[wp-trac] [WordPress Trac] #65047: Missing escaping for XML error message
WordPress Trac
noreply at wordpress.org
Thu Apr 9 13:29:10 UTC 2026
#65047: Missing escaping for XML error message
------------------------------+------------------------------
Reporter: maheshpatel | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Pings/Trackbacks | Version:
Severity: normal | Resolution:
Keywords: has-patch | Focuses:
------------------------------+------------------------------
Changes (by sabernhardt):
* version: trunk =>
Old description:
> **File:** [src/wp-trackback.php](src/wp-trackback.php#L37)
> - **Line:** 37
> - **Problem:** `$error_message` output in XML without escaping
> - **Severity:** XML parsing vulnerability
> - **Current Code:**
>
> if ( $error ) {
>     echo '<?xml version="1.0" encoding="utf-8"?' . ">\n";
>     echo "<response>\n";
>     echo "<error>1</error>\n";
>     echo "<message>$error_message</message>\n";
>     echo '</response>';
> }
>
> - **Fix:**
>
> if ( $error ) {
>     echo '<?xml version="1.0" encoding="utf-8"?' . ">\n";
>     echo "<response>\n";
>     echo "<error>1</error>\n";
>     echo "<message>" . esc_html( $error_message ) . "</message>\n";
>     echo '</response>';
> }
>
> - **Why It Matters:**
> - XML special characters (`&`, `<`, `>`) can break XML parsing
> - Error messages come from user actions or system states
New description:
- **File:** [https://github.com/WordPress/wordpress-develop/blob/e12ddb3c76e73ef32510e5464472e04f0cd1483a/src/wp-trackback.php#L37 src/wp-trackback.php]
- **Line:** 37
- **Problem:** `$error_message` output in XML without escaping
**Current Code:**
{{{
if ( $error ) {
    echo '<?xml version="1.0" encoding="utf-8"?' . ">\n";
    echo "<response>\n";
    echo "<error>1</error>\n";
    echo "<message>$error_message</message>\n";
    echo '</response>';
}
}}}
**Fix:**
{{{
if ( $error ) {
    echo '<?xml version="1.0" encoding="utf-8"?' . ">\n";
    echo "<response>\n";
    echo "<error>1</error>\n";
    echo "<message>" . esc_html( $error_message ) . "</message>\n";
    echo '</response>';
}
}}}
**Why It Matters:**
- XML special characters (`&`, `<`, `>`) can break XML parsing
- Error messages come from user actions or system states
--
Comment:
The `trackback_response()` function has been available since
[https://core.trac.wordpress.org/browser/trunk/b2-include/b2functions.php?rev=8&marks=809#L803
changeset 8], and the escaping functions were added later.
Would `esc_xml()` be a better choice?
--
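An added example, not code from WordPress or from the ticket, that uses Python's strict XML parser as a stand-in for a trackback client to show what the unescaped interpolation at line 37 does to the response and why the esc_xml() question in the comment matters. The two escapers are assumed simplifications: `html_style_escape` mimics esc_html() leaving already-present entities alone (double_encode=false), while `xml_style_escape` encodes every `&`, `<`, `>` and `"`; the real esc_xml() additionally decodes HTML entities before re-encoding, which the stand-in does not replicate.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Stand-in for the raw output at src/wp-trackback.php#L37: the message is
# interpolated into the XML response without any escaping.
def trackback_error_response(message: str) -> str:
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        "<response>\n"
        "<error>1</error>\n"
        f"<message>{message}</message>\n"
        "</response>"
    )

# Assumed simplification of esc_html(): encode &, <, >, " but keep any
# entity that is already present (esc_html() passes double_encode=false).
_ENTITY = re.compile(r"&(?:#\d+|#x[0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]*);")

def html_style_escape(text: str) -> str:
    out, pos = [], 0
    for m in _ENTITY.finditer(text):
        out.append(escape(text[pos:m.start()], {'"': "&quot;"}))
        out.append(m.group(0))  # existing entity passed through unchanged
        pos = m.end()
    out.append(escape(text[pos:], {'"': "&quot;"}))
    return "".join(out)

# Assumed XML-only escaper: every &, <, > and " is encoded, so a stray
# HTML entity such as &nbsp; becomes the harmless literal text "&nbsp;".
def xml_style_escape(text: str) -> str:
    return escape(text, {'"': "&quot;"})

def message_roundtrip(message: str, escaper=None):
    """Build the response (optionally through an escaper) and parse it with
    a strict XML parser. Returns the recovered <message> text, or None when
    the document is not well-formed, i.e. when a client would reject it."""
    body = message if escaper is None else escaper(message)
    try:
        root = ET.fromstring(trackback_error_response(body))
    except ET.ParseError:
        return None
    return root.findtext("message")

if __name__ == "__main__":
    # Constructed sample messages, not values taken from WordPress.
    for msg in ['Sorry, "foo" <bar> & baz', "No&nbsp;title"]:
        for name, esc in [("raw", None), ("html", html_style_escape), ("xml", xml_style_escape)]:
            print(f"{name:4} {msg!r:28} -> {message_roundtrip(msg, esc)!r}")
```

The `&nbsp;` case is the one where the HTML-style escaper still yields a response a strict XML client rejects, which is the practical difference between esc_html() and an XML-specific escaper.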
Ticket URL: <https://core.trac.wordpress.org/ticket/65047#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>