[wp-trac] [WordPress Trac] #63630: Encoded HTML entities are decoded for users without unfiltered_html
WordPress Trac
noreply at wordpress.org
Fri Jun 27 17:43:19 UTC 2025
#63630: Encoded HTML entities are decoded for users without unfiltered_html
--------------------------------------+------------------------------
Reporter: jonsurrell | Owner: (none)
Type: defect (bug) | Status: assigned
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 2.0
Severity: normal | Resolution:
Keywords: has-patch has-unit-tests | Focuses:
--------------------------------------+------------------------------
Comment (by jonsurrell):
I believe this issue goes back as far as [649] when kses.php was
introduced in WordPress.
The `unfiltered_html` behavior changed in [2896]; however, I did not check
how that changed the behavior on post save.
[https://github.com/soosyze/kses/blob/100564f46338f303fcfe17b8b4ccc37fc7e145b3/src/Xss.php#L560-L589 I found what appears to be a recent version of KSES]
where the normalize-entities transforms follow the same order as proposed in
[https://github.com/WordPress/wordpress-develop/pull/9099 PR 9099], which
suggests that it was a bug in KSES and that the fix is appropriate.
Unfortunately, I was unable to find commit history that discusses the
change.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63630#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform