[wp-trac] [WordPress Trac] #65090: Missing escaping for dynamic link text
WordPress Trac
noreply at wordpress.org
Fri Apr 17 21:18:01 UTC 2026
#65090: Missing escaping for dynamic link text
-----------------------------------+-------------------------------
Reporter: maheshpatel | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Resolution:
Keywords: has-patch 2nd-opinion | Focuses: coding-standards
-----------------------------------+-------------------------------
Changes (by johnbillion):
* keywords: has-patch => has-patch 2nd-opinion
Comment:

@maheshpatel There are ''thousands'' of places in WordPress where escaping
or KSES could be added. If the value comes from user generated data then
escaping or KSES should be considered, but there are backwards
compatibility, interoperability, and performance concerns with escaping or
KSESing everything.

If we were writing WordPress from scratch today then we'd probably escape
almost everything by default. But we're not.

Therefore these missing escaping tickets aren't particularly helpful and
aren't the best use of everyone's time unless you can demonstrate a real
problem that's caused by the lack of escaping, or you can demonstrate that
the value comes from user generated data.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/65090#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform