Standards formatting:
- Align equals signs in assignment blocks
- Format multi-line function calls (strtr) per PEAR standard
---
 .../html-api/class-wp-html-template.php       | 42 +++++++++++--------
 1 file changed, 24 insertions(+), 18 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-template.php b/src/wp-includes/html-api/class-wp-html-template.php
index 2d67a3520fa0f..32974c4a7b8cb 100644
--- a/src/wp-includes/html-api/class-wp-html-template.php
+++ b/src/wp-includes/html-api/class-wp-html-template.php
@@ -89,7 +89,7 @@ private function compile(): void {
 
 		$this->compiled          = array();
 		$this->edits             = array();
-		$this->placeholder_names   = array();
+		$this->placeholder_names = array();
 
 		$processor = ( new class( '', WP_HTML_Processor::CONSTRUCTOR_UNLOCK_CODE ) extends WP_HTML_Processor {
 			public function get_html(): string {
@@ -164,7 +164,7 @@ public function get_tag_attributes(): array {
 					$this->compiled[ $placeholder ]['offsets'][] = array( $start, $length );
 
 					// New: append placeholder edit and register name.
-					$this->edits[] = array(
+					$this->edits[]                           = array(
 						'start'       => $start,
 						'length'      => $length,
 						'placeholder' => $placeholder,
@@ -212,13 +212,16 @@ public function get_tag_attributes(): array {
 								$seg_length = $match_start - $last_offset;
 								$original   = substr( $html, $last_offset, $seg_length );
 								$decoded    = WP_HTML_Decoder::decode_attribute( $original );
-								$escaped    = strtr( $decoded, array(
-									'&' => '&amp;',
-									'<' => '&lt;',
-									'>' => '&gt;',
-									"'" => '&apos;',
-									'"' => '&quot;',
-								) );
+								$escaped    = strtr(
+									$decoded,
+									array(
+										'&' => '&amp;',
+										'<' => '&lt;',
+										'>' => '&gt;',
+										"'" => '&apos;',
+										'"' => '&quot;',
+									)
+								);
 								// Only add edit if escaping actually changes the text.
 								if ( $escaped !== $original ) {
 									$this->edits[] = array(
@@ -242,7 +245,7 @@ public function get_tag_attributes(): array {
 							$this->compiled[ $placeholder ]['offsets'][] = array( $match_start, $match_length );
 
 							// New: append placeholder edit and register name.
-							$this->edits[] = array(
+							$this->edits[]                           = array(
 								'start'       => $match_start,
 								'length'      => $match_length,
 								'placeholder' => $placeholder,
@@ -259,13 +262,16 @@ public function get_tag_attributes(): array {
 							$seg_length = $end - $last_offset;
 							$original   = substr( $html, $last_offset, $seg_length );
 							$decoded    = WP_HTML_Decoder::decode_attribute( $original );
-							$escaped    = strtr( $decoded, array(
-								'&' => '&amp;',
-								'<' => '&lt;',
-								'>' => '&gt;',
-								"'" => '&apos;',
-								'"' => '&quot;',
-							) );
+							$escaped    = strtr(
+								$decoded,
+								array(
+									'&' => '&amp;',
+									'<' => '&lt;',
+									'>' => '&gt;',
+									"'" => '&apos;',
+									'"' => '&quot;',
+								)
+							);
 							// Only add edit if escaping actually changes the text.
 							if ( $escaped !== $original ) {
 								$this->edits[] = array(
@@ -372,7 +378,7 @@ public function bind( array $replacements ): static {
 			}
 		}
 
-		$new = new static( $this->template_string, $replacements );
+		$new                    = new static( $this->template_string, $replacements );
 		$new->compiled          = $this->compiled;
 		$new->edits             = $this->edits;
 		$new->placeholder_names = $this->placeholder_names;

From 8160d60ea246488817836ae5182aea3d19014b53 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 6 Feb 2026 22:55:45 +0100
Subject: [PATCH 49/66] HTML API: Remove redundant $compiled variable from
 WP_HTML_Template

Replace the $compiled property with an $is_compiled boolean flag.
The grouped placeholder metadata is now derived on-demand in
get_placeholders() by iterating through the $edits array, eliminating
redundant storage while maintaining identical public API behavior.
---
 .../html-api/class-wp-html-template.php       | 73 +++++++++----------
 1 file changed, 36 insertions(+), 37 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-template.php b/src/wp-includes/html-api/class-wp-html-template.php
index 32974c4a7b8cb..033ea88e83a77 100644
--- a/src/wp-includes/html-api/class-wp-html-template.php
+++ b/src/wp-includes/html-api/class-wp-html-template.php
@@ -20,20 +20,12 @@ class WP_HTML_Template {
 	private array $replacements = array();
 
 	/**
-	 * Compiled placeholder metadata.
-	 *
-	 * @todo Consider deriving this from $edits on-demand in get_placeholders()
-	 *       to eliminate redundant storage. Would require building the grouped
-	 *       structure at call time instead of compile time.
-	 *
-	 * Array of placeholder_name => array with keys:
-	 * - 'offsets': array of [start, length] pairs for each occurrence
-	 * - 'context': 'text' or 'attribute' (attribute takes precedence)
+	 * Whether the template has been compiled.
 	 *
 	 * @since 7.0.0
-	 * @var array|null
+	 * @var bool
 	 */
-	private ?array $compiled = null;
+	private bool $is_compiled = false;
 
 	/**
 	 * Unified edit operations list.
@@ -62,7 +54,9 @@ class WP_HTML_Template {
 	/**
 	 * Returns the compiled placeholder metadata.
 	 *
-	 * Triggers compilation if not already done.
+	 * Derives the grouped structure from $edits on-demand.
+	 * If a placeholder appears in both text and attribute contexts,
+	 * the attribute context takes precedence (more restrictive).
 	 *
 	 * @since 7.0.0
 	 *
@@ -70,7 +64,33 @@ class WP_HTML_Template {
 	 */
 	public function get_placeholders(): array {
 		$this->compile();
-		return $this->compiled;
+
+		$result = array();
+
+		foreach ( $this->edits as $edit ) {
+			if ( ! isset( $edit['placeholder'] ) ) {
+				continue;
+			}
+
+			$placeholder = $edit['placeholder'];
+			$context     = $edit['context'];
+
+			if ( ! isset( $result[ $placeholder ] ) ) {
+				$result[ $placeholder ] = array(
+					'offsets' => array(),
+					'context' => $context,
+				);
+			} else {
+				// Promote text context to attribute context.
+				if ( 'attribute' === $context ) {
+					$result[ $placeholder ]['context'] = 'attribute';
+				}
+			}
+
+			$result[ $placeholder ]['offsets'][] = array( $edit['start'], $edit['length'] );
+		}
+
+		return $result;
 	}
 
 	/**
@@ -83,11 +103,11 @@ public function get_placeholders(): array {
 	 * @since 7.0.0
 	 */
 	private function compile(): void {
-		if ( null !== $this->compiled ) {
+		if ( $this->is_compiled ) {
 			return;
 		}
 
-		$this->compiled          = array();
+		$this->is_compiled       = true;
 		$this->edits             = array();
 		$this->placeholder_names = array();
 
@@ -154,15 +174,6 @@ public function get_tag_attributes(): array {
 						break;
 					}
 
-					if ( ! isset( $this->compiled[ $placeholder ] ) ) {
-						$this->compiled[ $placeholder ] = array(
-							'offsets' => array(),
-							'context' => 'text',
-						);
-					}
-
-					$this->compiled[ $placeholder ]['offsets'][] = array( $start, $length );
-
 					// New: append placeholder edit and register name.
 					$this->edits[]                           = array(
 						'start'       => $start,
@@ -232,18 +243,6 @@ public function get_tag_attributes(): array {
 								}
 							}
 
-							if ( ! isset( $this->compiled[ $placeholder ] ) ) {
-								$this->compiled[ $placeholder ] = array(
-									'offsets' => array(),
-									'context' => 'attribute',
-								);
-							} else {
-								// Promote text context to attribute context.
-								$this->compiled[ $placeholder ]['context'] = 'attribute';
-							}
-
-							$this->compiled[ $placeholder ]['offsets'][] = array( $match_start, $match_length );
-
 							// New: append placeholder edit and register name.
 							$this->edits[]                           = array(
 								'start'       => $match_start,
@@ -379,7 +378,7 @@ public function bind( array $replacements ): static {
 		}
 
 		$new                    = new static( $this->template_string, $replacements );
-		$new->compiled          = $this->compiled;
+		$new->is_compiled       = $this->is_compiled;
 		$new->edits             = $this->edits;
 		$new->placeholder_names = $this->placeholder_names;
 		return $new;

From 03e6104c2353839bc9bc90a2990b426774bb244b Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Mon, 9 Feb 2026 10:51:39 +0100
Subject: [PATCH 50/66] lints

---
 .../phpunit/tests/html-api/wpHtmlTemplate.php | 29 +++++++++++--------
 1 file changed, 17 insertions(+), 12 deletions(-)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTemplate.php b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
index dd730a5ba3ab1..fa590562916b9 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTemplate.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
@@ -688,24 +688,24 @@ public function test_special_element_content_placeholder_behavior( string $templ
 	public static function data_atomic_element_content_placeholders() {
 		return array(
 			// RAWTEXT elements (SCRIPT, STYLE): Content is truly skipped, placeholders preserved literally.
-			'SCRIPT content placeholder preserved'        => array(
+			'SCRIPT content placeholder preserved' => array(
 				'<script>var x = "</%name>";</script>',
 				'<script>var x = "</%name>";</script>',
 			),
 
-			'STYLE content placeholder preserved'         => array(
+			'STYLE content placeholder preserved'  => array(
 				'<style>.foo { content: "</%content>"; }</style>',
 				'<style>.foo { content: "</%content>"; }</style>',
 			),
 
 			// RCDATA elements (TITLE, TEXTAREA): Content is processed but placeholder
 			// patterns are not recognized - they're treated as literal text and escaped.
-			'TITLE content placeholder escaped'           => array(
+			'TITLE content placeholder escaped'    => array(
 				'<title>Hello </%name></title>',
 				'<title>Hello &lt;/%name&gt;</title>',
 			),
 
-			'TEXTAREA content placeholder escaped'        => array(
+			'TEXTAREA content placeholder escaped' => array(
 				'<textarea></%placeholder></textarea>',
 				'<textarea>&lt;/%placeholder&gt;</textarea>',
 			),
@@ -735,21 +735,21 @@ public function test_pre_element_leading_newline_behavior( string $template_stri
 
 	public static function data_pre_element_leading_newline() {
 		return array(
-			'PRE without newline'        => array(
-				"<pre></%code></pre>",
-				array( 'code' => "line1\nline2"),
+			'PRE without newline'                         => array(
+				'<pre></%code></pre>',
+				array( 'code' => "line1\nline2" ),
 				"<pre>line1\nline2</pre>",
 			),
 
-			'PRE with newline' => array(
+			'PRE with newline'                            => array(
 				"<pre>\n</%code></pre>",
-				array( 'code' =>  "line1\nline2"),
+				array( 'code' => "line1\nline2" ),
 				"<pre>line1\nline2</pre>",
 			),
 
-			'PRE with newline in replacement' => array(
+			'PRE with newline in replacement'             => array(
 				"<pre>\n</%code></pre>",
-				array( 'code' =>   "line1\nline2"),
+				array( 'code' => "line1\nline2" ),
 				"<pre>line1\nline2</pre>",
 			),
 
@@ -792,7 +792,12 @@ public function test_bind_warns_on_missing_key() {
 	 */
 	public function test_bind_warns_on_unused_key() {
 		$template = T::from( '<p></%name></p>' );
-		$template->bind( array( 'name' => 'Alice', 'extra' => 'ignored' ) );
+		$template->bind(
+			array(
+				'name'  => 'Alice',
+				'extra' => 'ignored',
+			)
+		);
 	}
 
 	/**

From c275c8626c6b924d1d2e31c7dfdc5891f240efcb Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Mon, 9 Feb 2026 13:33:21 +0100
Subject: [PATCH 51/66] Document $replacements

---
 src/wp-includes/html-api/class-wp-html-template.php | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/wp-includes/html-api/class-wp-html-template.php b/src/wp-includes/html-api/class-wp-html-template.php
index 033ea88e83a77..5531d9fad6ce0 100644
--- a/src/wp-includes/html-api/class-wp-html-template.php
+++ b/src/wp-includes/html-api/class-wp-html-template.php
@@ -17,7 +17,14 @@ class WP_HTML_Template {
 	 */
 	private string $template_string;
 
-	private array $replacements = array();
+	/**
+	 * The replacement values for placeholders.
+	 *
+	 * @since 7.0.0
+	 *
+	 * @var array<string, string|self>|null
+	 */
+	private ?array $replacements = null;
 
 	/**
 	 * Whether the template has been compiled.

From d6c1c24a7f8a83c351ddea390b74ef9b22f68d65 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Mon, 9 Feb 2026 13:46:50 +0100
Subject: [PATCH 52/66] Use WP_HTML_Text_Replacement class

---
 .../html-api/class-wp-html-template.php       | 42 +++++++++----------
 1 file changed, 21 insertions(+), 21 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-template.php b/src/wp-includes/html-api/class-wp-html-template.php
index 5531d9fad6ce0..fdd2824236b94 100644
--- a/src/wp-includes/html-api/class-wp-html-template.php
+++ b/src/wp-includes/html-api/class-wp-html-template.php
@@ -46,7 +46,7 @@ class WP_HTML_Template {
 	 *   ['start' => int, 'length' => int, 'placeholder' => string, 'context' => 'text'|'attribute']
 	 *
 	 * @since 7.0.0
-	 * @var array
+	 * @var (array{'start': int, 'length': int, 'placeholder': string, 'context': 'text'|'attribute'}|WP_HTML_Text_Replacement)[]
 	 */
 	private array $edits = array();
 
@@ -150,10 +150,10 @@ public function get_tag_attributes(): array {
 					}
 					$normalized = $processor->serialize_token();
 					if ( 0 !== substr_compare( $processor->get_html(), $normalized, $mark->start, $mark->length ) ) {
-						$this->edits[] = array(
-							'start'       => $mark->start,
-							'length'      => $mark->length,
-							'replacement' => $normalized,
+						$this->edits[] = new WP_HTML_Text_Replacement(
+							$mark->start,
+							$mark->length,
+							$normalized,
 						);
 					}
 					break;
@@ -242,10 +242,10 @@ public function get_tag_attributes(): array {
 								);
 								// Only add edit if escaping actually changes the text.
 								if ( $escaped !== $original ) {
-									$this->edits[] = array(
-										'start'       => $last_offset,
-										'length'      => $seg_length,
-										'replacement' => $escaped,
+									$this->edits[] = new WP_HTML_Text_Replacement(
+										$last_offset,
+										$seg_length,
+										$escaped,
 									);
 								}
 							}
@@ -280,10 +280,10 @@ public function get_tag_attributes(): array {
 							);
 							// Only add edit if escaping actually changes the text.
 							if ( $escaped !== $original ) {
-								$this->edits[] = array(
-									'start'       => $last_offset,
-									'length'      => $seg_length,
-									'replacement' => $escaped,
+								$this->edits[] = new WP_HTML_Text_Replacement(
+									$last_offset,
+									$seg_length,
+									$escaped,
 								);
 							}
 						}
@@ -293,7 +293,7 @@ public function get_tag_attributes(): array {
 		}
 	}
 
-	private function __construct( string $template_string, array $replacements ) {
+	private function __construct( string $template_string, ?array $replacements ) {
 		$this->template_string = $template_string;
 		$this->replacements    = $replacements;
 	}
@@ -306,8 +306,8 @@ private function __construct( string $template_string, array $replacements ) {
 	 * @param string $template The template string with placeholders.
 	 * @return static The template instance.
 	 */
-	public static function from( string $template ): static {
-		return new static( $template, array() );
+	public static function from( string $template, ?array $replacements = null ): static {
+		return new static( $template, $replacements );
 	}
 
 	/**
@@ -363,7 +363,7 @@ public function bind( array $replacements ): static {
 
 		// Check for templates in attribute context.
 		foreach ( $this->edits as $edit ) {
-			if ( ! isset( $edit['placeholder'] ) || 'attribute' !== $edit['context'] ) {
+			if ( $edit instanceof WP_HTML_Text_Replacement || 'attribute' !== $edit['context'] ) {
 				continue;
 			}
 
@@ -429,7 +429,10 @@ public function render(): string|false {
 
 		// Process edits in reverse order (end to start) to preserve positions.
 		foreach ( array_reverse( $this->edits ) as $edit ) {
-			if ( isset( $edit['placeholder'] ) ) {
+			if ( $edit instanceof WP_HTML_Text_Replacement ) {
+				// Pre-computed replacement: apply directly.
+				$html = substr_replace( $html, $edit->text, $edit->start, $edit->length );
+			} else {
 				// Placeholder: look up replacement value.
 				$placeholder = $edit['placeholder'];
 
@@ -461,9 +464,6 @@ public function render(): string|false {
 				} else {
 					return false;
 				}
-			} else {
-				// Pre-computed replacement: apply directly.
-				$html = substr_replace( $html, $edit['replacement'], $edit['start'], $edit['length'] );
 			}
 		}
 

From 14d5df99b8e9a77ea0edb396e3b71c3529bac16c Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Mon, 9 Feb 2026 14:02:19 +0100
Subject: [PATCH 53/66] Rely on HTML API text replacement

---
 .../html-api/class-wp-html-template.php       | 44 ++++++++++---------
 1 file changed, 24 insertions(+), 20 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-template.php b/src/wp-includes/html-api/class-wp-html-template.php
index fdd2824236b94..c42c93ad7f4e1 100644
--- a/src/wp-includes/html-api/class-wp-html-template.php
+++ b/src/wp-includes/html-api/class-wp-html-template.php
@@ -413,6 +413,7 @@ public function render(): string|false {
 		$this->compile();
 
 		if ( empty( $this->replacements ) ) {
+			// @todo check for missing names.
 			return WP_HTML_Processor::normalize( $this->template_string ) ?? $this->template_string;
 		}
 
@@ -424,31 +425,24 @@ public function render(): string|false {
 			'"' => '&quot;',
 		);
 
-		$html      = $this->template_string;
-		$used_keys = array();
+		$processor = ( new class( $this->template_string ) extends WP_HTML_Tag_Processor {
+			public function push_update( WP_HTML_Text_Replacement $update ) {
+				$this->lexical_updates[] = $update;
+			}
+		} );
 
-		// Process edits in reverse order (end to start) to preserve positions.
-		foreach ( array_reverse( $this->edits ) as $edit ) {
+		$used_keys = array();
+		foreach ( $this->edits as $edit ) {
 			if ( $edit instanceof WP_HTML_Text_Replacement ) {
-				// Pre-computed replacement: apply directly.
-				$html = substr_replace( $html, $edit->text, $edit->start, $edit->length );
+				$processor->push_update( $edit );
 			} else {
 				// Placeholder: look up replacement value.
 				$placeholder = $edit['placeholder'];
-
-				if ( array_key_exists( $placeholder, $this->replacements ) ) {
-					$key = $placeholder;
-				} elseif ( ctype_digit( $placeholder ) && array_key_exists( (int) $placeholder, $this->replacements ) ) {
-					$key = (int) $placeholder;
-				} else {
-					return false;
-				}
-
-				$used_keys[ $key ] = true;
-				$value             = $this->replacements[ $key ];
+				$value       = $this->replacements[ $placeholder ] ?? null;
 
 				if ( $value instanceof self ) {
 					if ( 'attribute' === $edit['context'] ) {
+						// @todo doing it wrong.
 						return false;
 					}
 
@@ -457,13 +451,19 @@ public function render(): string|false {
 						return false;
 					}
 
-					$html = substr_replace( $html, $rendered, $edit['start'], $edit['length'] );
+					$processor->push_update(
+						new WP_HTML_Text_Replacement( $edit['start'], $edit['length'], $rendered ),
+					);
 				} elseif ( is_string( $value ) ) {
 					$escaped = strtr( $value, $escape_map );
-					$html    = substr_replace( $html, $escaped, $edit['start'], $edit['length'] );
+					$processor->push_update(
+						new WP_HTML_Text_Replacement( $edit['start'], $edit['length'], $escaped ),
+					);
 				} else {
+					// @todo doing it wrong.
 					return false;
 				}
+				$used_keys[ $placeholder ] = true;
 			}
 		}
 
@@ -472,6 +472,10 @@ public function render(): string|false {
 			return false;
 		}
 
-		return WP_HTML_Processor::normalize( $html ) ?? $html;
+		/*
+		 * @todo ideally, just call `$processor->serialize()`.
+		 * @todo doing it wrong?
+		 */
+		return WP_HTML_Processor::normalize( $processor->get_updated_html() ) ?? false;
 	}
 }

From fa9d84e9b888f0dbfc5a10d0d254b4f478dd638d Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Mon, 9 Feb 2026 15:42:32 +0100
Subject: [PATCH 54/66] Tests: Refactor static text escaping test to use data
 provider

Converts test_escapes_static_text_around_placeholder_in_attribute from
inline multiple assertions to a @dataProvider pattern for better test
isolation and clearer failure messages.
---
 .../phpunit/tests/html-api/wpHtmlTemplate.php | 69 +++++++++++--------
 1 file changed, 39 insertions(+), 30 deletions(-)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTemplate.php b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
index fa590562916b9..ce360562a66c7 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTemplate.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
@@ -902,40 +902,49 @@ public function test_extracts_attribute_placeholders() {
 	 *
 	 * @ticket 60229
 	 *
+	 * @dataProvider data_escapes_static_text_around_placeholder_in_attribute
+	 *
 	 * @covers ::from
 	 * @covers ::bind
 	 * @covers ::render
 	 */
-	public function test_escapes_static_text_around_placeholder_in_attribute() {
-		// Leading static text (prefix before placeholder)
-		$result = T::from( '<a href="/path/</%slug>">Link</a>' )
-			->bind( array( 'slug' => 'hello' ) )
-			->render();
-		$this->assertEqualHTML( '<a href="/path/hello">Link</a>', $result );
-
-		// Trailing static text (suffix after placeholder)
-		$result = T::from( '<a href="</%slug>/page">Link</a>' )
-			->bind( array( 'slug' => 'hello' ) )
-			->render();
-		$this->assertEqualHTML( '<a href="hello/page">Link</a>', $result );
-
-		// Ampersand in trailing static text must be escaped
-		$result = T::from( '<a href="</%base>&amp;extra=1">Link</a>' )
-			->bind( array( 'base' => '/search?q=test' ) )
-			->render();
-		$this->assertEqualHTML( '<a href="/search?q=test&amp;extra=1">Link</a>', $result );
-
-		// Ampersand entity in leading static text must not be double-escaped
-		$result = T::from( '<a href="/search?a=1&amp;b=</%val>">Link</a>' )
-			->bind( array( 'val' => '2' ) )
-			->render();
-		$this->assertEqualHTML( '<a href="/search?a=1&amp;b=2">Link</a>', $result );
-
-		// Character reference in trailing static text is preserved (not double-escaped)
-		$result = T::from( '<meta name="</%placeholder>&not;">' )
-			->bind( array( 'placeholder' => '' ) )
-			->render();
-		$this->assertEqualHTML( '<meta name="¬">', $result );
+	public function test_escapes_static_text_around_placeholder_in_attribute( string $template_string, array $replacements, string $expected ) {
+		$result = T::from( $template_string )->bind( $replacements )->render();
+		$this->assertEqualHTML( $expected, $result );
+	}
+
+	public static function data_escapes_static_text_around_placeholder_in_attribute() {
+		return array(
+			'leading static text (prefix before placeholder)'              => array(
+				'<a href="/path/</%slug>">Link</a>',
+				array( 'slug' => 'hello' ),
+				'<a href="/path/hello">Link</a>',
+			),
+
+			'trailing static text (suffix after placeholder)'              => array(
+				'<a href="</%slug>/page">Link</a>',
+				array( 'slug' => 'hello' ),
+				'<a href="hello/page">Link</a>',
+			),
+
+			'ampersand in trailing static text must be escaped'            => array(
+				'<a href="</%base>&amp;extra=1">Link</a>',
+				array( 'base' => '/search?q=test' ),
+				'<a href="/search?q=test&amp;extra=1">Link</a>',
+			),
+
+			'ampersand entity in leading static text not double-escaped'   => array(
+				'<a href="/search?a=1&amp;b=</%val>">Link</a>',
+				array( 'val' => '2' ),
+				'<a href="/search?a=1&amp;b=2">Link</a>',
+			),
+
+			'character reference in trailing static text preserved'        => array(
+				'<meta name="</%placeholder>&not;">',
+				array( 'placeholder' => '' ),
+				'<meta name="¬">',
+			),
+		);
 	}
 
 	public function test_context_promotion_text_to_attribute() {

From 26a45328f6d9fefbda70c978b16676bf7a218a17 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Mon, 9 Feb 2026 16:18:56 +0100
Subject: [PATCH 55/66] Remove dangling docblock

---
 tests/phpunit/tests/html-api/wpHtmlTemplate.php | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTemplate.php b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
index ce360562a66c7..8419ce8e5ca1a 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTemplate.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
@@ -887,16 +887,6 @@ public function test_extracts_attribute_placeholders() {
 		$this->assertSame( 'attribute', $placeholders['c']['context'] );
 	}
 
-	/**
-	 * Verifies context promotion from text to attribute.
-	 *
-	 * When a placeholder appears in both text and attribute contexts,
-	 * the attribute context takes precedence (more restrictive escaping).
-	 *
-	 * @ticket 60229
-	 *
-	 * @covers ::get_placeholders
-	 */
 	/**
 	 * Verifies that static text around placeholders in attributes is escaped.
 	 *

From 6ec99ea02d98bda412ff7bb02577e03d956baf0f Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Mon, 9 Feb 2026 16:20:53 +0100
Subject: [PATCH 56/66] Remove is_compiled (derive)

---
 .../html-api/class-wp-html-template.php          | 16 +++-------------
 1 file changed, 3 insertions(+), 13 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-template.php b/src/wp-includes/html-api/class-wp-html-template.php
index c42c93ad7f4e1..47bd3b44f5ce6 100644
--- a/src/wp-includes/html-api/class-wp-html-template.php
+++ b/src/wp-includes/html-api/class-wp-html-template.php
@@ -26,14 +26,6 @@ class WP_HTML_Template {
 	 */
 	private ?array $replacements = null;
 
-	/**
-	 * Whether the template has been compiled.
-	 *
-	 * @since 7.0.0
-	 * @var bool
-	 */
-	private bool $is_compiled = false;
-
 	/**
 	 * Unified edit operations list.
 	 *
@@ -46,9 +38,9 @@ class WP_HTML_Template {
 	 *   ['start' => int, 'length' => int, 'placeholder' => string, 'context' => 'text'|'attribute']
 	 *
 	 * @since 7.0.0
-	 * @var (array{'start': int, 'length': int, 'placeholder': string, 'context': 'text'|'attribute'}|WP_HTML_Text_Replacement)[]
+	 * @var null|array<array{'start': int, 'length': int, 'placeholder': string, 'context': 'text'|'attribute'}|WP_HTML_Text_Replacement>
 	 */
-	private array $edits = array();
+	private ?array $edits = null;
 
 	/**
 	 * Placeholder names for O(1) validation.
@@ -110,11 +102,10 @@ public function get_placeholders(): array {
 	 * @since 7.0.0
 	 */
 	private function compile(): void {
-		if ( $this->is_compiled ) {
+		if ( null !== $this->edits ) {
 			return;
 		}
 
-		$this->is_compiled       = true;
 		$this->edits             = array();
 		$this->placeholder_names = array();
 
@@ -385,7 +376,6 @@ public function bind( array $replacements ): static {
 		}
 
 		$new                    = new static( $this->template_string, $replacements );
-		$new->is_compiled       = $this->is_compiled;
 		$new->edits             = $this->edits;
 		$new->placeholder_names = $this->placeholder_names;
 		return $new;

From 73ff19e035bce19a88e92675e289a7f7af08a319 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Mon, 9 Feb 2026 17:02:15 +0100
Subject: [PATCH 57/66] Add replacement warning test

---
 .../phpunit/tests/html-api/wpHtmlTemplate.php  | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTemplate.php b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
index 8419ce8e5ca1a..802f3ad0a70ca 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTemplate.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
@@ -947,4 +947,22 @@ public function test_context_promotion_text_to_attribute() {
 		$this->assertSame( 'attribute', $placeholders['url']['context'] );
 		$this->assertCount( 2, $placeholders['url']['offsets'] );
 	}
+
+	/**
+	 * @ticket 60229
+	 */
+	public function test_warns_on_unrecognized_replacements() {
+		$this->setExpectedIncorrectUsage( 'WP_HTML_Template::bind' );
+		$template = T::from( '<meta>' );
+		$template->bind( array( 'extra' => 'oops' ) );
+	}
+
+	/**
+	 * @ticket 60229
+	 */
+	public function test_warns_on_omit_replacement() {
+		$this->setExpectedIncorrectUsage( 'WP_HTML_Template::bind' );
+		$template = T::from( '</% omitted >' );
+		$template->bind( array() );
+	}
 }

From 51640e630d46b45ca179af58a1501ee031c53ffe Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Mon, 9 Feb 2026 17:03:31 +0100
Subject: [PATCH 58/66] remove get_placeholders

---
 .../html-api/class-wp-html-template.php       | 42 ----------
 .../phpunit/tests/html-api/wpHtmlTemplate.php | 84 -------------------
 2 files changed, 126 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-template.php b/src/wp-includes/html-api/class-wp-html-template.php
index 47bd3b44f5ce6..e1f9503c215ff 100644
--- a/src/wp-includes/html-api/class-wp-html-template.php
+++ b/src/wp-includes/html-api/class-wp-html-template.php
@@ -50,48 +50,6 @@ class WP_HTML_Template {
 	 */
 	private array $placeholder_names = array();
 
-	/**
-	 * Returns the compiled placeholder metadata.
-	 *
-	 * Derives the grouped structure from $edits on-demand.
-	 * If a placeholder appears in both text and attribute contexts,
-	 * the attribute context takes precedence (more restrictive).
-	 *
-	 * @since 7.0.0
-	 *
-	 * @return array Associative array of placeholder_name => metadata.
-	 */
-	public function get_placeholders(): array {
-		$this->compile();
-
-		$result = array();
-
-		foreach ( $this->edits as $edit ) {
-			if ( ! isset( $edit['placeholder'] ) ) {
-				continue;
-			}
-
-			$placeholder = $edit['placeholder'];
-			$context     = $edit['context'];
-
-			if ( ! isset( $result[ $placeholder ] ) ) {
-				$result[ $placeholder ] = array(
-					'offsets' => array(),
-					'context' => $context,
-				);
-			} else {
-				// Promote text context to attribute context.
-				if ( 'attribute' === $context ) {
-					$result[ $placeholder ]['context'] = 'attribute';
-				}
-			}
-
-			$result[ $placeholder ]['offsets'][] = array( $edit['start'], $edit['length'] );
-		}
-
-		return $result;
-	}
-
 	/**
 	 * Compiles the template to extract placeholder metadata.
 	 *
diff --git a/tests/phpunit/tests/html-api/wpHtmlTemplate.php b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
index 802f3ad0a70ca..29dfa1c78fd37 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTemplate.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
@@ -814,79 +814,6 @@ public function test_bind_warns_on_template_in_attribute_context() {
 		$template->bind( array( 'html' => T::from( '<b>nested</b>' ) ) );
 	}
 
-	/**
-	 * Verifies that get_placeholders returns placeholder metadata.
-	 *
-	 * @ticket 60229
-	 *
-	 * @covers ::get_placeholders
-	 */
-	public function test_get_placeholders_returns_metadata() {
-		$template = T::from( '<p class="</%class>"></%content></p>' );
-
-		$placeholders = $template->get_placeholders();
-
-		$this->assertArrayHasKey( 'class', $placeholders );
-		$this->assertArrayHasKey( 'content', $placeholders );
-		$this->assertSame( 'attribute', $placeholders['class']['context'] );
-		$this->assertSame( 'text', $placeholders['content']['context'] );
-	}
-
-	/**
-	 * Verifies text placeholders are extracted with correct offsets.
-	 *
-	 * @ticket 60229
-	 *
-	 * @covers ::get_placeholders
-	 */
-	public function test_extracts_text_placeholders_with_offsets() {
-		$template = T::from( '<p></%name></p>' );
-
-		$placeholders = $template->get_placeholders();
-
-		$this->assertArrayHasKey( 'name', $placeholders );
-		$this->assertSame( 'text', $placeholders['name']['context'] );
-		$this->assertCount( 1, $placeholders['name']['offsets'] );
-		// <p> is 3 chars, so </%name> starts at offset 3
-		$this->assertSame( 3, $placeholders['name']['offsets'][0][0] );
-		// </%name> is 8 chars
-		$this->assertSame( 8, $placeholders['name']['offsets'][0][1] );
-	}
-
-	/**
-	 * Verifies repeated text placeholders are captured.
-	 *
-	 * @ticket 60229
-	 *
-	 * @covers ::get_placeholders
-	 */
-	public function test_extracts_repeated_text_placeholders() {
-		$template = T::from( '<p></%name> and </%name></p>' );
-
-		$placeholders = $template->get_placeholders();
-
-		$this->assertArrayHasKey( 'name', $placeholders );
-		$this->assertCount( 2, $placeholders['name']['offsets'] );
-	}
-
-	/**
-	 * Verifies attribute placeholders are extracted.
-	 *
-	 * @ticket 60229
-	 *
-	 * @covers ::get_placeholders
-	 */
-	public function test_extracts_attribute_placeholders() {
-		$template = T::from( '<meta name="</%n>" content="</%c>">' );
-
-		$placeholders = $template->get_placeholders();
-
-		$this->assertArrayHasKey( 'n', $placeholders );
-		$this->assertArrayHasKey( 'c', $placeholders );
-		$this->assertSame( 'attribute', $placeholders['n']['context'] );
-		$this->assertSame( 'attribute', $placeholders['c']['context'] );
-	}
-
 	/**
 	 * Verifies that static text around placeholders in attributes is escaped.
 	 *
@@ -937,17 +864,6 @@ public static function data_escapes_static_text_around_placeholder_in_attribute(
 		);
 	}
 
