Message in the_post_format_chat() should be escaped
Reported by: tollmanz
Owned by:
When the chat message is printed, it needs to be run through esc_html(). As lancewillet indicated, it was removed in r23876 because the links in the content were made to be clickable and escaping the data would nullify these efforts. While clickable links are great, I think escaping the data is much more important. I think that this issue should not be overlooked and this data should be properly escaped.
I think that one way of handling the issue would be to remove make_clickable() from get_content_chat(). There probably are a number of worthy use cases for getting that data in its rawest form anyway (e.g., some chat apps won't make links clickable). If we remove the make_clickable() call, we can easily call esc_html() on the content without concern. Functions calling the_post_format_chat() can then decide whether or not to make the links clickable (or we could even add an optional parameter to the function).
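The following is an added illustration of the ordering problem the ticket describes; it is not code from the ticket, from tollmanz, or from WordPress core. To run without loading WordPress it uses two simplified stand-ins, demo_esc_html() and demo_make_clickable(), for esc_html() and make_clickable(); the chat line, the helper names and the hypothetical print_chat_line() wrapper are all constructed for this example.

```php
<?php
// Added example, not WordPress core code. Shows why escaping chat content
// after make_clickable() destroys the links, while escaping first and
// linkifying second keeps the links and neutralizes injected markup.

// Stand-in for WordPress esc_html(): encode HTML-significant characters.
function demo_esc_html(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Stand-in for WordPress make_clickable(): wrap bare http(s) URLs in anchors.
// double_encode=false keeps an already-escaped "&amp;" from becoming "&amp;amp;".
function demo_make_clickable(string $text): string {
    return preg_replace_callback(
        '#https?://[^\s<>"]+#i',
        function (array $m): string {
            $href = htmlspecialchars($m[0], ENT_QUOTES, 'UTF-8', false);
            return '<a href="' . $href . '" rel="nofollow">' . $m[0] . '</a>';
        },
        $text
    );
}

// Ordering A (the pre-r23876 state the ticket wants restored, applied naively):
// linkify the raw text, then esc_html() the result. The injected tag is
// neutralized, but the generated <a> tags are neutralized too.
function escape_after_linking(string $line): string {
    return demo_esc_html(demo_make_clickable($line));
}

// Ordering B: escape the untrusted text first, then run link detection on the
// escaped string. Injected markup stays inert text; the anchor survives.
function link_after_escaping(string $line): string {
    return demo_make_clickable(demo_esc_html($line));
}

// Ordering C (the state the ticket reports): links only, no escaping at all.
// Attacker-supplied markup reaches the page as live HTML.
function no_escaping(string $line): string {
    return demo_make_clickable($line);
}

// Hypothetical shape of the ticket's proposal: the printing function always
// escapes, and the caller opts in to clickable links via a parameter.
function print_chat_line(string $raw_message, bool $make_clickable = false): string {
    $safe = demo_esc_html($raw_message);
    return $make_clickable ? demo_make_clickable($safe) : $safe;
}

// Constructed chat line from an untrusted author: a URL plus an injected tag.
$chat_line = 'look at http://example.com/?a=1&b=2 <img src=x onerror="alert(1)">';

$outputs = [
    'no escaping'           => no_escaping($chat_line),
    'escape after linking'  => escape_after_linking($chat_line),
    'link after escaping'   => link_after_escaping($chat_line),
    'print_chat_line(true)' => print_chat_line($chat_line, true),
];

foreach ($outputs as $label => $html) {
    $live_tag = preg_match('/<img\b/i', $html) === 1 ? 'live <img> tag present' : 'no live tag';
    $anchor   = strpos($html, '<a href=') !== false ? 'clickable link kept' : 'link not clickable';
    printf("%-23s %s, %s\n", $label . ':', $live_tag, $anchor);
    echo '  ' . $html . "\n";
}
```

Running this with the PHP CLI prints that "no escaping" leaves the injected tag live, "escape after linking" removes the tag but also removes the link, and both "link after escaping" and the print_chat_line() wrapper keep the link while leaving the tag as inert text. The stand-ins are deliberately simpler than the real functions (WordPress's make_clickable() also handles www.-prefixed and mailto: forms and runs the href through esc_url()), so the point carried over is the ordering, not the exact output.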