General: Use wp_kses() in wp_trigger_error().

Uses `wp_kses()` instead of `esc_html()` to allow a list of HTML tags and protocols in the message rather than escaping them.

Why? To retain message readability in the browser and server logs, especially given that Core itself adds HTML to messages in functions, e.g. `_doing_it_wrong()` and each of the `_deprecated_*()` functions. 

HTML tags allowed:
* `a href`
* `br`
* `code`
* `em`
* `strong`

Protocols allowed: `http` and `https`.

To inform extenders, it also documents that any other HTML tags or protocols need to be escaped before passing the message to this function to avoid them being stripped from the message.

Follow-up to [56530], [56705].

Props azaozz, costdev, flixos90, hellofromTonya, peterwilsoncc.
Fixes #57686.
Built from https://develop.svn.wordpress.org/trunk@56707


git-svn-id: http://core.svn.wordpress.org/trunk@56219 1a063a9b-81f0-0310-95a4-ce76da25c4cd
hellofromTonya 2023-09-26 12:38:19 +00:00
parent d969240845
commit 534f200e48
2 changed files with 16 additions and 7 deletions


@ -5988,6 +5988,10 @@ function _doing_it_wrong( $function_name, $message, $version ) {
*
* @param string $function_name The function that triggered the error.
* @param string $message The message explaining the error.
* The message can contain allowed HTML 'a' (with href), 'code',
* 'br', 'em', and 'strong' tags and http or https protocols.
* If it contains other HTML tags or protocols, the message should be escaped
* before passing to this function to avoid being stripped {@see wp_kses()}.
* @param int $error_level Optional. The designated error type for this error.
* Only works with E_USER family of constants. Default E_USER_NOTICE.
*/
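Review bot: The added `$message` description says "http or https protocols" without tying them to the URL in the `a` tag's `href`, and it tells extenders to escape other markup without naming how. Suggest stating that `href` is the only attribute kept on `a`, that the protocol restriction applies to that `href` value, and naming the escaping function callers should apply first (for example `esc_html()`, which this function used before this change). Listing the tags in the same order as the array in the function body would also make the two easier to compare.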
@ -6015,12 +6019,17 @@ function wp_trigger_error( $function_name, $message, $error_level = E_USER_NOTIC
$message = sprintf( '%s(): %s', $function_name, $message );
}
/*
* If the message appears in the browser, then it needs to be escaped.
* Note the warning in the `trigger_error()` PHP manual.
* @link https://www.php.net/manual/en/function.trigger-error.php
*/
$message = esc_html( $message );
$message = wp_kses(
$message,
array(
'a' => array( 'href' ),
'br',
'code',
'em',
'strong',
),
array( 'http', 'https' )
);
trigger_error( $message, $error_level );
}
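Review bot: In the array passed as the second argument to `wp_kses()`, `'br'`, `'code'`, `'em'` and `'strong'` are plain list values with numeric keys, and `'href'` is a list value inside the `'a'` entry, but `wp_kses()` looks up allowed tags and allowed attributes by array key. As written, those four tags and the `href` attribute will not match the allowlist and will be stripped, which is the opposite of what the commit message describes. Suggest keying every entry, e.g. `'a' => array( 'href' => true ),` and `'br' => array(),` and likewise for `code`, `em` and `strong`. A unit test that passes a message containing each allowed tag and an `https` link and asserts they survive would catch this.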


@ -16,7 +16,7 @@
*
* @global string $wp_version
*/
$wp_version = '6.4-alpha-56706';
$wp_version = '6.4-alpha-56707';
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.