[wp-trac] [WordPress Trac] #63611: wp_widget_rss_output: should escape HTML entities
WordPress Trac
noreply at wordpress.org
Sat Jun 21 01:06:44 UTC 2025
#63611: wp_widget_rss_output: should escape HTML entities
--------------------------+-----------------------------
Reporter: wildworks | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Widgets | Version:
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
Related to [https://github.com/WordPress/gutenberg/issues/70477 GB 70477]
Some RSS feeds seem to have HTML tags in the title field escaped to HTML
entities.
- RSS feed example:
https://pubmed.ncbi.nlm.nih.gov/rss/search/16cUU5Jcud0BSYRzHgbqJGm_F6kq07gr9atM8kZoogUmZdX5oj/
- Title example: `Oral administration of <em>Lactiplantibacillus
plantarum</em> GKK1 ameliorates atopic dermatitis in a mouse model`
The `wp_widget_rss_output()` function correctly strips HTML tags, but
doesn't remove HTML entities that have already been escaped:
https://github.com/WordPress/WordPress/blob/abe9603d9f318e9395caa792a722d979246035c0/wp-includes/widgets.php#L1633
Maybe we need to decode the HTML before stripping the tags:
{{{
$title = esc_html( trim( strip_tags( html_entity_decode(
$item->get_title() ) ) ) );
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63611>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
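
The ordering discussed in the ticket, as an added example that is not part of the original report or of WordPress core. `esc_html_standin()` is a hypothetical stand-in for `esc_html()` built on `htmlspecialchars()` with double-encoding off, and the sample titles are constructed.

```php
<?php
// Hypothetical stand-in for WordPress esc_html() (assumption): like esc_html(),
// it leaves entities that are already present alone instead of double-encoding.
function esc_html_standin(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8', false);
}

// Order the ticket reports: strip tags, then escape.
// Entity-escaped tags are not tags yet, so strip_tags() does not see them,
// and the escape step keeps the existing entities as they are.
function title_current(string $raw): string {
    return esc_html_standin(trim(strip_tags($raw)));
}

// Order the ticket proposes: decode entities, strip tags, then escape.
// The final escape stays outermost, so anything the decode step turned
// back into markup characters is re-encoded before output.
function title_proposed(string $raw): string {
    return esc_html_standin(trim(strip_tags(html_entity_decode($raw))));
}

// Constructed sample titles, as a feed parser might hand them over.
$titles = [
    // Tags escaped to entities, as in the ticket's title example.
    'Oral administration of &lt;em&gt;Lactiplantibacillus plantarum&lt;/em&gt; GKK1',
    // Real tags: both orders already handle these.
    'Plain <b>tagged</b> title',
    // An escaped "<" that is not a tag. strip_tags() does not validate HTML,
    // so once decoded it can take the text that follows with it.
    'Effect significant at p&lt;0.05 in a mouse model',
];

foreach ($titles as $raw) {
    printf(
        "raw:      %s\ncurrent:  %s\nproposed: %s\n\n",
        $raw,
        title_current($raw),
        title_proposed($raw)
    );
}
```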