Bug when using ampersand "&" in menutitle WP multisite

[lrgolf]

I just discovered when using a ampersand symbol "&" in menutitles, it echos as html code on the livesite.
This only happens on a multisite network and on any roles that are not super admins. For super admins there is no problem in using the symbol.

Very strange.

Best regards
Lars Thyregod
Denmark

[jeremyfelt]

Hi @lrgolf, thanks for the report.

In a single site configuration, administrators have the unfiltered_html capability, which means the default kses filters do not fire and & survives. In a multisite configuration, only super admins have this unfiltered_html capability. Standard site administrators will have their menu titles filtered through a chain that includes wp_kses_normalize_entities, which replaces & with &.

While this can be confusing, it is expected behavior for now. The ​roadmap for multisite includes a possible future where other users on a closed network are trusted with the unfiltered_html capability.