[wp-trac] [WordPress Trac] #62619: Remove `wp_kses_post()` filtering from admin notices
WordPress Trac
noreply at wordpress.org
Thu Dec 19 21:58:55 UTC 2024
#62619: Remove `wp_kses_post()` filtering from admin notices
----------------------------+---------------------
 Reporter:  azaozz          |       Owner:  (none)
     Type:  defect (bug)    |      Status:  new
 Priority:  normal          |   Milestone:  6.8
Component:  Administration  |     Version:  6.4
 Severity:  normal          |  Resolution:
 Keywords:  has-patch       |     Focuses:
----------------------------+---------------------
Comment (by azaozz):
Replying to [comment:6 peterwilsoncc]:
> I'm concerned that it's too late to remove it as third party developers
> may have assumed that it was safe to pass user input to the function as it
> escapes the output.
Yea, good point. It seems it would be a really bad decision for a plugin
to store and/or output any user input without sanitizing or escaping it,
but that has been in core for some time and should stay in case a plugin
would do such silly stuff :)
Seems to fix this, the `wp_admin_notice()` function has to be deprecated
and replaced by a new function that will work properly. It only echoes the
output from `wp_get_admin_notice()` and runs an action that seems pretty
useless as it repeats exactly the `wp_admin_notice_markup` filter. The
name for the new function would probably be better as
`wp_print_admin_notice()` or maybe `wp_show_admin_notice()`.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/62619#comment:8>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
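
The practice both comments point to, a plugin escaping user input itself rather than relying on the `wp_kses_post()` pass inside the notice functions, as an added example that is not code from the ticket or from WordPress core. The plugin, the callback name and the `example_saved_title` query argument are hypothetical.

```php
<?php
/**
 * Plugin Name: Escaped Notice Example (hypothetical, constructed for illustration)
 */

add_action( 'admin_notices', 'example_show_saved_notice' );

/**
 * Shows a success notice that contains a user-supplied title.
 *
 * The pattern the quoted concern describes would be:
 *
 *     wp_admin_notice( 'Saved ' . $_GET['example_saved_title'] );
 *
 * which is only safe for as long as core filters the message. The version
 * below does not depend on that filtering.
 */
function example_show_saved_notice() {
	// 'example_saved_title' is an assumed query argument, not a core one.
	if ( ! current_user_can( 'manage_options' ) || ! isset( $_GET['example_saved_title'] ) ) {
		return;
	}

	// Sanitize on input: removes tags, control characters and extra whitespace.
	$title = sanitize_text_field( wp_unslash( $_GET['example_saved_title'] ) );

	// Escape on output: only the user-supplied value is escaped, so the
	// markup written by the plugin (<strong>) stays intact.
	$message = sprintf(
		/* translators: %s: title of the saved item */
		__( 'Saved %s.', 'example-plugin' ),
		'<strong>' . esc_html( $title ) . '</strong>'
	);

	wp_admin_notice(
		$message,
		array(
			'type'        => 'success',
			'dismissible' => true,
		)
	);
}
```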