[wp-trac] [WordPress Trac] #64054: HTML API: Attribute escaping should escape all HTML entities
WordPress Trac
noreply at wordpress.org
Thu Oct 9 23:36:25 UTC 2025
#64054: HTML API: Attribute escaping should escape all HTML entities
--------------------------+------------------------------
Reporter: jonsurrell | Owner: dmsnell
Type: defect (bug) | Status: closed
Priority: normal | Milestone: Awaiting Review
Component: HTML API | Version: 6.2
Severity: normal | Resolution: fixed
Keywords: has-patch | Focuses:
--------------------------+------------------------------
Changes (by dmsnell):
* owner: (none) => dmsnell
* status: new => closed
* resolution: => fixed
Comment:
In [changeset:"60919" 60919]:
{{{
#!CommitTicketReference repository="" revision="60919"
HTML API: Escape all submitted HTML character references.

The HTML API has relied on `esc_attr()` and `esc_html()` when setting
string attribute values or the contents of modifiable text. This leads to
unexpected behavior when those functions attempt to prevent double-
escaping of existing character references, and it can make certain
contents impossible to represent.

After this change, the HTML API will reliably escape all submitted
plaintext such that it appears in the browser the way it was submitted to
the HTML API, with all character references escaped. This does not change
the behavior of how URL attributes are escaped.

Developed in https://github.com/WordPress/wordpress-develop/pull/10143
Discussed in https://core.trac.wordpress.org/ticket/64054

Props dmsnell, jonsurrell, westonruter.
Fixes #64054.
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/64054#comment:10>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
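
The round-trip problem the commit message describes, as an added example that is not part of the changeset or of WordPress core. It assumes PHP's `htmlspecialchars()` with `double_encode` set to `false` is an adequate stand-in for escaping that avoids double-escaping, and `html_entity_decode()` for the browser's decoding of an attribute value; the function names and sample strings are constructed for illustration.

```php
<?php
// Added illustration; not WordPress core code. Plain PHP functions stand in
// for the two escaping strategies the commit message contrasts.

// Model of escaping that avoids double-escaping: text that already looks like
// a character reference is left alone (htmlspecialchars, double_encode=false).
function escape_skip_existing(string $plaintext): string {
    return htmlspecialchars($plaintext, ENT_QUOTES | ENT_HTML5, 'UTF-8', false);
}

// Model of escaping every submitted character reference: each "&" is encoded,
// including the one that starts an existing reference.
function escape_all(string $plaintext): string {
    return htmlspecialchars($plaintext, ENT_QUOTES | ENT_HTML5, 'UTF-8', true);
}

// Stand-in for what a browser shows after decoding the attribute value once.
function browser_decode(string $escaped): string {
    return html_entity_decode($escaped, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs: plaintext a caller wants displayed verbatim.
$samples = [
    'Fish & chips',
    'Write &amp; to show an ampersand',
    '&lt;b&gt; is not a tag here',
    'Numeric form: &#169; "quoted"',
];

foreach ($samples as $plaintext) {
    foreach (['escape_skip_existing', 'escape_all'] as $strategy) {
        $escaped = $strategy($plaintext);
        $shown   = browser_decode($escaped);
        // A strategy is faithful only if the decoded value equals the input.
        printf("%-22s %-48s => %-36s %s\n", $strategy, $escaped, $shown,
            $shown === $plaintext ? 'round-trips' : 'CHANGED');
    }
}
```

Only the first sample survives both strategies; the other three come back altered under `escape_skip_existing`, because the references in the submitted plaintext are passed through and then decoded.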