Security: Remove use of innerHTML in the the_block_template_skip_link() function.

There is no need to support HTML in this string and switching to `innerText` helps facilitate a more restrictive Content Security Policy.

Props micromadness, sabernhardt

Fixes #58765
Built from https://develop.svn.wordpress.org/trunk@59831


git-svn-id: http://core.svn.wordpress.org/trunk@59173 1a063a9b-81f0-0310-95a4-ce76da25c4cd
John Blackbourn 2025-02-17 16:25:19 +00:00
parent 1d6b7d6fe8
commit 732c732e5f
2 changed files with 2 additions and 2 deletions


@ -205,7 +205,7 @@ function wp_enqueue_block_template_skip_link() {
skipLink.classList.add( 'skip-link', 'screen-reader-text' );
skipLink.id = 'wp-skip-link';
skipLink.href = '#' + skipLinkTargetID;
skipLink.innerHTML = '<?php /* translators: Hidden accessibility text. */ esc_html_e( 'Skip to content' ); ?>';
skipLink.innerText = '<?php /* translators: Hidden accessibility text. Do not use HTML entities (&nbsp;, etc.). */ esc_html_e( 'Skip to content' ); ?>';
// Inject the skip link.
sibling.parentElement.insertBefore( skipLink, sibling );
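Review bot: The `innerText` assignment still builds its JavaScript string literal with `esc_html_e()`, which escapes for an HTML context rather than a script one. Because the value is no longer parsed as HTML, any entity that escaping emits (for an ampersand or apostrophe in a translation, say) would now be displayed literally in the skip link, and a backslash or line break in a translation is not handled for the string literal at all. Encoding for JavaScript matches the context and drops the hand-written quotes: `skipLink.innerText = <?php echo wp_json_encode( __( 'Skip to content' ), JSON_HEX_TAG | JSON_HEX_AMP ); ?>;`, with the translators comment kept in front of the `__()` call. The enclosing function begins and ends outside this hunk.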


@ -16,7 +16,7 @@
*
* @global string $wp_version
*/
$wp_version = '6.8-alpha-59830';
$wp_version = '6.8-alpha-59831';
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.