Opened 13 months ago
Last modified 3 months ago
#60373 new defect (bug)
plugin activation errors are accidentally hidden
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | critical | Version: | |
| Component: | Plugins | Keywords: | |
| Focuses: | | Cc: | |
Description
In recent versions (can't tell exactly when), it seems the admin_notice messages were being filtered by wp_kses_post, which caused breaking changes, which contradicts WP core itself.
To reproduce, add this to a plugin:
register_activation_hook(__FILE__, function($x){ die('plugin can not activate, because XYZ'); } );
Then try to activate. It will show the admin notice "Plugin could not be activated because it triggered a fatal error" and nothing more. However, it should have shown that XYZ message inside an iframe; you can confirm that by looking at:
https://core.trac.wordpress.org/browser/tags/6.4.2/src/wp-admin/plugins.php#L685
(if you do var_dump($errmsg) before that wp_admin_notice line, you will see that the iframe part is also included in $errmsg)
However, inside wp_admin_notice there is wp_kses_post, which filters out the iframe that was added by core itself:
https://core.trac.wordpress.org/browser/tags/6.4.2/src/wp-includes/functions.php#L8891
So, that is a contradiction in WP, and should be solved either way. I understand that stripping the iframe might have been a security step; however, it was done incorrectly. That wp_kses_post should allow iframe, but the XYZ message itself (coming from the plugin's activation) should be filtered, so that would achieve the security goal.
At this moment, that change/misbehavior (which we noticed too late) has broken dozens of our plugins on wp.org. Please fix it.
Attachments (1)
Change History (4)
#3 @ 3 months ago
Until a fix is applied in WP core, for anyone reading this: if you are developing a plugin and can't view the fatal-error reasons, you might use https://wordpress.org/plugins/additional-wp-tweaks-options/ and enable the "Enable Plugin activation error iframe" option, and then it will show the error.
possible patch
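One way to get the iframe back on a development site without allowing iframes everywhere wp_kses_post() runs, as an added example (not WordPress core code, not the attached patch, and not the code of the plugin linked above). The function name is hypothetical, and the attribute list and the `error` query argument are assumptions about what the Plugins screen emits after a failed activation.

```php
<?php
/**
 * Plugin Name: Example - keep the activation error iframe (added example)
 */

/**
 * Re-allow <iframe> in the 'post' KSES allowlist, but only while rendering
 * the Plugins screen after a failed activation, and only for users who are
 * allowed to activate plugins. Every other wp_kses_post() call is unchanged.
 *
 * Hypothetical helper name; hooked on the real 'wp_kses_allowed_html' filter.
 */
function example_allow_activation_error_iframe( $allowed, $context ) {
	global $pagenow;

	// wp_kses_post() uses the 'post' context; leave all other contexts alone.
	// (An explicit allowlist array arrives here as 'explicit', never 'post'.)
	if ( 'post' !== $context ) {
		return $allowed;
	}

	// Scope to wp-admin/plugins.php with the failed-activation redirect.
	// Assumption: core marks that redirect with an 'error' query argument.
	if ( ! is_admin() || 'plugins.php' !== $pagenow || ! isset( $_GET['error'] ) ) {
		return $allowed;
	}

	// Never widen the allowlist for users who cannot activate plugins.
	if ( ! current_user_can( 'activate_plugins' ) ) {
		return $allowed;
	}

	// Assumption: these are the only attributes the core-generated iframe
	// needs. No other iframe attribute (srcdoc, allow, ...) is let through.
	$allowed['iframe'] = array(
		'src'    => true,
		'style'  => true,
		'width'  => true,
		'height' => true,
	);

	return $allowed;
}
add_filter( 'wp_kses_allowed_html', 'example_allow_activation_error_iframe', 10, 2 );
```

While the scope conditions hold, any other string passed through wp_kses_post() on that same request can also carry an iframe, so this belongs on development or staging sites rather than production.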