[wp-trac] [WordPress Trac] #62619: Remove `wp_kses_post()` filtering from admin notices

WordPress Trac noreply at wordpress.org
Thu Feb 27 22:36:11 UTC 2025


#62619: Remove `wp_kses_post()` filtering from admin notices
----------------------------+---------------------
 Reporter:  azaozz          |       Owner:  (none)
     Type:  defect (bug)    |      Status:  new
 Priority:  normal          |   Milestone:  6.8
Component:  Administration  |     Version:  6.4
 Severity:  normal          |  Resolution:
 Keywords:  has-patch       |     Focuses:
----------------------------+---------------------

Comment (by azaozz):

 Replying to [comment:10 joedolson]:
 > It's not only user input to be escaped, but also error responses from
 > external requests that may require escaping before output.
 > ...
 > Ultimately, I'd probably want somebody from the security team to voice
 > an opinion here.

 Sure, I am part of the security team :)
 From a purely security point of view, the current code in `wp_admin_notice()`
 does not meet the requirements as it doesn't escape anything. The above is
 slightly incorrect. The code there just filters some of the HTML tags and
 allows others. From a security point of view this is not good enough for
 untrusted content as the allowed tags can still be used to
 manipulate/deface the page where the user notice is shown.

 > Requiring core and plugin authors to handle escaping themselves by
 > default, rather than by exception, goes against the well-established
 > practice of late escaping.

 What do you mean "escape by exception"? All plugin authors as well as all
 places in core are always required to escape untrusted content. This was
 the case with the user warnings for many years before `wp_admin_notice()`
 was introduced, right? Passing unescaped untrusted content to that
 function would still be considered a security risk as that content is
 never really escaped (see above).

 > There's ultimately no need to deprecate `wp_admin_notice()` or to change
 > its established use of `wp_kses_post()` in line with well established
 > convention in and out of core.

 Yea, perhaps another solution (apart from deprecation) can be found.
 However, the use of `wp_kses_post()` in `wp_admin_notice()` is not in line
 with any WP conventions as it doesn't really provide anything useful. It
 does not provide adequate security for untrusted content. On top of that
 it is "dead code"/unneeded overhead in nearly all cases as the user
 warnings/messages text is hard-coded.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/62619#comment:12>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
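The distinction the comment above draws (kses filtering is not escaping, so untrusted text must be escaped before it reaches `wp_admin_notice()`), as an added example that is not from the ticket or from WordPress core. It assumes WordPress is loaded (for instance via `wp eval-file`); the plugin function name, text domain and remote URL are hypothetical.

```php
<?php
// Constructed untrusted input, standing in for the body of an error response
// from a third-party service. wp_kses_post() keeps every tag on its allowlist
// (here <a> and <em>) as live markup; esc_html() turns the whole string into
// inert text that renders literally inside the notice.
$untrusted = 'Upgrade failed: <a href="https://example.invalid/">click here</a> <em>now</em>';

echo 'kses-filtered: ', wp_kses_post( $untrusted ), "\n"; // link and emphasis survive
echo 'escaped:       ', esc_html( $untrusted ), "\n";     // tags become &lt;a&gt;, &lt;em&gt;

/**
 * Hypothetical plugin helper showing late escaping with wp_admin_notice():
 * only the untrusted parts (error message, response body) are escaped, while
 * the hard-coded text and the plugin's own markup are passed as written.
 */
function example_plugin_status_notice() {
	$response = wp_remote_get( 'https://api.example.invalid/status' ); // hypothetical endpoint

	if ( is_wp_error( $response ) ) {
		// The error message can carry data from the network layer; escape it.
		wp_admin_notice(
			'<strong>Example Plugin:</strong> ' . esc_html( $response->get_error_message() ),
			array( 'type' => 'error' )
		);
		return;
	}

	$code = wp_remote_retrieve_response_code( $response );
	if ( 200 !== $code ) {
		// The response body is attacker-controllable from the plugin's point of
		// view; escape it before it is embedded in the notice.
		$body = wp_remote_retrieve_body( $response );
		wp_admin_notice(
			sprintf(
				/* translators: 1: HTTP status code, 2: start of the response body */
				__( 'Status check failed (HTTP %1$d): %2$s', 'example-plugin' ),
				(int) $code,
				esc_html( wp_trim_words( $body, 20 ) )
			),
			array(
				'type'        => 'warning',
				'dismissible' => true,
			)
		);
	}
}
add_action( 'admin_notices', 'example_plugin_status_notice' );
```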