[wp-trac] [WordPress Trac] #62619: Remove `wp_kses_post()` filtering from admin notices
WordPress Trac
noreply at wordpress.org
Mon Dec 2 03:43:53 UTC 2024
#62619: Remove `wp_kses_post()` filtering from admin notices
----------------------------+---------------------
 Reporter:  azaozz          |       Owner:  (none)
     Type:  defect (bug)    |      Status:  new
 Priority:  normal          |   Milestone:  6.8
Component:  Administration  |     Version:  6.4
 Severity:  normal          |  Resolution:
 Keywords:  has-patch       |     Focuses:
----------------------------+---------------------
Comment (by yogeshbhutkar):
Hi @azaozz,
Thank you for raising the ticket! I've added an initial patch to address
the removal of `wp_kses_post` in the `wp_admin_notice` function as
outlined.
As expected, this change impacts some test cases since the security checks
previously handled by `wp_kses_post` are now less restrictive.
Specifically, the following test cases in the `wpAdminNotice.php` file
will fail and may need to be removed:
1. Notices with unsafe types.
2. Notices with unsafe IDs.
3. Notices with unsafe class additions.
4. Notices with invalid additional attributes.
5. Notices with multiple attributes, including "role," invalid, "data-*,"
numeric, and boolean.
These cases were previously managed by `wp_kses_post`, and as noted in the
ticket, "It doesn't make sense to limit the use of HTML in these notices."
This means such scenarios will now need to be handled manually going
forward.
On the bright side, this change resolves the issue described in ticket
#62606, which is a positive step forward.
Could you confirm if it’s acceptable to address the failing test cases
(primarily removing them) as part of this PR? I’m happy to proceed
accordingly.
Looking forward to your feedback!
--
Ticket URL: <https://core.trac.wordpress.org/ticket/62619#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
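The five failing cases listed in the comment (unsafe type, unsafe id, unsafe classes, invalid and mixed attributes) are exactly what `wp_kses_post()` used to catch on the finished markup. The following is an added, standalone PHP illustration, not WordPress core code and not the patch attached to this ticket, of the kind of argument validation a caller would do before handing values to `wp_admin_notice()` once that output filter is gone; the helper name `validate_notice_args()`, the allowlists and the sample input are assumptions made for the example.

```php
<?php
// Added example (standalone PHP, not WordPress core code): validate the
// arguments of an admin notice before they reach the markup, since
// wp_kses_post() will no longer scrub the finished HTML. The helper name
// and the allowlists are assumptions made for this illustration.

function validate_notice_args( array $args ): array {
    $clean = array();

    // 1. type: fixed vocabulary; anything else becomes an untyped notice.
    $type = (string) ( $args['type'] ?? '' );
    $clean['type'] = in_array( $type, array( 'error', 'success', 'warning', 'info' ), true ) ? $type : '';

    // 2. id: lowercase [a-z0-9_-] only, the same character set sanitize_key() keeps.
    $clean['id'] = preg_replace( '/[^a-z0-9_\-]/', '', strtolower( (string) ( $args['id'] ?? '' ) ) );

    // 3. additional_classes: each class reduced to [A-Za-z0-9_-]; empty results dropped.
    $clean['additional_classes'] = array();
    foreach ( (array) ( $args['additional_classes'] ?? array() ) as $class ) {
        $class = preg_replace( '/[^A-Za-z0-9_\-]/', '', (string) $class );
        if ( '' !== $class ) {
            $clean['additional_classes'][] = $class;
        }
    }

    // 4./5. attributes: only role, data-* and aria-* names survive. A boolean
    // true becomes a bare attribute, other scalars are escaped for an attribute
    // context, and anything else (arrays, event handlers, numeric keys) is dropped.
    $clean['attributes'] = array();
    foreach ( (array) ( $args['attributes'] ?? array() ) as $name => $value ) {
        $name = strtolower( (string) $name );
        if ( ! preg_match( '/^(role|data-[a-z0-9_\-]+|aria-[a-z\-]+)$/', $name ) ) {
            continue;
        }
        if ( true === $value ) {
            $clean['attributes'][ $name ] = true;
        } elseif ( is_scalar( $value ) && false !== $value ) {
            $clean['attributes'][ $name ] = htmlspecialchars( (string) $value, ENT_QUOTES, 'UTF-8' );
        }
    }
    return $clean;
}

// Constructed input shaped like the failing test cases listed in the comment.
$unsafe = array(
    'type'               => 'error" data-x="y',
    'id'                 => 'My Notice <b>',
    'additional_classes' => array( 'notice-alt', 'x" y="z', '' ),
    'attributes'         => array( 'role' => 'alert', 'onclick' => 'f()', 'data-slug' => 'a&b', 'data-dismissible' => true, 0 => 'stray' ),
);
var_export( validate_notice_args( $unsafe ) );
```

With the constructed input, `type` collapses to `''`, `id` to `mynoticeb`, the classes to `notice-alt` and `xyz`, and only `role`, `data-slug` (as `a&amp;b`) and a bare `data-dismissible` remain among the attributes.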