[wp-trac] [WordPress Trac] #64054: HTML API: Attribute escaping should escape all HTML entities
WordPress Trac
noreply at wordpress.org
Wed Oct 1 18:45:43 UTC 2025
#64054: HTML API: Attribute escaping should escape all HTML entities
--------------------------+------------------------------
Reporter: jonsurrell | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: HTML API | Version: 6.2
Severity: normal | Resolution:
Keywords: | Focuses:
--------------------------+------------------------------
Comment (by dmsnell):
You’ve stumbled upon something fairly contentious in the design.
Originally we wanted zero dependencies on WordPress, especially from
functions like `esc_attr()` and `esc_url()` and `esc_html()` which carry
so much existing baggage.
For those attributes which aren’t being escaped by `esc_url()` it’s
probably fair.
So far, I have largely collapsed onto adopting the risk profile of
`esc_attr()` with the hopes of improving that function. I did some work on
that function a couple years ago and got distracted by other priorities.
So perhaps it would have been best to readdress this then.
You can examine [https://github.com/WordPress/wordpress-develop/pull/5949
wordpress/wordpress-develop#5949] where I was starting to move more
attribute processing into the Tag Processor. There’s a tie-in with several
`kses` functions that would be worth coordinating.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/64054#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list