From 534f200e4818116baaf2dd94ed1ba5e93c22ca15 Mon Sep 17 00:00:00 2001
From: hellofromTonya
Date: Tue, 26 Sep 2023 12:38:19 +0000
Subject: [PATCH] General: Use wp_kses() in wp_trigger_error().
Uses `wp_kses()` instead of `esc_html()` to allow a list of HTML tags and protocols in the message rather than escaping them. Why? To retain message readability in the browser and server logs, especially given that Core itself adds HTML to messages in functions, e.g. `_doing_it_wrong()` and each of the `_deprecated_*()` functions.
HTML tags allowed:
* `a href`
* `br`
* `code`
* `em`
* `strong`
Protocols allowed: `http` and `https`.
To inform extenders, it also documents that any other HTML tags or protocols need to be escaped before passing the message to this function to avoid them being stripped from the message.
Follow-up to [56530], [56705].
Props azaozz, costdev, flixos90, hellofromTonya, peterwilsoncc.
Fixes #57686.
Built from https://develop.svn.wordpress.org/trunk@56707
git-svn-id: http://core.svn.wordpress.org/trunk@56219 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/functions.php | 21 +++++++++++++++------
 wp-includes/version.php | 2 +-
 2 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/wp-includes/functions.php b/wp-includes/functions.php
index d52bcde0be..406ec773a5 100644
--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@@ -5988,6 +5988,10 @@ function _doing_it_wrong( $function_name, $message, $version ) {
 *
 * @param string $function_name The function that triggered the error.
 * @param string $message The message explaining the error.
+ * The message can contain allowed HTML 'a' (with href), 'code',
+ * 'br', 'em', and 'strong' tags and http or https protocols.
+ * If it contains other HTML tags or protocols, the message should be escaped
+ * before passing to this function to avoid being stripped {@see wp_kses()}.
 * @param int $error_level Optional. The designated error type for this error. Only works with E_USER family of constants. Default E_USER_NOTICE.
 */
@@ -6015,12 +6019,17 @@ function wp_trigger_error( $function_name, $message, $error_level = E_USER_NOTIC
 $message = sprintf( '%s(): %s', $function_name, $message );
 }
- /*
- * If the message appears in the browser, then it needs to be escaped.
- * Note the warning in the `trigger_error()` PHP manual.
- * @link https://www.php.net/manual/en/function.trigger-error.php
- */
- $message = esc_html( $message );
+ $message = wp_kses(
+ $message,
+ array(
+ 'a' => array( 'href' ),
+ 'br',
+ 'code',
+ 'em',
+ 'strong',
+ ),
+ array( 'http', 'https' )
+ );
 trigger_error( $message, $error_level );
 }
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 6d3cd2c712..e5d6316b17 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '6.4-alpha-56706';
+$wp_version = '6.4-alpha-56707';
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
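Review bot: The four added `@param string $message` continuation lines in the first hunk understate what the `wp_kses()` call in the second hunk does to a `<` that is not part of an allowed tag: as far as I recall, kses treats any `<` as a tag start and removes everything through the next `>` (or the end of the string) instead of encoding it, so a plain-text message such as `Expected < 5 items` loses its tail, which the replaced `esc_html()` used to preserve. I would state this explicitly, e.g. `Any other '<' in the message, including text that is not HTML, is removed up to the next '>'; escape such fragments with esc_html() before passing them in (escaping the whole message would also neutralise the allowed tags).` Because `wp_kses()` also runs the `pre_kses` and `wp_kses_allowed_html` filters (the latter with the 'explicit' context, if I read kses correctly), a plugin that broadens the allowed tags for every context widens what reaches `trigger_error()` and, with `display_errors` on, the browser; a unit test pinning that `<a href="https://example.org">` survives while a `<script>` tag does not would make the intended contract checkable. `wp_trigger_error()` begins outside the second hunk.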