wp_get_attachment_link() does not allow HTML in link text

[SergeyBiryukov]

Background: #18156

Escaping $link_text was introduced in [10495] along with the $text parameter itself and changed to esc_attr() in [11204]. Looks like it shouldn't really be there:

1. $link_text is not an attribute, it's literally a link text.
2. adjacent_post_link() doesn't escape link text.

[griffinjt]

Letting straight HTML come through doesn't seem like the safest way to go. Why not just filter using wp_kses_post()? Not escaping allows for <script> tags to pass through, so if we want to add HTML, let's at least filter what type of HTML tags can come through. I've attached an updated diff for it.

[SergeyBiryukov]

I don't see a reason to escape the text here. If someone calls wp_get_attachment_link() with <script> tags, they could as well insert them into the template file directly.

That would be inconsistent with other *_link() functions which don't escape anchor text:

• the_feed_link()
• post_comments_feed_link()
• edit_term_link()
• edit_post_link()
• edit_comment_link()
• edit_bookmark_link()
• adjacent_post_link()
• get_next_posts_link()
• get_previous_posts_link()
• get_next_comments_link()
• get_previous_comments_link()

[nacin]

We try to avoid kses on the frontend for performance reasons.

Removing the escaping seems appropriate here.

[ryan]

In [20654]:

Don't escape anchor text as an attributein wp_get_attachment_link(). Props SergeyBiryukov. fixes #19282