-	public function test_context_promotion_text_to_attribute() {
-		$template = T::from( '<a href="</%url>"></%url></a>' );
-
-		$placeholders = $template->get_placeholders();
-
-		$this->assertArrayHasKey( 'url', $placeholders );
-		// Both occurrences should use attribute context
-		$this->assertSame( 'attribute', $placeholders['url']['context'] );
-		$this->assertCount( 2, $placeholders['url']['offsets'] );
-	}
-
 	/**
 	 * @ticket 60229
 	 */

From ee24adc327696ff04b534ba196c43f4c36aaef77 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Tue, 10 Feb 2026 17:03:38 +0100
Subject: [PATCH 59/66] Drop numeric placeholders / list replacements

---
 .../html-api/class-wp-html-template.php       | 24 ++++++++-----------
 .../phpunit/tests/html-api/wpHtmlTemplate.php | 24 +++++++------------
 2 files changed, 19 insertions(+), 29 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-template.php b/src/wp-includes/html-api/class-wp-html-template.php
index e1f9503c215ff..61e7433527221 100644
--- a/src/wp-includes/html-api/class-wp-html-template.php
+++ b/src/wp-includes/html-api/class-wp-html-template.php
@@ -125,8 +125,12 @@ public function get_tag_attributes(): array {
 
 					$placeholder = trim( substr( $html, $start + 3, $length - 4 ), " \t\n\r\f" );
 
-					// Valid placeholders match `/[a-z0-9_-]+/i`
-					if ( strlen( $placeholder ) !== strspn( $placeholder, 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-' ) ) {
+					// Valid placeholders match `/[a-z][a-z0-9_-]*/i` (must start with letter).
+					if (
+						'' === $placeholder ||
+						! ctype_alpha( $placeholder[0] ) ||
+						strlen( $placeholder ) !== strspn( $placeholder, 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-' )
+					) {
 						break;
 					}
 
@@ -162,7 +166,7 @@ public function get_tag_attributes(): array {
 
 						while (
 							1 === preg_match(
-								'#</%[ \\t\\r\\f\\n]*([a-z0-9_-]+)[ \\t\\r\\f\\n]*>#i',
+								'#</%[ \\t\\r\\f\\n]*([a-z][a-z0-9_-]*)[ \\t\\r\\f\\n]*>#i',
 								$html,
 								$matches,
 								PREG_OFFSET_CAPTURE,
@@ -277,12 +281,7 @@ public function bind( array $replacements ): static {
 
 		// Check for missing keys (placeholder without replacement).
 		foreach ( $this->placeholder_names as $placeholder => $_ ) {
-			$placeholder = (string) $placeholder;
-			$found       = array_key_exists( $placeholder, $replacements );
-			if ( ! $found && ctype_digit( $placeholder ) ) {
-				$found = array_key_exists( (int) $placeholder, $replacements );
-			}
-			if ( ! $found ) {
+			if ( ! array_key_exists( $placeholder, $replacements ) ) {
 				_doing_it_wrong(
 					__METHOD__,
 					sprintf(
@@ -296,9 +295,7 @@ public function bind( array $replacements ): static {
 
 		// Check for unused keys (replacement without placeholder).
 		foreach ( $replacements as $key => $value ) {
-			$str_key = (string) $key;
-			$found   = isset( $this->placeholder_names[ $key ] ) || isset( $this->placeholder_names[ $str_key ] );
-			if ( ! $found ) {
+			if ( ! isset( $this->placeholder_names[ $key ] ) ) {
 				_doing_it_wrong(
 					__METHOD__,
 					sprintf(
@@ -317,8 +314,7 @@ public function bind( array $replacements ): static {
 			}
 
 			$placeholder = $edit['placeholder'];
-			$key         = ctype_digit( $placeholder ) ? (int) $placeholder : $placeholder;
-			$value       = $replacements[ $key ] ?? $replacements[ $placeholder ] ?? null;
+			$value       = $replacements[ $placeholder ] ?? null;
 
 			if ( $value instanceof self ) {
 				_doing_it_wrong(
diff --git a/tests/phpunit/tests/html-api/wpHtmlTemplate.php b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
index 29dfa1c78fd37..483c6cd701ac7 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTemplate.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
@@ -186,16 +186,10 @@ public static function data_template() {
 				'<p>Hello, &lt;little-bobby-tags&gt;!</p>',
 			),
 
-			'numeric placeholders'               => array(
-				'<p>Hello, </%0> and </%1>!</p>',
-				array( 'Alice', 'Bob' ),
-				'<p>Hello, Alice and Bob!</p>',
-			),
-
 			'repeated placeholders'              => array(
-				'<p></%0>, </% 0 >, </%name>, & </%name>!</p>',
+				'<p></%a>, </% a >, </%name>, & </%name>!</p>',
 				array(
-					'Alice',
+					'a'    => 'Alice',
 					'name' => 'Bob',
 				),
 				'<p>Alice, Alice, Bob, &amp; Bob!</p>',
@@ -402,14 +396,14 @@ public static function data_real_world_examples() {
 			'<label for="user_name">Name:</label> <input id="user_name" name="user_name" type="text" />',
 		);
 
-		// Numeric placeholders like sprintf
-		yield 'numeric placeholders' => array(
-			'<a href="</%0>"></%1></a> by <a href="</%2>"></%3></a>',
+		// Named placeholders
+		yield 'named placeholders' => array(
+			'<a href="</%postUrl>"></%postTitle></a> by <a href="</%authorUrl>"></%authorName></a>',
 			array(
-				'https://example.com/post/',
-				'Post Title',
-				'https://example.com/author/',
-				'Author Name',
+				'postUrl'    => 'https://example.com/post/',
+				'postTitle'  => 'Post Title',
+				'authorUrl'  => 'https://example.com/author/',
+				'authorName' => 'Author Name',
 			),
 			'<a href="https://example.com/post/">Post Title</a> by <a href="https://example.com/author/">Author Name</a>',
 		);

From 7187586de8a4f646d95f01f0e59affeaf61fcc67 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Tue, 10 Feb 2026 17:28:59 +0100
Subject: [PATCH 60/66] Tests: Add coverage for invalid replacement type
 rejection

Verify that render() returns false when replacements are:
- integers
- arrays
- objects (without __toString)
- null
- booleans

Only strings and WP_HTML_Template instances are valid replacement values.

See #60229.
---
 .../phpunit/tests/html-api/wpHtmlTemplate.php | 60 +++++++++++++++++++
 1 file changed, 60 insertions(+)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTemplate.php b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
index 483c6cd701ac7..3f448f6aa2cfa 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTemplate.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
@@ -875,4 +875,64 @@ public function test_warns_on_omit_replacement() {
 		$template = T::from( '</% omitted >' );
 		$template->bind( array() );
 	}
+
+	/**
+	 * Verifies render() returns false for integer replacement value.
+	 *
+	 * @ticket 60229
+	 *
+	 * @covers ::render
+	 */
+	public function test_render_returns_false_for_integer_replacement() {
+		$result = T::from( '<p></%val></p>' )->bind( array( 'val' => 123 ) )->render();
+		$this->assertFalse( $result );
+	}
+
+	/**
+	 * Verifies render() returns false for array replacement value.
+	 *
+	 * @ticket 60229
+	 *
+	 * @covers ::render
+	 */
+	public function test_render_returns_false_for_array_replacement() {
+		$result = T::from( '<p></%val></p>' )->bind( array( 'val' => array( 'a', 'b' ) ) )->render();
+		$this->assertFalse( $result );
+	}
+
+	/**
+	 * Verifies render() returns false for object replacement value without __toString.
+	 *
+	 * @ticket 60229
+	 *
+	 * @covers ::render
+	 */
+	public function test_render_returns_false_for_object_replacement() {
+		$result = T::from( '<p></%val></p>' )->bind( array( 'val' => new stdClass() ) )->render();
+		$this->assertFalse( $result );
+	}
+
+	/**
+	 * Verifies render() returns false for null replacement value.
+	 *
+	 * @ticket 60229
+	 *
+	 * @covers ::render
+	 */
+	public function test_render_returns_false_for_null_replacement() {
+		$result = T::from( '<p></%val></p>' )->bind( array( 'val' => null ) )->render();
+		$this->assertFalse( $result );
+	}
+
+	/**
+	 * Verifies render() returns false for boolean replacement value.
+	 *
+	 * @ticket 60229
+	 *
+	 * @covers ::render
+	 */
+	public function test_render_returns_false_for_boolean_replacement() {
+		$result = T::from( '<p></%val></p>' )->bind( array( 'val' => true ) )->render();
+		$this->assertFalse( $result );
+	}
 }

From a8ca49d896c1ec6027540455338071741f4a7e19 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Tue, 10 Feb 2026 17:40:07 +0100
Subject: [PATCH 61/66] Add status assessment

---
 STATUS.md | 118 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 118 insertions(+)
 create mode 100644 STATUS.md

diff --git a/STATUS.md b/STATUS.md
new file mode 100644
index 0000000000000..5e4ccae50ec72
--- /dev/null
+++ b/STATUS.md
@@ -0,0 +1,118 @@
+## Critical Analysis: WP_HTML_Template vs. Ticket #60229 Requirements
+
+I've examined ticket #60229, the current branch implementation, and the test suite. Here's my analysis:
+
+---
+
+### What's Working Well
+
+**1. Core Safety Goal Achieved**
+The implementation delivers on the primary promise: context-aware auto-escaping. The code correctly escapes `&`, `<`, `>`, `"`, `'` in both text and attribute contexts. Tests confirm placeholders can't be injected via replacement values (non-recursive replacement).
+
+**2. Funky Comment Syntax**
+The `</%placeholder>` syntax is a smart choice—it's valid HTML (parsed as a funky comment), can't be nested by construction, and is visually distinctive. The parsing handles whitespace around names correctly.
+
+**3. Nested Templates**
+Template composition (`WP_HTML_Template` as replacement value) works for text context with proper escaping propagation. The rejection of templates in attribute context is the right safety call.
+
+**4. Compile-once Design**
+Lazy compilation with cached edits (`$edits` array) is efficient for template reuse.
+
+---
+
+### What's Missing from the Ticket Requirements
+
+**1. No URL Escaping (Ticket TODO)**
+The ticket explicitly says "does not escape URLs differently than other attributes." The XSS test shows `javascript:alert("xss")` only escapes quotes—no `esc_url()` equivalent. This is a security gap for `href`/`src` attributes.
+
+**2. Boolean Attributes Not Implemented**
+Ticket promises: "supply true to create a boolean attribute or false/null remove an attribute." The current implementation only handles string and Template replacement values. No boolean support visible.
+
+**3. No Attribute Spread**
+Ticket comment 9 discusses "spread" attributes for making tags placeholders. Not implemented.
+
+**4. Missing Output Format Methods**
+Ticket TODO lists `->final_output_to_browser()`, `->final_output_to_plaintext()`, `->final_output_to_markdown()`, etc. None exist.
+
+**5. Embed Replacement in Tag Processor (Ticket TODO)**
+The ticket wants replacement embedded in the Tag Processor. Current implementation uses a separate class with its own parsing pass.
+
+---
+
+### Overlooked Issues in the Ticket
+
+**1. RAWTEXT/RCDATA Element Handling Is Half-Baked**
+Tests show placeholders inside `<script>`, `<style>` are preserved literally, while `<title>`, `<textarea>` escape them as text. Neither allows actual replacement. The ticket doesn't acknowledge this limitation clearly. If I write a template for a script tag's content, I'd expect placeholders to work.
+
+**2. Table Context Parsing**
+Test explicitly skipped: "IN TABLE templates are not supported yet." HTML parsing rules for tables are complex—implicit elements, foster parenting. The ticket doesn't address this at all. Tables are everywhere in WordPress admin.
+
+**3. No i18n Integration**
+The ticket mentions "translation" as a sigil use case, and gziolo's comment asks about `createInterpolateElement` parity. Zero implementation of translation awareness. For WordPress core, this is a big miss.
+
+**4. Performance Not Benchmarked**
+Normalization runs twice: once in `compile()` for text detection, once in `render()` for final output. For high-frequency template rendering (e.g., list items), this could add up.
+
+**5. Error Handling Philosophy Unclear**
+`render()` returns `false` on errors, but `bind()` uses `_doing_it_wrong()` warnings and still returns a template. Mixed signals—should errors be fatal or recoverable? The test gaps document lists many untested failure cases.
+
+---
+
+### Gaps in Test Coverage (From Test-Gaps.md + My Observations)
+
+**High Priority Missing:**
+
+-   Non-string replacement values (integers, arrays, nulls) → should fail gracefully
+-   Multiple placeholders in single attribute (e.g., `href="</%scheme>://</%host>"`)
+-   Template immutability verification (`bind()` returns new instance)
+
+**The PRE newline test is skipped** but the behavior matters—WordPress often outputs preformatted code.
+
+**No tests for:**
+
+-   Very long templates/replacements (memory/performance)
+-   Deeply nested templates (stack depth)
+-   Unicode/multibyte characters in placeholder names
+-   SVG/MathML elements
+
+---
+
+### API Design Questions
+
+**1. Why `from()` → `bind()` → `render()` instead of a single call?**
+For reusable templates, the separation makes sense. But most WordPress use cases are one-shot renders. A convenience method like `::render($template, $replacements)` would be more ergonomic.
+
+**2. `render()` Returns `string|false`—Is That Right?**
+Returning `false` on error is classic WordPress, but it means every call site needs error checking. Exceptions or a Result type would be safer, though breaking with WP conventions.
+
+**3. What About Streaming/Chunked Output?**
+For large templates, building the entire string in memory before output is wasteful. No consideration of echo-as-you-go.
+
+---
+
+### What's the Competition Doing That WP Isn't?
+
+-   **Blade/Twig**: Rich conditionals, loops, inheritance. WP_HTML_Template is deliberately minimal.
+-   **htmx/alpine patterns**: Server-side templating with client-side enhancement. No thought given here.
+-   **Lit/React SSR**: Hydration markers. Not applicable, but WP could learn from structured output strategies.
+
+The ticket's philosophy is "prefer trust and safety over features"—valid, but means this won't replace most template use cases. It's targeted at safe HTML generation, not a full templating language.
+
+---
+
+### Summary Table
+
+| Requirement                | Status | Notes                          |
+| -------------------------- | ------ | ------------------------------ |
+| Context-aware escaping     | ✅     | Works for text and attributes  |
+| Funky comment placeholders | ✅     | Clean implementation           |
+| Nested HTML via Templates  | ✅     | Text context only              |
+| Boolean attributes         | ❌     | Not implemented                |
+| URL escaping               | ❌     | Only generic escaping          |
+| Attribute spread           | ❌     | Not implemented                |
+| Output format methods      | ❌     | Not implemented                |
+| Tag Processor integration  | ❌     | Separate class                 |
+| Table context support      | ❌     | Explicitly unsupported         |
+| i18n integration           | ❌     | Not addressed                  |
+| RAWTEXT/RCDATA replacement | ❌     | Placeholders don't work inside |
+

From 7cb1f7417e501b2e522693c4ca00fc2d9e3ce29e Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Tue, 10 Feb 2026 17:42:06 +0100
Subject: [PATCH 62/66] Add multiple placeholder tests

---
 .../phpunit/tests/html-api/wpHtmlTemplate.php | 83 +++++++++++++++++++
 1 file changed, 83 insertions(+)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTemplate.php b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
index 3f448f6aa2cfa..e68abf37699e0 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTemplate.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
@@ -858,6 +858,89 @@ public static function data_escapes_static_text_around_placeholder_in_attribute(
 		);
 	}
 
+	/**
+	 * Verifies multiple placeholders work in a single attribute value.
+	 *
+	 * @ticket 60229
+	 *
+	 * @dataProvider data_multiple_placeholders_in_single_attribute
+	 *
+	 * @covers ::from
+	 * @covers ::bind
+	 * @covers ::render
+	 */
+	public function test_multiple_placeholders_in_single_attribute( string $template_string, array $replacements, string $expected ) {
+		$result = T::from( $template_string )->bind( $replacements )->render();
+		$this->assertEqualHTML( $expected, $result );
+	}
+
+	public static function data_multiple_placeholders_in_single_attribute() {
+		return array(
+			'two placeholders in href'                       => array(
+				'<a href="</%base>/</%slug>">link</a>',
+				array(
+					'base' => '/posts',
+					'slug' => 'hello-world',
+				),
+				'<a href="/posts/hello-world">link</a>',
+			),
+
+			'three placeholders building URL'                => array(
+				'<a href="</%scheme>://</%host>/</%path>">link</a>',
+				array(
+					'scheme' => 'https',
+					'host'   => 'example.com',
+					'path'   => 'page',
+				),
+				'<a href="https://example.com/page">link</a>',
+			),
+
+			'adjacent placeholders (no separator)'           => array(
+				'<meta content="</%a></%b>">',
+				array(
+					'a' => 'Hello',
+					'b' => 'World',
+				),
+				'<meta content="HelloWorld">',
+			),
+
+			'placeholders with static text between'          => array(
+				'<a href="</%base>?page=</%page>&sort=</%sort>">link</a>',
+				array(
+					'base' => '/search',
+					'page' => '2',
+					'sort' => 'date',
+				),
+				'<a href="/search?page=2&amp;sort=date">link</a>',
+			),
+
+			'same placeholder repeated in attribute'         => array(
+				'<meta content="</%val>-</%val>">',
+				array( 'val' => 'test' ),
+				'<meta content="test-test">',
+			),
+
+			'escaping in multiple placeholders'              => array(
+				'<a href="</%base>?q=</%query>">link</a>',
+				array(
+					'base'  => '/search',
+					'query' => 'a&b<c>"d',
+				),
+				'<a href="/search?q=a&amp;b&lt;c&gt;&quot;d">link</a>',
+			),
+
+			'multiple placeholders across multiple attributes' => array(
+				'<a href="</%url>" title="</%a> &amp; </%b>">link</a>',
+				array(
+					'url' => '/page',
+					'a'   => 'Alice',
+					'b'   => 'Bob',
+				),
+				'<a href="/page" title="Alice &amp; Bob">link</a>',
+			),
+		);
+	}
+
 	/**
 	 * @ticket 60229
 	 */

From 623e938af96b6de96eab85e097c41c02e3d0a5af Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Tue, 10 Feb 2026 17:44:51 +0100
Subject: [PATCH 63/66] Add more attribute tests, multiple attributes

---
 .../phpunit/tests/html-api/wpHtmlTemplate.php | 42 +++++--------------
 1 file changed, 11 insertions(+), 31 deletions(-)

diff --git a/tests/phpunit/tests/html-api/wpHtmlTemplate.php b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
index e68abf37699e0..aee4c8e1c0832 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTemplate.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
@@ -826,57 +826,37 @@ public function test_escapes_static_text_around_placeholder_in_attribute( string
 
 	public static function data_escapes_static_text_around_placeholder_in_attribute() {
 		return array(
-			'leading static text (prefix before placeholder)'              => array(
+			'leading static text (prefix before placeholder)' => array(
 				'<a href="/path/</%slug>">Link</a>',
 				array( 'slug' => 'hello' ),
 				'<a href="/path/hello">Link</a>',
 			),
 
-			'trailing static text (suffix after placeholder)'              => array(
+			'trailing static text (suffix after placeholder)' => array(
 				'<a href="</%slug>/page">Link</a>',
 				array( 'slug' => 'hello' ),
 				'<a href="hello/page">Link</a>',
 			),
 
-			'ampersand in trailing static text must be escaped'            => array(
+			'ampersand in trailing static text must be escaped' => array(
 				'<a href="</%base>&amp;extra=1">Link</a>',
 				array( 'base' => '/search?q=test' ),
 				'<a href="/search?q=test&amp;extra=1">Link</a>',
 			),
 
-			'ampersand entity in leading static text not double-escaped'   => array(
+			'ampersand entity in leading static text not double-escaped' => array(
 				'<a href="/search?a=1&amp;b=</%val>">Link</a>',
 				array( 'val' => '2' ),
 				'<a href="/search?a=1&amp;b=2">Link</a>',
 			),
 
-			'character reference in trailing static text preserved'        => array(
+			'character reference in trailing static text preserved' => array(
 				'<meta name="</%placeholder>&not;">',
 				array( 'placeholder' => '' ),
 				'<meta name="¬">',
 			),
-		);
-	}
-
-	/**
-	 * Verifies multiple placeholders work in a single attribute value.
-	 *
-	 * @ticket 60229
-	 *
-	 * @dataProvider data_multiple_placeholders_in_single_attribute
-	 *
-	 * @covers ::from
-	 * @covers ::bind
-	 * @covers ::render
-	 */
-	public function test_multiple_placeholders_in_single_attribute( string $template_string, array $replacements, string $expected ) {
-		$result = T::from( $template_string )->bind( $replacements )->render();
-		$this->assertEqualHTML( $expected, $result );
-	}
 
-	public static function data_multiple_placeholders_in_single_attribute() {
-		return array(
-			'two placeholders in href'                       => array(
+			'two placeholders in href'               => array(
 				'<a href="</%base>/</%slug>">link</a>',
 				array(
 					'base' => '/posts',
@@ -885,7 +865,7 @@ public static function data_multiple_placeholders_in_single_attribute() {
 				'<a href="/posts/hello-world">link</a>',
 			),
 
-			'three placeholders building URL'                => array(
+			'three placeholders building URL'        => array(
 				'<a href="</%scheme>://</%host>/</%path>">link</a>',
 				array(
 					'scheme' => 'https',
@@ -895,7 +875,7 @@ public static function data_multiple_placeholders_in_single_attribute() {
 				'<a href="https://example.com/page">link</a>',
 			),
 
-			'adjacent placeholders (no separator)'           => array(
+			'adjacent placeholders (no separator)'   => array(
 				'<meta content="</%a></%b>">',
 				array(
 					'a' => 'Hello',
@@ -904,7 +884,7 @@ public static function data_multiple_placeholders_in_single_attribute() {
 				'<meta content="HelloWorld">',
 			),
 
-			'placeholders with static text between'          => array(
+			'placeholders with static text between'  => array(
 				'<a href="</%base>?page=</%page>&sort=</%sort>">link</a>',
 				array(
 					'base' => '/search',
@@ -914,13 +894,13 @@ public static function data_multiple_placeholders_in_single_attribute() {
 				'<a href="/search?page=2&amp;sort=date">link</a>',
 			),
 
-			'same placeholder repeated in attribute'         => array(
+			'same placeholder repeated in attribute' => array(
 				'<meta content="</%val>-</%val>">',
 				array( 'val' => 'test' ),
 				'<meta content="test-test">',
 			),
 
-			'escaping in multiple placeholders'              => array(
+			'escaping in multiple placeholders'      => array(
 				'<a href="</%base>?q=</%query>">link</a>',
 				array(
 					'base'  => '/search',

From 9c3ee7dfe27412241569eb15c29084c64e3bb86b Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Tue, 10 Feb 2026 17:45:54 +0100
Subject: [PATCH 64/66] Update status

---
 STATUS.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/STATUS.md b/STATUS.md
index 5e4ccae50ec72..d70851176470d 100644
--- a/STATUS.md
+++ b/STATUS.md
@@ -62,8 +62,8 @@ Normalization runs twice: once in `compile()` for text detection, once in `rende
 
 **High Priority Missing:**
 
--   Non-string replacement values (integers, arrays, nulls) → should fail gracefully
--   Multiple placeholders in single attribute (e.g., `href="</%scheme>://</%host>"`)
+-   ~~Non-string replacement values (integers, arrays, nulls) → should fail gracefully~~ ✅ Tests exist
+-   ~~Multiple placeholders in single attribute (e.g., `href="</%scheme>://</%host>"`)~~ ✅ Works, tests added
 -   Template immutability verification (`bind()` returns new instance)
 
 **The PRE newline test is skipped** but the behavior matters—WordPress often outputs preformatted code.

From 0e814662a273a2401a04a440e269c9827565481d Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Tue, 10 Feb 2026 18:21:26 +0100
Subject: [PATCH 65/66] Add boolean attribute support to WP_HTML_Template

Implements ticket #60229 requirement for boolean attributes:
- `true` converts `disabled="</%d>"` to `disabled` (boolean form)
- `false` or `null` removes the attribute entirely
- Only works when placeholder is the entire attribute value
- Partial placeholders with boolean values return false
---
 .../html-api/class-wp-html-template.php       |  36 ++++-
 .../phpunit/tests/html-api/wpHtmlTemplate.php | 130 ++++++++++++++++++
 2 files changed, 161 insertions(+), 5 deletions(-)

diff --git a/src/wp-includes/html-api/class-wp-html-template.php b/src/wp-includes/html-api/class-wp-html-template.php
index 61e7433527221..91db36568e3c8 100644
--- a/src/wp-includes/html-api/class-wp-html-template.php
+++ b/src/wp-includes/html-api/class-wp-html-template.php
@@ -203,12 +203,22 @@ public function get_tag_attributes(): array {
 								}
 							}
 
-							// New: append placeholder edit and register name.
+							// Detect if placeholder is the entire attribute value.
+							$is_whole_attribute = (
+								$match_start === $attribute->value_starts_at &&
+								$match_start + $match_length === $end
+							);
+
+							// Append placeholder edit with attribute metadata.
 							$this->edits[]                           = array(
-								'start'       => $match_start,
-								'length'      => $match_length,
-								'placeholder' => $placeholder,
-								'context'     => 'attribute',
+								'start'              => $match_start,
+								'length'             => $match_length,
+								'placeholder'        => $placeholder,
+								'context'            => 'attribute',
+								'is_whole_attribute' => $is_whole_attribute,
+								'attr_name'          => $is_whole_attribute ? $attribute->name : null,
+								'attr_start'         => $is_whole_attribute ? $attribute->start : null,
+								'attr_length'        => $is_whole_attribute ? $attribute->length : null,
 							);
 							$this->placeholder_names[ $placeholder ] = true;
 
