[wp-trac] [WordPress Trac] #62619: Remove `wp_kses_post()` filtering from admin notices
WordPress Trac
noreply at wordpress.org
Wed Jun 4 10:17:35 UTC 2025
#62619: Remove `wp_kses_post()` filtering from admin notices
----------------------------+---------------------
Reporter: azaozz | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: 6.9
Component: Administration | Version: 6.4
Severity: normal | Resolution:
Keywords: has-patch | Focuses:
----------------------------+---------------------
Comment (by logicrays):
The use of `wp_kses_post()` in admin notices is unnecessary because KSES
is meant for sanitizing content saved to the database, not for displaying
trusted content. Admin notices are hardcoded by WordPress or plugins,
making additional filtering redundant and restrictive. Removing
`wp_kses_post()` improves performance and allows full HTML usage in
notices. The recommended fix is to replace `echo wp_kses_post( $message );`
with `echo $message;` when the content is trusted.
{{{
// Before: the whole notice is passed through wp_kses_post().
function my_admin_notice() {
	$message = '<div class="notice notice-success"><p><strong>Success!</strong> HTML is allowed.</p></div>';
	echo wp_kses_post( $message );
}
add_action( 'admin_notices', 'my_admin_notice' );
}}}
{{{
// After: the static markup is echoed directly.
function my_admin_notice() {
	$message = '<div class="notice notice-success"><p><strong>Success!</strong> HTML is allowed.</p></div>';
	echo $message; // Trusted output, so no need for wp_kses_post()
}
add_action( 'admin_notices', 'my_admin_notice' );
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/62619#comment:17>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac mailing list
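The comment above treats every notice as hardcoded. In practice many plugin notices echo back a request parameter or option value, and that part of the string is not trusted even when the surrounding markup is. The following is an added example, not code from ticket #62619 or from WordPress core: it shows the same notice with an interpolated value, once echoed raw and once with the value escaped at the point of insertion via `esc_html()`, so the static markup can be output without a whole-message `wp_kses_post()` pass. The function names, the `my_plugin_import` query argument, the sample payload and the CLI stand-in for `esc_html()` are assumptions made for illustration.

```php
<?php
/**
 * Added example; not from ticket #62619 or WordPress core.
 *
 * The static notice markup is trusted, but $filename comes from the request.
 * Escaping the untrusted value where it is inserted (esc_html()) makes the
 * surrounding HTML safe to echo without a whole-message wp_kses_post() pass.
 * Function names, the my_plugin_import query argument and the sample payload
 * are assumptions made for illustration.
 */

// Stand-in so the file also runs from the CLI without WordPress loaded.
// Assumption: this is only the entity-escaping core of WordPress's esc_html(),
// not the real function; inside WordPress the real one is used.
if ( ! function_exists( 'esc_html' ) ) {
	function esc_html( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
	}
}

// Vulnerable: the whole string is echoed raw, so whoever controls $filename
// controls markup rendered inside wp-admin (reflected XSS).
function my_plugin_import_notice_unescaped( string $filename ): string {
	return '<div class="notice notice-success"><p><strong>Imported</strong> '
		. $filename . '</p></div>';
}

// Hardened: only the untrusted value is escaped; the trusted markup
// (div, class attribute, strong) is echoed untouched.
function my_plugin_import_notice_escaped( string $filename ): string {
	return '<div class="notice notice-success"><p><strong>Imported</strong> '
		. esc_html( $filename ) . '</p></div>';
}

// admin_notices callback. In a real plugin the query argument should also be
// passed through wp_unslash(), because WordPress slashes superglobals.
function my_plugin_import_notice(): void {
	$filename = (string) ( $_GET['my_plugin_import'] ?? '' );
	echo my_plugin_import_notice_escaped( $filename ); // value already escaped
}

if ( function_exists( 'add_action' ) ) {
	add_action( 'admin_notices', 'my_plugin_import_notice' );
} elseif ( PHP_SAPI === 'cli' ) {
	// Constructed sample input standing in for ?my_plugin_import=... in a link
	// sent to a logged-in administrator.
	$payload = 'report.csv<script>alert(document.cookie)</script>';
	echo 'unescaped: ' . my_plugin_import_notice_unescaped( $payload ) . "\n";
	echo 'escaped:   ' . my_plugin_import_notice_escaped( $payload ) . "\n";
}
```

Run it with `php` from the command line to see both outputs: the escaped variant renders the payload as literal text (`&lt;script&gt;...`), the unescaped one emits a live script tag. If a notice has to carry untrusted *HTML* rather than plain text, apply `wp_kses_post()` to that value alone rather than to the whole notice; the point is to filter or escape data at the place it enters the markup, not to wrap trusted markup.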