Missing escaping in title tag

[maheshpatel]

Missing escaping in <title> tag ⭐ TOP PICK

• File: [src/wp-login.php](src/wp-login.php#L97)
• Line: 97
• Problem: <title> tag outputs $login_title without escaping. Special characters could break HTML structure.
• Severity: Security best practice
• Current Code:

    <title><?php echo $login_title; ?></title>
  

• Fix:

    <title><?php echo esc_html( $login_title ); ?></title>
  

Missing escaping in <title> tag

• File: [src/wp-login.php#L97 src/wp-login.php]
• Line: 97
• Problem: <title> tag outputs $login_title without escaping. Special characters could break HTML structure.
• Severity: Security best practice
• Current Code:

  <title><?php echo $login_title; ?></title>
  

• Fix:

  <title><?php echo esc_html( $login_title ); ?></title>
  

[maheshpatel]

The issue has been addressed and a fix has been implemented.

A pull request has been submitted for review: ​https://github.com/WordPress/wordpress-develop/pull/11575

Kindly take a look and share your feedback. Happy to make any required changes.

Ticket: https://core.trac.wordpress.org/ticket/65076

### Summary

This PR addresses multiple instances of improperly escaped output in wp-login.php. It ensures that dynamic strings are escaped at the point of output using appropriate WordPress escaping functions, aligning with core security best practices.

### Problem

Several strings in wp-login.php were output without proper escaping or with inconsistent escaping. This can lead to:

• Potential security risks (e.g., XSS vulnerabilities)
• Violation of WordPress coding standards regarding output escaping

WordPress recommends escaping data as late as possible (on output) to avoid issues like double-escaping or unsafe rendering.

### Solution

• Audited multiple output points in wp-login.php
• Applied appropriate escaping functions based on context:.
• Ensured consistency across all login-related messages and UI elements

### Impact

• Improves security by preventing unescaped output
• Aligns with WordPress Core coding standards

### Notes

• No backward compatibility issues expected
• Changes are limited to output escaping and do not alter logic or functionality

[opurockey]

Hi, Along with the originally reported issue, I’ve also fixed a few additional instances in wp-login.php where strings were not properly escaped or were inconsistently handled. These were updated to use the appropriate escaping functions based on context to ensure safer and more consistent output.
Let me know if you’d like me to split these into a separate PR or keep them as part of this fix.

[dmsnell]

All. Please follow the instructions in the large box with the bolded title ARE YOU IN THE RIGHT PLACE? before submitting security-related tickets, and ​follow the security-reporting instructions.

Please continue this discussion in the appropriate place according to those instructions. Thank you for your contributions; there is a process for handling security issues though, which is why those warnings are everywhere.

Looking forward to getting your changes in!