@@ -403,6 +413,22 @@ public function push_update( WP_HTML_Text_Replacement $update ) {
 					$processor->push_update(
 						new WP_HTML_Text_Replacement( $edit['start'], $edit['length'], $escaped ),
 					);
+				} elseif ( true === $value ) {
+					// Boolean true: convert to boolean attribute (remove value, keep name).
+					if ( empty( $edit['is_whole_attribute'] ) ) {
+						return false;
+					}
+					$processor->push_update(
+						new WP_HTML_Text_Replacement( $edit['attr_start'], $edit['attr_length'], $edit['attr_name'] ),
+					);
+				} elseif ( false === $value || null === $value ) {
+					// Boolean false or null: remove entire attribute.
+					if ( empty( $edit['is_whole_attribute'] ) ) {
+						return false;
+					}
+					$processor->push_update(
+						new WP_HTML_Text_Replacement( $edit['attr_start'], $edit['attr_length'], '' ),
+					);
 				} else {
 					// @todo doing it wrong.
 					return false;
diff --git a/tests/phpunit/tests/html-api/wpHtmlTemplate.php b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
index aee4c8e1c0832..c27dfb3c81dd5 100644
--- a/tests/phpunit/tests/html-api/wpHtmlTemplate.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
@@ -939,6 +939,136 @@ public function test_warns_on_omit_replacement() {
 		$template->bind( array() );
 	}
 
+	/**
+	 * Verifies that boolean true creates a boolean attribute.
+	 *
+	 * @ticket 60229
+	 *
+	 * @covers ::from
+	 * @covers ::bind
+	 * @covers ::render
+	 */
+	public function test_boolean_true_creates_boolean_attribute() {
+		$result = T::from( '<input disabled="</%disabled>">' )
+			->bind( array( 'disabled' => true ) )
+			->render();
+		$this->assertEqualHTML( '<input disabled>', $result );
+	}
+
+	/**
+	 * Verifies that boolean false removes the attribute.
+	 *
+	 * @ticket 60229
+	 *
+	 * @covers ::from
+	 * @covers ::bind
+	 * @covers ::render
+	 */
+	public function test_boolean_false_removes_attribute() {
+		$result = T::from( '<input disabled="</%disabled>" type="text">' )
+			->bind( array( 'disabled' => false ) )
+			->render();
+		$this->assertEqualHTML( '<input type="text">', $result );
+	}
+
+	/**
+	 * Verifies that null removes the attribute (same as false).
+	 *
+	 * @ticket 60229
+	 *
+	 * @covers ::from
+	 * @covers ::bind
+	 * @covers ::render
+	 */
+	public function test_null_removes_attribute() {
+		$result = T::from( '<input class="</%class>" type="text">' )
+			->bind( array( 'class' => null ) )
+			->render();
+		$this->assertEqualHTML( '<input type="text">', $result );
+	}
+
+	/**
+	 * Verifies that boolean with partial placeholder returns false.
+	 *
+	 * @ticket 60229
+	 *
+	 * @covers ::from
+	 * @covers ::bind
+	 * @covers ::render
+	 */
+	public function test_partial_placeholder_rejects_boolean() {
+		$result = T::from( '<input class="prefix-</%suffix>">' )
+			->bind( array( 'suffix' => true ) )
+			->render();
+		$this->assertFalse( $result );
+	}
+
+	/**
+	 * @ticket 60229
+	 *
+	 * @dataProvider data_boolean_attribute_handling
+	 *
+	 * @covers ::from
+	 * @covers ::bind
+	 * @covers ::render
+	 */
+	public function test_boolean_attribute_handling( string $template, array $replacements, string $expected ) {
+		$result = T::from( $template )->bind( $replacements )->render();
+		$this->assertEqualHTML( $expected, $result );
+	}
+
+	public static function data_boolean_attribute_handling() {
+		return array(
+			'true creates boolean attribute'            => array(
+				'<input disabled="</%disabled>">',
+				array( 'disabled' => true ),
+				'<input disabled>',
+			),
+
+			'false removes attribute'                   => array(
+				'<input disabled="</%disabled>" type="text">',
+				array( 'disabled' => false ),
+				'<input type="text">',
+			),
+
+			'null removes attribute'                    => array(
+				'<input class="</%class>" type="text">',
+				array( 'class' => null ),
+				'<input type="text">',
+			),
+
+			'empty string keeps attribute with empty value' => array(
+				'<input value="</%value>">',
+				array( 'value' => '' ),
+				'<input value="">',
+			),
+
+			'mixed boolean and string replacements'     => array(
+				'<input disabled="</%d>" value="</%v>">',
+				array(
+					'd' => true,
+					'v' => 'test',
+				),
+				'<input disabled value="test">',
+			),
+
+			'multiple attributes, one removed'          => array(
+				'<input class="</%c>" id="</%i>" name="field">',
+				array(
+					'c' => false,
+					'i' => 'my-id',
+				),
+				'<input id="my-id" name="field">',
+			),
+
+			'single-quoted attribute with boolean'      => array(
+				"<input disabled='</%disabled>'>",
+				array( 'disabled' => true ),
+				'<input disabled>',
+			),
+		);
+	}
+
 	/**
 	 * Verifies render() returns false for integer replacement value.
 	 *

From e8eb68148e2fab106694666df6e7a6335ff441f7 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Tue, 10 Feb 2026 18:23:40 +0100
Subject: [PATCH 66/66] update status

---
 STATUS.md | 38 +++++++++++++++++++-------------------
 1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/STATUS.md b/STATUS.md
index d70851176470d..0d7f17d152652 100644
--- a/STATUS.md
+++ b/STATUS.md
@@ -18,6 +18,9 @@ Template composition (`WP_HTML_Template` as replacement value) works for text co
 **4. Compile-once Design**
 Lazy compilation with cached edits (`$edits` array) is efficient for template reuse.
 
+**5. Boolean Attribute Support**
+Supply `true` to create a boolean attribute (`disabled="</%d>"` + `true` → `disabled`), or `false`/`null` to remove an attribute entirely. Only works for whole-attribute placeholders—partial placeholders reject boolean values.
+
 ---
 
 ### What's Missing from the Ticket Requirements
@@ -25,16 +28,13 @@ Lazy compilation with cached edits (`$edits` array) is efficient for template re
 **1. No URL Escaping (Ticket TODO)**
 The ticket explicitly says "does not escape URLs differently than other attributes." The XSS test shows `javascript:alert("xss")` only escapes quotes—no `esc_url()` equivalent. This is a security gap for `href`/`src` attributes.
 
-**2. Boolean Attributes Not Implemented**
-Ticket promises: "supply true to create a boolean attribute or false/null remove an attribute." The current implementation only handles string and Template replacement values. No boolean support visible.
-
-**3. No Attribute Spread**
+**2. No Attribute Spread**
 Ticket comment 9 discusses "spread" attributes for making tags placeholders. Not implemented.
 
-**4. Missing Output Format Methods**
+**3. Missing Output Format Methods**
 Ticket TODO lists `->final_output_to_browser()`, `->final_output_to_plaintext()`, `->final_output_to_markdown()`, etc. None exist.
 
-**5. Embed Replacement in Tag Processor (Ticket TODO)**
+**4. Embed Replacement in Tag Processor (Ticket TODO)**
 The ticket wants replacement embedded in the Tag Processor. Current implementation uses a separate class with its own parsing pass.
 
 ---
@@ -102,17 +102,17 @@ The ticket's philosophy is "prefer trust and safety over features"—valid, but
 
 ### Summary Table
 
-| Requirement                | Status | Notes                          |
-| -------------------------- | ------ | ------------------------------ |
-| Context-aware escaping     | ✅     | Works for text and attributes  |
-| Funky comment placeholders | ✅     | Clean implementation           |
-| Nested HTML via Templates  | ✅     | Text context only              |
-| Boolean attributes         | ❌     | Not implemented                |
-| URL escaping               | ❌     | Only generic escaping          |
-| Attribute spread           | ❌     | Not implemented                |
-| Output format methods      | ❌     | Not implemented                |
-| Tag Processor integration  | ❌     | Separate class                 |
-| Table context support      | ❌     | Explicitly unsupported         |
-| i18n integration           | ❌     | Not addressed                  |
-| RAWTEXT/RCDATA replacement | ❌     | Placeholders don't work inside |
+| Requirement                | Status | Notes                              |
+| -------------------------- | ------ | ---------------------------------- |
+| Context-aware escaping     | ✅     | Works for text and attributes      |
+| Funky comment placeholders | ✅     | Clean implementation               |
+| Nested HTML via Templates  | ✅     | Text context only                  |
+| Boolean attributes         | ✅     | true/false/null for whole-attr     |
+| URL escaping               | ❌     | Only generic escaping              |
+| Attribute spread           | ❌     | Not implemented                    |
+| Output format methods      | ❌     | Not implemented                    |
+| Tag Processor integration  | ❌     | Separate class                     |
+| Table context support      | ❌     | Explicitly unsupported             |
+| i18n integration           | ❌     | Not addressed                      |
+| RAWTEXT/RCDATA replacement | ❌     | Placeholders don't work inside     |