[wp-trac] [WordPress Trac] #65047: Missing escaping for XML error message

WordPress Trac noreply at wordpress.org
Thu Apr 9 10:08:52 UTC 2026


#65047: Missing escaping for XML error message
------------------------------+-----------------------------
 Reporter:  maheshpatel       |      Owner:  (none)
     Type:  defect (bug)      |     Status:  new
 Priority:  normal            |  Milestone:  Awaiting Review
Component:  Pings/Trackbacks  |    Version:  trunk
 Severity:  normal            |   Keywords:
  Focuses:                    |
------------------------------+-----------------------------
 **File:** [src/wp-trackback.php](src/wp-trackback.php#L37)
 - **Line:** 37
 - **Problem:** `$error_message` output in XML without escaping
 - **Severity:** XML parsing vulnerability
 - **Current Code:**


   if ( $error ) {
       echo '<?xml version="1.0" encoding="utf-8"?' . ">\n";
       echo "<response>\n";
       echo "<error>1</error>\n";
       echo "<message>$error_message</message>\n";
       echo '</response>';
   }


 - **Fix:**


   if ( $error ) {
       echo '<?xml version="1.0" encoding="utf-8"?' . ">\n";
       echo "<response>\n";
       echo "<error>1</error>\n";
       echo "<message>" . esc_html( $error_message ) . "</message>\n";
       echo '</response>';
   }


 - **Why It Matters:**
   - XML special characters (`&`, `<`, `>`) can break XML parsing
   - Error messages come from user actions or system states
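 The following is an added example, not WordPress core code: it builds the trackback error response both ways and checks each with PHP's XML parser, so the "can break XML parsing" point can be seen directly. It assumes that, outside WordPress, `htmlspecialchars()` with `ENT_QUOTES | ENT_XML1` is a close enough stand-in for `esc_html()`.

```php
<?php
// Added example, not WordPress core code. Demonstrates why $error_message
// must be escaped before it is placed inside <message> in wp-trackback.php.
// esc_html() only exists inside WordPress; here htmlspecialchars() with
// ENT_QUOTES | ENT_XML1 is assumed to be an adequate stand-in.

function trackback_error_response( string $error_message, bool $escape ): string {
    $message = $escape
        ? htmlspecialchars( $error_message, ENT_QUOTES | ENT_XML1, 'UTF-8' )
        : $error_message;

    // Same document shape as the code in the ticket.
    $xml  = '<?xml version="1.0" encoding="utf-8"?' . ">\n";
    $xml .= "<response>\n";
    $xml .= "<error>1</error>\n";
    $xml .= "<message>{$message}</message>\n";
    $xml .= '</response>';
    return $xml;
}

// Returns the text of <message>, or null when the response is not well-formed XML.
function parse_trackback_message( string $xml ): ?string {
    $previous = libxml_use_internal_errors( true );
    $doc      = simplexml_load_string( $xml );
    libxml_clear_errors();
    libxml_use_internal_errors( $previous );
    return $doc === false ? null : (string) $doc->message;
}

// Constructed sample message containing the characters the ticket lists.
$sample = 'Could not <ping> "a & b"';

foreach ( array( false, true ) as $escape ) {
    $label  = $escape ? 'escaped  ' : 'unescaped';
    $parsed = parse_trackback_message( trackback_error_response( $sample, $escape ) );
    // Unescaped: the bare '&' and the unclosed <ping> make the document malformed.
    // Escaped: the parser returns the original text unchanged.
    echo $label, ': ', ( null === $parsed ? 'malformed XML' : 'ok -> ' . $parsed ), "\n";
}
```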

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/65047>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

