[wp-trac] [WordPress Trac] #65090: Missing escaping for dynamic link text
WordPress Trac
noreply at wordpress.org
Fri Apr 17 15:12:12 UTC 2026
#65090: Missing escaping for dynamic link text
--------------------------+-------------------------------
Reporter: maheshpatel | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Resolution:
Keywords: has-patch | Focuses: coding-standards
--------------------------+-------------------------------
Changes (by mukesh27):
* version: trunk =>
Old description:
> **File:** [src/wp-login.php](src/wp-login.php#L234)
> - **Line:** 234
> - **Problem:** `$message` output without escaping (filterable content)
> - **Current Code:**
>
> if ( ! empty( $message ) ) {
>     echo $message . "\n";
> }
>
> - **Context:** `$message` comes from `apply_filters( 'login_message', $message )` but could contain HTML or special chars
> - **Fix:** Context-dependent, could be:
>
> // If message is expected to have HTML:
> if ( ! empty( $message ) ) {
>     echo wp_kses_post( $message ) . "\n";
> }
> // Or if plain text:
> if ( ! empty( $message ) ) {
>     echo esc_html( $message ) . "\n";
> }
New description:
**File:** [src/wp-login.php](src/wp-login.php#L234)
- **Line:** 234
- **Problem:** `$message` output without escaping (filterable content)
- **Current Code:**
{{{
if ( ! empty( $message ) ) {
    echo $message . "\n";
}
}}}
- **Context:** `$message` comes from `apply_filters( 'login_message', $message )` but could contain HTML or special chars
- **Fix:** Context-dependent, could be:
{{{
// If message is expected to have HTML:
if ( ! empty( $message ) ) {
    echo wp_kses_post( $message ) . "\n";
}
// Or if plain text:
if ( ! empty( $message ) ) {
    echo esc_html( $message ) . "\n";
}
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/65090#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
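
Added example (not part of the ticket and not WordPress core code): a script that compares the three output options the ticket lists for `login_message` content. It assumes it runs inside a loaded WordPress install, for instance through WP-CLI's `wp eval-file`; the file name and the sample messages are constructed for illustration.

```php
<?php
/**
 * Added example, not WordPress core code.
 * Hypothetical file name: compare-login-message.php
 * Run inside a loaded WordPress, e.g. `wp eval-file compare-login-message.php`.
 */

// Constructed sample values that a 'login_message' callback might return.
$samples = array(
	'plain text'     => 'Maintenance tonight: 22:00 & later',
	'notice markup'  => '<p class="message">Check your <a href="https://example.org/help">email</a>.</p>',
	'script element' => '<p class="message">Hi</p><script>document.title = "x";</script>',
	'event handler'  => '<a href="#" onclick="return false;">Help</a>',
);

foreach ( $samples as $label => $sample ) {
	// Register the sample the way a plugin would, then read it back through
	// the filter. Other callbacks already hooked on this site also run here.
	$callback = static function () use ( $sample ) {
		return $sample;
	};
	add_filter( 'login_message', $callback );
	$message = apply_filters( 'login_message', '' );
	remove_filter( 'login_message', $callback );

	// Print the unescaped value next to both proposed fixes.
	printf(
		"[%s]\n  raw:          %s\n  wp_kses_post: %s\n  esc_html:     %s\n\n",
		$label,
		$message,
		wp_kses_post( $message ),
		esc_html( $message )
	);
}
```

`wp_kses_post()` keeps the `<p>` and `<a>` markup while dropping the `<script>` tags and the `onclick` attribute; `esc_html()` converts every tag to visible text, so callbacks that return HTML would render differently under that option.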