[wp-trac] [WordPress Trac] #65090: Missing escaping for dynamic link text
WordPress Trac
noreply at wordpress.org
Fri Apr 17 14:49:12 UTC 2026
#65090: Missing escaping for dynamic link text
------------------------------+-----------------------------
 Reporter:  maheshpatel       |      Owner:  (none)
     Type:  defect (bug)      |     Status:  new
 Priority:  normal            |  Milestone:  Awaiting Review
Component:  General           |    Version:  trunk
 Severity:  normal            |   Keywords:  has-patch
  Focuses:  coding-standards  |
------------------------------+-----------------------------
- **File:** [src/wp-login.php](src/wp-login.php#L234)
- **Line:** 234
- **Problem:** `$message` output without escaping (filterable content)
- **Current Code:**

      if ( ! empty( $message ) ) {
          echo $message . "\n";
      }

- **Context:** `$message` comes from `apply_filters( 'login_message', $message )` but could contain HTML or special chars
- **Fix:** Context-dependent, could be:

      // If message is expected to have HTML:
      if ( ! empty( $message ) ) {
          echo wp_kses_post( $message ) . "\n";
      }

      // Or if plain text:
      if ( ! empty( $message ) ) {
          echo esc_html( $message ) . "\n";
      }

--
Ticket URL: <https://core.trac.wordpress.org/ticket/65090>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
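
Added example, not part of the ticket and not WordPress core code: a `login_message` callback that escapes its own dynamic link text and URL before the string reaches the `echo` discussed above, then limits the combined markup to a small allowlist. It is meant to run inside WordPress (for instance as a must-use plugin); the function name, notice text, priority and allowlist are assumptions made for illustration.

```php
<?php
/**
 * Added example: escape dynamic values inside a login_message callback.
 * example_login_notice(), the notice text and $allowed are hypothetical.
 */
function example_login_notice( $message ) {
	// Dynamic values: both are treated as untrusted at output time.
	$site_name = get_bloginfo( 'name' );
	$help_url  = wp_lostpassword_url();

	// esc_url() for the href attribute, esc_html() for the link text.
	$link = sprintf(
		'<a href="%s">%s</a>',
		esc_url( $help_url ),
		esc_html( sprintf( 'Reset your %s password', $site_name ) )
	);

	$notice = '<p class="message">' . $link . '</p>';

	// Keep only the tags and attributes this notice needs. Anything else
	// that an earlier callback placed in $message is stripped by wp_kses().
	$allowed = array(
		'p'      => array( 'class' => true ),
		'a'      => array( 'href' => true ),
		'strong' => array(),
		'br'     => array(),
	);

	return wp_kses( $message . $notice, $allowed );
}
// Late priority (assumed value) so the allowlist also covers earlier callbacks.
add_filter( 'login_message', 'example_login_notice', 99 );
```

With the ticket's `esc_html()` variant applied at the `echo`, the `<p>` and `<a>` markup returned here would be shown as literal text; with the `wp_kses_post()` variant it would still render.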