Make WordPress Core

Changeset 56707

09/26/2023 12:36:50 PM (8 months ago)

General: Use wp_kses() in wp_trigger_error().

Uses wp_kses() instead of esc_html() to allow a list of HTML tags and protocols in the message rather than escaping them.

Why? To retain message readability in the browser and server logs, especially given that Core itself adds HTML to messages in functions, e.g. _doing_it_wrong() and each of the _deprecated_*() functions.

HTML tags allowed:

  • a href
  • br
  • code
  • em
  • strong

Protocols allowed: http and https.

To inform extenders, it also documents that any other HTML tags or protocols need to be escaped before passing the message to this function to avoid them being stripped from the message.

Follow-up to [56530], [56705].

Props azaozz, costdev, flixos90, hellofromTonya, peterwilsoncc.
Fixes #57686.

1 edited


  • trunk/src/wp-includes/functions.php

    r56705 r56707  
    59895989 * @param string $function_name The function that triggered the error.
    59905990 * @param string $message       The message explaining the error.
     5991 *                              The message can contain allowed HTML 'a' (with href), 'code',
     5992 *                              'br', 'em', and 'strong' tags and http or https protocols.
     5993 *                              If it contains other HTML tags or protocols, the message should be escaped
     5994 *                              before passing to this function to avoid being stripped {@see wp_kses()}.
    59915995 * @param int    $error_level   Optional. The designated error type for this error.
    59925996 *                              Only works with E_USER family of constants. Default E_USER_NOTICE.
    60166020    }
    6018     /*
    6019      * If the message appears in the browser, then it needs to be escaped.
    6020      * Note the warning in the `trigger_error()` PHP manual.
    6021      * @link
    6022      */
    6023     $message = esc_html( $message );
     6022    $message = wp_kses(
     6023        $message,
     6024        array(
     6025            'a' => array( 'href' ),
     6026            'br',
     6027            'code',
     6028            'em',
     6029            'strong',
     6030        ),
     6031        array( 'http', 'https' )
     6032    );
    60256034    trigger_error( $message, $error_level );
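Review bot: the `$allowed_html` array passed to `wp_kses()` at lines 6024-6030 is not in the shape `wp_kses()` reads. KSES looks up the tag name as an array key and each permitted attribute as a key of that tag's array (`'href' => true`); here `'br'`, `'code'`, `'em'` and `'strong'` are list values under integer keys, so those tags are not recognised and will be stripped, and `array( 'href' )` makes `href` a value rather than a key, so it is dropped from `<a>` as well. Suggest `'a' => array( 'href' => true ), 'br' => array(), 'code' => array(), 'em' => array(), 'strong' => array()`. Separately, the removed comment at 6018-6022 explaining why the message is sanitised before `trigger_error()` (it may be rendered in the browser) is not carried over; a one-line comment above the `wp_kses()` call would keep that context for the next reader.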