Adminbar title not escaped

[kkmuffme]

class-wp-admin-bar.php

<?php
echo ">{$arrow}{$node->title}";

The title isn't getting escaped, there should be an esc_html() there?

[kkmuffme]

e.g.

<?php
$wp_admin_bar->add_menu(
        array(
                'id'     => 'foo',
                'title'  => 'This & that',
                'href'   => 'https://foo.com',  
        )
);

The & will not be & but literal

FIxes: https://core.trac.wordpress.org/ticket/62545

Doesn't this break the admin bar whenever HTML is used in a title (which is commonly done)?

I have attached a screenshot:

[sabernhardt]

It should not use esc_html() because that would break almost all links with an icon or image, including links—and the search form—from Core.

I'll leave the ticket open in case there is a better way to sanitize the node titles (or to skip creating a node if it finds something that does not belong).

[yogeshbhutkar]

Patch to use wp_kses_post to escape the admin bar title instead of using esc_url or not escaping at all.

[yogeshbhutkar]

@sabernhardt, If escaping is required in this context, we can utilize wp_kses_post(). This function allows safe HTML to pass through while preventing potentially harmful elements, avoiding the side effects illustrated in the screenshot.

[yogeshbhutkar]

Screenshot of using wp_kses_post() to escape the admin bar title.

[sabernhardt]

The wp_kses_post() function does not fit either. It would change & to &, but it would also break the search node (the screenshot shows the front end without a search icon). The ​default KSES post array does not allow form or input elements, and the filter could remove other elements that plugins rely on.

[sabernhardt]

The title probably could normalize HTML entities:
wp_kses_normalize_entities( $node->title )

That is not escaping, but the function is part of esc_html().