[wp-trac] [WordPress Trac] #63881: KSES: Deprecate wp_kses_stripslashes

WordPress Trac noreply at wordpress.org
Thu Sep 4 13:44:09 UTC 2025


#63881: KSES: Deprecate wp_kses_stripslashes
------------------------------------------------+--------------------------
 Reporter:  jonsurrell                          |       Owner:  (none)
     Type:  enhancement                         |      Status:  new
 Priority:  normal                              |   Milestone:  Awaiting
                                                |  Review
Component:  General                             |     Version:
 Severity:  normal                              |  Resolution:
 Keywords:  2nd-opinion dev-feedback has-patch  |     Focuses:
------------------------------------------------+--------------------------

Comment (by jonsurrell):

 > Are we introducing any changed or new behaviors by trying to avoid
 double-stripping? I don’t have any good bearing on how this could go
 wrong?

 I think you saw [https://github.com/WordPress/wordpress-develop/pull/9559
 KSES: Prevent stripslashes from stripping escaped slashes] which is an
 unlinked draft PR. I ''think'' that fixes a problem with unescaping quotes
 that are not escaped, but it's hard to know whether it fixes something
 because the purpose and desired behavior of the function are so unclear.

 [https://github.com/WordPress/wordpress-develop/pull/9610 KSES: Deprecate
 wp_kses_stripslashes] is the PR that deprecates and stops using
 `wp_kses_stripslashes()` in Core. That does introduce a potentially more
 significant change in behavior. It's hard to know how relevant that is but
 it's what @duck_ [https://core.trac.wordpress.org/ticket/19877#comment:1
 mentioned years ago]:

 > Unfortunately removing the call would cause breakage for those passing
 in slashed data containing double quoted attributes as this happens to
 work at the moment.

 -----

 > Do we know of any current workarounds to the Core behavior?

 I'm only aware of the block editor example below.

 > Was there a case that brought this to your attention? I guess it was the
 issue with block attributes ending in `/`?

 Yes, for me this started with
 https://github.com/WordPress/gutenberg/issues/6181 and subsequently
 https://github.com/WordPress/gutenberg/pull/6619. Those reference
 `wp_kses_stripslashes()` as problematic and introduced a solution with its
 own problem of not being able to end an attribute value in `\` (#63917).

 I've proposed fixes for the `\` problem:

 - https://github.com/WordPress/gutenberg/pull/71291
 - https://github.com/WordPress/wordpress-develop/pull/9558

 I believe that specific case is safe from `wp_kses_stripslashes()` now,
 but it's such a

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/63881#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

