[wp-trac] [WordPress Trac] #63071: Getting All output should be run through an escaping function error into the WordPress core files.
WordPress Trac
noreply at wordpress.org
Tue Jan 27 10:36:01 UTC 2026
#63071: Getting All output should be run through an escaping function error into
the WordPress core files.
--------------------------------------------+------------------------------
 Reporter:  viralsampat                     |       Owner:  (none)
     Type:  defect (bug)                    |      Status:  new
 Priority:  normal                          |   Milestone:  Awaiting Review
Component:  General                         |     Version:
 Severity:  normal                          |  Resolution:
 Keywords:  dev-feedback changes-requested  |     Focuses:  coding-standards
--------------------------------------------+------------------------------
Changes (by sajib1223):
* keywords: dev-feedback needs-testing changes-requested => dev-feedback
changes-requested
Comment:
== Test Report
=== Description
This report validates whether the indicated patch works as expected.
Patch tested:
https://core.trac.wordpress.org/attachment/ticket/63071/63071.2.patch
=== Environment
- WordPress: 7.0-alpha-61215-src
- PHP: 8.2.29
- Server: nginx/1.27.5
- Database: mysqli (Server: 8.4.7 / Client: mysqlnd 8.2.29)
- Browser: Firefox 147.0
- OS: Windows 10/11
- Theme: Twenty Twenty-Five 1.4
- MU Plugins: None activated
- Plugins:
  * Test Reports 1.2.1
=== Actual Results
1. ✅ Patch escapes not-allowed HTML tags, i.e. style, link, etc.
=== Additional Notes
- Only modified files from this patch:
  - /wp-admin/includes/class-wp-privacy-policy-content.php
  - /wp-admin/includes/dashboard.php
=== Supplemental Artifacts
I have tried adding `<style>p > strong { color: red; }</style>` to the
contextual sidebar. Following is the outcome.
==== Before Patch:
[[Image(https://files.catbox.moe/2kksp0.png)]]
==== After Patch:
[[Image(https://files.catbox.moe/mp7sox.png)]]
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63071#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform