[wp-trac] [WordPress Trac] #62619: Remove `wp_kses_post()` filtering from admin notices
WordPress Trac
noreply at wordpress.org
Thu Feb 6 19:15:06 UTC 2025
#62619: Remove `wp_kses_post()` filtering from admin notices
----------------------------+---------------------
 Reporter:  azaozz          |       Owner:  (none)
     Type:  defect (bug)    |      Status:  new
 Priority:  normal          |   Milestone:  6.8
Component:  Administration  |     Version:  6.4
 Severity:  normal          |  Resolution:
 Keywords:  has-patch       |     Focuses:
----------------------------+---------------------
Comment (by joedolson):

As I recall from discussion (and I can't find the discussion, so I can't
be more detailed than that), the external error message case was the
primary reason for wanting this; as much as most of the cases are known
content, that is not the case 100% of the time. API requests are always
going to be somewhat of an unknown.

Regarding the performance with `wp_kses_post()`, that's not a significant
concern with short content, which is usually the case with admin notices.
Zack Tollman did a [https://www.tollmanz.com/wp-kses-performance/ review
of `wp_kses()` performance] comparing various types of content in
(sheesh...2015) which showed that the performance hit was minor on short
content. I would guess this is better now; but I'm not aware of a more
recent study. Admin notices are also infrequent, so that performance hit
is not something that will be executing a thousand times in a given screen
view.

Ultimately, I'd probably want somebody from the security team to voice an
opinion here.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/62619#comment:11>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform