[wp-trac] [WordPress Trac] #64748: Privacy: get_the_privacy_policy_link() should strip HTML tags and return plain text
WordPress Trac
noreply at wordpress.org
Sat Feb 28 19:07:26 UTC 2026
-----------------------------------+--------------------------
 Reporter:  wildworks              |       Owner:  westonruter
     Type:  defect (bug)           |      Status:  reviewing
 Priority:  normal                 |   Milestone:  7.1
Component:  Privacy                |     Version:  4.9.8
 Severity:  normal                 |  Resolution:
 Keywords:  has-patch 2nd-opinion  |     Focuses:
-----------------------------------+--------------------------
Changes (by sabernhardt):
* keywords: has-patch => has-patch 2nd-opinion
* version: => 4.9.8
* milestone: 7.0 => 7.1
Comment:
This is not a good change to make during beta, especially if the ticket
involves more links.
The Privacy Policy page title was added to the link with `esc_html()` in
#44192 / [43506].
I see three options to avoid unwanted or possibly dangerous HTML:
1. Keep the `esc_html()` escaping, and anyone who wants HTML can use the
`'the_privacy_policy_link'` hook to make specific elements display (which
has been possible since WordPress 4.9.8, more than 7 years ago).
2. Switch to `wp_strip_all_tags()`, assuming that no HTML elements belong
//within// the privacy link when using the core function (in places such
as the login screen or theme footer). This could help when the element was
pasted unintentionally. However, someone who wants HTML would still need
to use the filter, **in a new way**.
3. Use `wp_kses()` with a //small// set of allowed elements, not
`wp_kses_post()`. Possibilities include `br`, `em`, and `strong`, but I
would prefer to have specific examples of how they are appropriate before
adding support for each of them.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/64748#comment:13>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
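The three options in the comment above (keep `esc_html()`, switch to `wp_strip_all_tags()`, or use `wp_kses()` with a small allowlist) differ in what survives when a Privacy Policy page title contains markup. The following is an added example, not WordPress code and not part of the ticket: it models each option with Python standard-library stand-ins (`escape_title`, `strip_title`, `allowlist_title` are assumed names, not the WordPress functions) and runs them over a constructed title so the difference can be seen offline. The allowlist stand-in keeps the inner text of disallowed elements and drops every attribute, which is the behaviour option 3 asks for; it is a simplification, not a reimplementation of `wp_kses()`.

```python
"""Added example: Python stand-ins for the three escaping options discussed
in the ticket comment. None of these is the WordPress implementation."""

import html
from html.parser import HTMLParser

# Constructed sample title (not from the ticket): inline formatting that a
# site owner might want, plus markup that must never reach the login screen
# or theme footer unfiltered.
SAMPLE_TITLE = (
    'Privacy <em>Policy</em> <br>Cookies'
    '<script>alert(1)</script>'
    '<strong onclick="steal()">Notice</strong>'
    '<a href="https://example.invalid">more</a>'
)

# Small, attribute-free allowlist, as option 3 suggests (assumed set).
ALLOWED_TAGS = {"br", "em", "strong"}


def escape_title(title: str) -> str:
    """Option 1 stand-in (esc_html): every tag becomes visible literal text."""
    return html.escape(title, quote=True)


class _Stripper(HTMLParser):
    """Collects text only; script/style contents are dropped, not kept as text."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.parts: list[str] = []
        self._skip = 0  # depth inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def strip_title(title: str) -> str:
    """Option 2 stand-in (wp_strip_all_tags): plain text, no markup at all."""
    p = _Stripper()
    p.feed(title)
    p.close()
    return "".join(p.parts)


class _Allowlist(HTMLParser):
    """Keeps only ALLOWED_TAGS, without attributes; other tags are removed
    but their inner text is kept; text nodes are re-escaped."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes deliberately dropped

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def allowlist_title(title: str) -> str:
    """Option 3 stand-in (wp_kses with a small allowlist)."""
    p = _Allowlist()
    p.feed(title)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    for name, fn in (("esc_html-like", escape_title),
                     ("strip-like", strip_title),
                     ("kses-like", allowlist_title)):
        print(f"{name:14} {fn(SAMPLE_TITLE)}")
```

Running it shows the trade-off the comment describes: option 1 renders the tags as text (ugly but never executable), option 2 yields "Privacy Policy CookiesNoticemore" with all formatting gone, and option 3 keeps `<em>`, `<br>` and `<strong>` while the `onclick` attribute, the `<script>` element and the `<a>` element are removed (the script's text survives as harmless text, which is why a deliberately small allowlist matters). In WordPress the same choice would be made inside a `'the_privacy_policy_link'` filter callback using the real functions.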