[wp-trac] [WordPress Trac] #63630: Encoded HTML entities are decoded for users without unfiltered_html

WordPress Trac noreply at wordpress.org
Fri Jun 27 15:06:28 UTC 2025


#63630: Encoded HTML entities are decoded for users without unfiltered_html
--------------------------+-----------------------------
 Reporter:  jonsurrell    |      Owner:  (none)
     Type:  defect (bug)  |     Status:  assigned
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  General       |    Version:  2.0
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 When a user **without the [https://wordpress.org/documentation/article
 /roles-and-capabilities/#unfiltered_html unfiltered_html capability]**
 authors a post with text that appears to be a numeric (decimal or hex)
 HTML entity, the desired text is replaced with the HTML entity.

 For example, a user authors a post with the text `&#39;` or the following HTML
 in the block editor:

 {{{#!xml
 <!-- wp:paragraph -->
 <p>&amp;#39;</p>
 <!-- /wp:paragraph -->
 }}}

 The user's ''intent'' is to write the text `&#39;` which is correctly
 encoded as the HTML `&amp;#39;`.

 However, when the post is saved the post content is transformed to
 unescape the desired HTML escaping and leave the unescaped numeric HTML
 entity in the HTML, causing the corresponding character to be rendered by
 the browser, or `'` in the example.

 Querying the `post_content` field of the post reveals the same:

 {{{#!xml
 <!-- wp:paragraph -->
 <p>&#39;</p>
 <!-- /wp:paragraph -->
 }}}

 When the post is published, the text `'` is displayed instead of the
 expected `&#39;`.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/63630>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
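As an added example (not part of the ticket or of WordPress core), a PHPUnit regression test for the round trip the ticket describes, covering both the decimal and the hex form mentioned in the report. It assumes the core test framework (WP_UnitTestCase and its user factory) and the default contributor role, which lacks the unfiltered_html capability.

```php
<?php
/**
 * Added regression test for ticket #63630. Not code from the ticket or from
 * WordPress core; assumes WP_UnitTestCase, self::factory(), and that the
 * contributor role lacks unfiltered_html (the default).
 */
class Tests_Ticket_63630_Entity_Round_Trip extends WP_UnitTestCase {

	public function data_entity_like_text() {
		return array(
			// escaped form the editor stores, live entity the ticket reports
			'decimal' => array( '&amp;#39;', '&#39;' ),
			'hex'     => array( '&amp;#x27;', '&#x27;' ),
		);
	}

	/**
	 * @dataProvider data_entity_like_text
	 *
	 * @param string $escaped What the editor serialises for the literal text "&#39;".
	 * @param string $entity  The live entity the ticket reports in post_content.
	 */
	public function test_escaped_entity_text_is_stored_unchanged( $escaped, $entity ) {
		$contributor = self::factory()->user->create( array( 'role' => 'contributor' ) );
		wp_set_current_user( $contributor ); // kses_init() re-adds the content filters here.
		$this->assertFalse( current_user_can( 'unfiltered_html' ) );

		$input = "<!-- wp:paragraph -->\n<p>{$escaped}</p>\n<!-- /wp:paragraph -->";

		$post_id = wp_insert_post(
			array(
				'post_status'  => 'draft',
				'post_content' => wp_slash( $input ), // wp_insert_post() expects slashed data.
			)
		);
		$this->assertNotWPError( $post_id );

		$saved = get_post( $post_id )->post_content;

		// Expected: the escaped ampersand survives, so the page shows the literal text.
		// Reported: the ampersand is unescaped, leaving a live entity that renders as "'".
		$this->assertSame( $input, $saved );
		$this->assertStringNotContainsString( "<p>{$entity}</p>", $saved );
	}
}
```

Run it with the core test suite; it fails while the reported behaviour is present and passes once the escaped form survives the save.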

