id: 24420
summary: Message in the_post_format_chat() should be escaped
reporter: tollmanz
owner: (empty)
type: defect (bug)
status: closed
priority: normal
milestone: (empty)
component: Post Formats
version: 3.6
severity: normal
resolution: invalid
keywords: (empty)
cc: (empty)
focuses: (empty)

description:

Looks like this was mentioned by lancewillet in #23625 (http://core.trac.wordpress.org/ticket/23625#comment:41), but never addressed. When the chat message is printed, it needs to be run through `esc_html()`. As lancewillet indicated, it was removed in r23876 because the links in the content were made to be clickable and escaping the data would nullify these efforts.

While clickable links are great, I think escaping the data is much more important. I think that this issue should not be overlooked and this data should be properly escaped.

I think that one way of handling the issue would be to remove `make_clickable()` from `get_content_chat()`. There probably are a number of worthy use cases for getting that data in its rawest form anyway (e.g., some chat apps won't make links clickable). If we remove the `make_clickable()` call, we can easily call `esc_html()` on the content without concern. Functions calling `the_post_format_chat()` can then decide whether or not to make the links clickable (or we could even add an optional parameter to the function).
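The tension the ticket describes (escaping after `make_clickable()` destroys the anchors it produced) goes away if the raw message is escaped first and linkified second, with clickability left to the caller as the reporter suggests. The following is an added illustration, not code from WordPress core or from this ticket; it assumes WordPress is loaded so that `esc_html()` and `make_clickable()` are available, and `render_chat_message()` and the sample input are constructed for this example.

```php
<?php
// Added example (not WordPress core code). Assumes WordPress is loaded so that
// esc_html() and make_clickable() exist; render_chat_message() is hypothetical.

function render_chat_message( $author, $message, $clickable = true ) {
    // Escape the raw message first: '<', '>', '&' and quotes become entities,
    // so any markup the user typed is rendered as text, never as HTML.
    $safe = esc_html( $message );

    // Only then add anchors. make_clickable() runs over already-escaped text,
    // so the <a> tags it emits are the only markup in the output. Callers that
    // want the message without links pass $clickable = false.
    if ( $clickable ) {
        $safe = make_clickable( $safe );
    }

    return sprintf(
        '<dt class="chat-author">%s</dt><dd class="chat-text">%s</dd>',
        esc_html( $author ),
        $safe
    );
}

// Constructed input: a message that carries both a URL and a tag that must
// reach the browser as text rather than as markup.
$raw = 'hello <script>notify()</script> see http://example.com/page';
echo render_chat_message( 'alice', $raw );
// Output contains &lt;script&gt;... as visible text and an <a href="http://example.com/page"> anchor.
```

The order is the whole point: calling `make_clickable()` before `esc_html()` would escape the generated `<a>` tags along with everything else, which is exactly why r23876 dropped the escaping. Escaping first keeps user-supplied markup inert while still producing clickable links, and the optional parameter mirrors the reporter's suggestion of letting callers of `the_post_format_chat()` choose.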