[wp-trac] [WordPress Trac] #63630: Encoded HTML entities are decoded for users without unfiltered_html

WordPress Trac noreply at wordpress.org
Fri Jun 27 15:13:59 UTC 2025


#63630: Encoded HTML entities are decoded for users without unfiltered_html
--------------------------+------------------------------
 Reporter:  jonsurrell    |       Owner:  (none)
     Type:  defect (bug)  |      Status:  assigned
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  General       |     Version:  2.0
 Severity:  normal        |  Resolution:
 Keywords:                |     Focuses:
--------------------------+------------------------------
Description changed by jonsurrell:

Old description:

> When a user **without the [https://wordpress.org/documentation/article
> /roles-and-capabilities/#unfiltered_html unfiltered_html capability]**
> authors a post with text that appears to be a numeric (decimal or hex)
> HTML entity, the desired text is replaced with the HTML entity.
>
> For example, a user authors a post with the text `'` or the following HTML
> in the block editor:
>
> {{{#!xml
> <!-- wp:paragraph -->
> <p>&#39;</p>
> <!-- /wp:paragraph -->
> }}}
>
> The user's ''intent'' is to write the text `'` which is correctly
> encoded as the HTML `&#39;`.
>
> However, when the post is saved the post content is transformed to
> unescape the desired HTML escaping and leave the unescaped numeric HTML
> entity in the HTML, causing the corresponding character to be rendered by
> the browser, or `'` in the example.
>
> Querying the `post_content` field of the post reveals the same:
>
> {{{#!xml
> <!-- wp:paragraph -->
> <p>'</p>
> <!-- /wp:paragraph -->
> }}}
>
> When the post is published, the text `'` is displayed instead of the
> expected `'`.

New description:

 When a user **without the [https://wordpress.org/documentation/article
 /roles-and-capabilities/#unfiltered_html unfiltered_html capability]**
 authors a post with text that appears to be a numeric (decimal or hex)
 HTML character reference, the desired text is replaced with the HTML
 character reference.

 For example, a user authors a post with the text `'` or the following HTML
 in the block editor:

 {{{#!xml
 <!-- wp:paragraph -->
 <p>&#39;</p>
 <!-- /wp:paragraph -->
 }}}

 The user's ''intent'' is to write the text `'` which is correctly
 encoded as the HTML `&#39;`.

 However, when the post is saved the post content is transformed to
 unescape the desired HTML escaping and leave the unescaped numeric HTML
 character reference in the HTML, causing the corresponding character to be
 rendered by the browser, or `'` in the example.

 Querying the `post_content` field of the post reveals the same:

 {{{#!xml
 <!-- wp:paragraph -->
 <p>'</p>
 <!-- /wp:paragraph -->
 }}}

 When the post is published, the text `'` is displayed instead of the
 expected `'`.
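As an added illustration (not code from the ticket or from WordPress core), the Python below models the reported symptom with a constructed stand-in sanitizer that decodes an already-encoded numeric character reference one level, and a round-trip check that catches it: the text the browser renders must equal the text the author typed. The function names and the stand-in are assumptions for this example only.

```python
import html
import re

# Constructed stand-in for the behaviour the ticket describes: an encoded
# numeric character reference such as "&amp;#39;" or "&amp;#x27;" is decoded
# one level to "&#39;" / "&#x27;". This is NOT WordPress code; it only
# reproduces the symptom so the round-trip check has something to detect.
_ENCODED_NUMERIC_REF = re.compile(r"&amp;(#(?:[0-9]+|[xX][0-9a-fA-F]+);)")


def buggy_sanitize(post_html: str) -> str:
    """Model of the defect: strips one layer of encoding from numeric refs."""
    return _ENCODED_NUMERIC_REF.sub(r"&\1", post_html)


def correct_sanitize(post_html: str) -> str:
    """Expected behaviour: well-formed encoded text passes through untouched."""
    return post_html


def author_paragraph(text: str) -> str:
    """Serialize the author's literal text as an escaped block-editor paragraph."""
    escaped = html.escape(text, quote=True)  # "&" -> "&amp;", "'" -> "&#x27;"
    return f"<!-- wp:paragraph -->\n<p>{escaped}</p>\n<!-- /wp:paragraph -->"


def rendered_text(post_html: str) -> str:
    """What a browser would display for the paragraph: decode references once."""
    m = re.search(r"<p>(.*?)</p>", post_html, re.S)
    return html.unescape(m.group(1)) if m else ""


def round_trip_ok(text: str, sanitize) -> bool:
    """Invariant: rendered text after save equals what the author typed."""
    return rendered_text(sanitize(author_paragraph(text))) == text


if __name__ == "__main__":
    for sample in ["it's", "&#39;", "&#x27;"]:
        print(repr(sample), "buggy:", round_trip_ok(sample, buggy_sanitize),
              "correct:", round_trip_ok(sample, correct_sanitize))
```

A plain apostrophe survives either sanitizer, but literal text that merely looks like a numeric character reference loses a layer of encoding under the modeled defect and renders as `'` instead of the typed `&#39;`.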


-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/63630#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform