[wp-trac] [WordPress Trac] #63630: Encoded HTML entities are decoded for users without unfiltered_html
WordPress Trac
noreply at wordpress.org
Thu Aug 7 07:58:49 UTC 2025
#63630: Encoded HTML entities are decoded for users without unfiltered_html
-------------------------------------------------+-------------------------
 Reporter:  jonsurrell                           |       Owner:  jonsurrell
     Type:  defect (bug)                         |      Status:  closed
 Priority:  normal                               |   Milestone:  6.9
Component:  General                              |     Version:  2.0
 Severity:  normal                               |  Resolution:  fixed
 Keywords:  has-patch has-unit-tests             |     Focuses:
  dev-feedback 2nd-opinion                       |
-------------------------------------------------+-------------------------
Changes (by jonsurrell):
* owner: (none) => jonsurrell
* status: assigned => closed
* resolution: => fixed
Comment:
In [changeset:"60616" 60616]:
{{{
#!CommitTicketReference repository="" revision="60616"
KSES: Prevent normalization from unescaping escaped numeric character
references.
Fixes an issue where `wp_kses_normalize_entities` would transform inputs
like "'" into "'", changing the intended HTML text.
This behavior has been present since the initial version of KSES was
introduced in [649].
[2896] applied the normalization to post content for users without the
"unfiltered_html" capability.
Developed in https://github.com/WordPress/wordpress-develop/pull/9099.
Props jonsurrell, dmsnell, sirlouen.
Fixes #63630.
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63630#comment:20>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
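
The changeset message above describes normalization turning an escaped numeric character reference back into a live one. The PHP sketch below is an added example, not WordPress's code: it assumes a normalizer that escapes every `&` and then restores allowed references in separate passes, and sets it beside a single-pass variant. The function names, the reduced entity list and the sample strings are hypothetical and constructed for illustration.

```php
<?php
// Simplified model (an assumption, not WordPress's implementation).
// All function names are hypothetical.

function normalize_multi_pass( string $text ): string {
	// Pass 0: disarm every ampersand.
	$text = str_replace( '&', '&amp;', $text );
	// Pass 1: restore a small set of named references.
	$text = preg_replace( '/&amp;(amp|lt|gt|quot);/', '&$1;', $text );
	// Pass 2: restore decimal references. This pass rescans the output of
	// pass 1, so "&amp;" followed by "#39;" now looks like a reference.
	$text = preg_replace( '/&amp;#(0*[0-9]{1,7});/', '&#$1;', $text );
	// Pass 3: restore hexadecimal references, with the same rescan problem.
	return preg_replace( '/&amp;#[Xx](0*[0-9A-Fa-f]{1,6});/', '&#x$1;', $text );
}

function normalize_single_pass( string $text ): string {
	$text = str_replace( '&', '&amp;', $text );
	// One alternation, one scan: replacement output is never rescanned.
	return preg_replace(
		'/&amp;((?:amp|lt|gt|quot)|#0*[0-9]{1,7}|#[Xx]0*[0-9A-Fa-f]{1,6});/',
		'&$1;',
		$text
	);
}

// Regression check: normalization must not change the text a browser
// would render, so decoding before and after must give the same string.
function rendered_text_changed( string $before, string $after ): bool {
	$flags = ENT_QUOTES | ENT_HTML5;
	return html_entity_decode( $before, $flags ) !== html_entity_decode( $after, $flags );
}

// Constructed inputs: a live reference, two escaped references, a bare ampersand.
$samples = array( '&#39;', '&amp;#39;', '&amp;#x27;', 'AT&T' );
foreach ( $samples as $in ) {
	$multi  = normalize_multi_pass( $in );
	$single = normalize_single_pass( $in );
	printf(
		"%-11s multi: %-11s (%s)  single: %-11s (%s)\n",
		$in,
		$multi,
		rendered_text_changed( $in, $multi ) ? 'text changed' : 'ok',
		$single,
		rendered_text_changed( $in, $single ) ? 'text changed' : 'ok'
	);
}
```

The `rendered_text_changed()` comparison can be reused as a unit-test assertion against any entity normalizer that is expected to preserve what the author typed.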