Adminbar title not escaped

[kkmuffme]

class-wp-admin-bar.php

<?php
echo ">{$arrow}{$node->title}";

The title isn't getting escaped, there should be an esc_html() there?

[kkmuffme]

e.g.

<?php
$wp_admin_bar->add_menu(
        array(
                'id'     => 'foo',
                'title'  => 'This & that',
                'href'   => 'https://foo.com',  
        )
);

The & will not be & but literal

FIxes: https://core.trac.wordpress.org/ticket/62545

Doesn't this break the admin bar whenever HTML is used in a title (which is commonly done)?

I have attached a screenshot:

[sabernhardt]

It should not use esc_html() because that would break almost all links with an icon or image, including links—and the search form—from Core.

I'll leave the ticket open in case there is a better way to sanitize the node titles (or to skip creating a node if it finds something that does not belong).

[yogeshbhutkar]

Patch to use wp_kses_post to escape the admin bar title instead of using esc_url or not escaping at all.

[yogeshbhutkar]

@sabernhardt, If escaping is required in this context, we can utilize wp_kses_post(). This function allows safe HTML to pass through while preventing potentially harmful elements, avoiding the side effects illustrated in the screenshot.

[yogeshbhutkar]

Screenshot of using wp_kses_post() to escape the admin bar title.

[sabernhardt]

The wp_kses_post() function does not fit either. It would change & to &, but it would also break the search node (the screenshot shows the front end without a search icon). The ​default KSES post array does not allow form or input elements, and the filter could remove other elements that plugins rely on.

[sabernhardt]

The title probably could normalize HTML entities:
wp_kses_normalize_entities( $node->title )

That is not escaping, but the function is part of esc_html().

The GitHub user that created this PR has been deleted. Closing the PR.

## Summary
Normalize HTML entities when rendering admin bar node titles without escaping valid markup used by core and plugins.

## Problem
WP_Admin_Bar::_render_item() outputs $node->title directly. This means text like This & that is rendered with a literal & instead of a normalized &, while broad escaping approaches would break existing admin bar titles that intentionally include HTML.

## Solution
Use wp_kses_normalize_entities() when rendering the admin bar title. This normalizes entities in text content while preserving valid embedded markup.

## Testing
Added a PHPUnit regression test covering an admin bar title that includes both HTML markup and an ampersand.

Verified in the configured local wordpress-develop environment with:

• node ./tools/local-env/scripts/docker.js exec --user wp_php php ./vendor/bin/phpunit --filter test_admin_bar_normalizes_title_entities_without_escaping_html tests/phpunit/tests/adminbar.php
• node ./tools/local-env/scripts/docker.js exec --user wp_php php ./vendor/bin/phpunit tests/phpunit/tests/adminbar.php