[wp-trac] [WordPress Trac] #63630: Encoded HTML entities are decoded for users without unfiltered_html

WordPress Trac noreply at wordpress.org
Thu Jul 3 11:54:59 UTC 2025


#63630: Encoded HTML entities are decoded for users without unfiltered_html
-------------------------------------------------+-------------------------
 Reporter:  jonsurrell                           |       Owner:  (none)
     Type:  defect (bug)                         |      Status:  assigned
 Priority:  normal                               |   Milestone:  Awaiting
                                                 |  Review
Component:  General                              |     Version:  2.0
 Severity:  normal                               |  Resolution:
 Keywords:  has-patch has-unit-tests dev-        |     Focuses:
  feedback                                       |
-------------------------------------------------+-------------------------
Changes (by SirLouen):

 * keywords:  has-patch has-unit-tests needs-testing dev-feedback => has-patch has-unit-tests dev-feedback


Comment:

 == Patch Test Report
 === Description
 ✅ This report validates that the indicated patch works as expected.

 Patch tested: https://github.com/WordPress/wordpress-develop/pull/9099.diff

 === Environment
 - WordPress: 6.9-alpha-60093-src
 - PHP: 8.2.28
 - Server: nginx/1.29.0
 - Database: mysqli (Server: 8.4.5 / Client: mysqlnd 8.2.28)
 - Browser: Chrome 138.0.0.0
 - OS: Windows 10/11
 - Theme: Twenty Twenty-Five 1.2
 - MU Plugins:
   * Exporting Test 1.0.0
 - Plugins:
   * Test Reports 1.2.0

 === Reproduction Steps
 1. Follow instructions provided in OP (or check screenshots in supp artifacts)

 === Actual Results
 1.  ✅ Issue resolved with patch.

 === Additional Notes
 - Patch works as expected, but formatting and kses in general are something
 I've never gone into too deeply; I wonder if helping users without
 unescaping capabilities to unescape certain chars could help some users
 build their way up for security-concerning applications.

 ==== Without unfiltered html cap before patch

 Backend:
 [[Image(https://i.imgur.com/pBl3Ctz.png)]]
 Frontend:
 [[Image(https://i.imgur.com/BwkYgBJ.png)]]

 ==== With unfiltered html cap

 Backend
 [[Image(https://i.imgur.com/whI0uah.png)]]
 Frontend
 [[Image(https://i.imgur.com/Tu9G2Xv.png)]]

 ==== Without unfiltered html cap after patch

 Frontend
 [[Image(https://i.imgur.com/SYZeY7a.png)]]

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/63630#comment:12>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform