Skip to content

Added escaping on several strings in wp-login.php#11578

Open
OpuRockey wants to merge 1 commit intoWordPress:trunkfrom
OpuRockey:ticket/65076
Open

Added escaping on several strings in wp-login.php#11578
OpuRockey wants to merge 1 commit intoWordPress:trunkfrom
OpuRockey:ticket/65076

Conversation

@OpuRockey
Copy link
Copy Markdown

@OpuRockey OpuRockey commented Apr 15, 2026

Ticket: https://core.trac.wordpress.org/ticket/65076

Summary

This PR addresses multiple instances of improperly escaped output in wp-login.php. It ensures that dynamic strings are escaped at the point of output using appropriate WordPress escaping functions, aligning with core security best practices.

Problem

Several strings in wp-login.php were output without proper escaping or with inconsistent escaping. This can lead to:

  • Potential security risks (e.g., XSS vulnerabilities)
  • Violation of WordPress coding standards regarding output escaping

WordPress recommends escaping data as late as possible (on output) to avoid issues like double-escaping or unsafe rendering.

Solution

  • Audited multiple output points in wp-login.php
  • Applied appropriate escaping functions based on context:.
  • Ensured consistency across all login-related messages and UI elements

Impact

  • Improves security by preventing unescaped output
  • Aligns with WordPress Core coding standards

Notes

  • No backward compatibility issues expected
  • Changes are limited to output escaping and do not alter logic or functionality

@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 15, 2026

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Core Committers: Use this line as a base for the props when committing in SVN:

Props opurockey.

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 15, 2026

Test using WordPress Playground

The changes in this pull request can previewed and tested using a WordPress Playground instance.

WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser.

Some things to be aware of

  • All changes will be lost when closing a tab with a Playground instance.
  • All changes will be lost when refreshing the page.
  • A fresh instance is created each time the link below is clicked.
  • Every time this pull request is updated, a new ZIP file containing all changes is created. If changes are not reflected in the Playground instance,
    it's possible that the most recent build failed, or has not completed. Check the list of workflow runs to be sure.

For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation.

Test this pull request with WordPress Playground.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@OpuRockey