[wp-trac] [WordPress Trac] #62619: Remove `wp_kses_post()` filtering from admin notices
WordPress Trac
noreply at wordpress.org
Mon Dec 2 21:45:57 UTC 2024
#62619: Remove `wp_kses_post()` filtering from admin notices
----------------------------+---------------------
Reporter: azaozz | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: 6.8
Component: Administration | Version: 6.4
Severity: normal | Resolution:
Keywords: has-patch | Focuses:
----------------------------+---------------------
Comment (by azaozz):
Replying to [comment:3 yogeshbhutkar]:
> As expected, this change impacts some test cases since the security checks previously handled by `wp_kses_post` are now less restrictive
Yea, many of the tests in Tests_Functions_WpAdminNotice won't pass after
reverting that change. I wouldn't call these "security" tests. They just
confirm how the HTML is restricted in admin notices.
> Could you confirm if it's acceptable to address the failing test cases (primarily removing them) as part of this PR?
Yes, thinking these should eventually be removed.
There may be more to it though. I'd really want to hear from the
contributors that worked to implement #57791 why these restrictions were
added in the first place. Also, any links to any discussions regarding the
restriction of HTML added by core and plugins would be very nice.
Frankly I don't see why plugins should be forbidden to do:
{{{
wp_admin_notice( '<script>anything goes here</script>' );
}}}
when they can so easily do something like:
{{{
add_action(
'admin_head',
function() {
echo '<script>anything goes here</script>';
}
);
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/62619#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform