Strip HTML tags in privacy policy link

[shail-mehta]

Trac ticket: https://core.trac.wordpress.org/ticket/64748

• Used wp_kses_post() instead of esc_html()

Before	After

Use of AI Tools

• None

---

This Pull Request is for code review only. Please keep all other discussion in the Trac ticket. Do not merge this Pull Request. See GitHub Pull Requests for Code Review in the Core Handbook for more details.

[github-actions]

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Core Committers: Use this line as a base for the props when committing in SVN:

Props shailu25, westonruter, huzaifaalmesbah, mukesh27.

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

[github-actions]

Test using WordPress Playground

The changes in this pull request can previewed and tested using a WordPress Playground instance.

WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser.

Some things to be aware of

• All changes will be lost when closing a tab with a Playground instance.
• All changes will be lost when refreshing the page.
• A fresh instance is created each time the link below is clicked.
• Every time this pull request is updated, a new ZIP file containing all changes is created. If changes are not reflected in the Playground instance,
  it's possible that the most recent build failed, or has not completed. Check the list of workflow runs to be sure.

For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation.

Test this pull request with WordPress Playground.

[huzaifaalmesbah]

Looks Good

Before Apply Patch	After Apply Patch ✅

[westonruter]

Technically, since get_the_title() was used, is Kses even needed? True it would be nicer for late escaping, but it would also be redundant:

Suggested change

	wp_kses_post( $page_title )
	$page_title

Not saying we should do this, but I wanted to point this out.

[mukeshpanchal27]

WP core use esc_html for get_the_title in many places https://github.com/search?q=repo%3AWordPress%2Fwordpress-develop%20esc_html(%20get_the_title&type=code Do we needs to open separate issue for this to review all those instances?

Can we update the codebase something like:

$link               = '';
$privacy_policy_url = get_privacy_policy_url();
$policy_page_id     = (int) get_option( 'wp_page_for_privacy_policy' );

if ( $privacy_policy_url && $policy_page_id ) {
	$link = sprintf(
		'<a class="privacy-policy-link" href="%s" rel="privacy-policy">%s</a>',
		esc_url( $privacy_policy_url ),
		get_the_title( $policy_page_id ) ?? ''
	);
}

[westonruter]

Here is a smaller set with a more tailored regex: https://github.com/search?q=repo%3AWordPress%2Fwordpress-develop+%2Fesc_html%5C%28+get_the_title%5C%28%2F&type=code

This doesn't catch cases where get_the_title() is stored in a variable and then later echoed.

I think it would sense to change the scope of the ticket to address this issue for all these cases.

[sabernhardt]

get_the_title() needs to keep some escaping/cleaning.

Consider this absurdly extreme example for the title I added in Quick Edit:
<p class="privacy-policy-link"><span style="color:darkgreen">P</span><b>r</b><i>i</i><strong>v</strong><em>a</em><code>c</code><kbd>y</kbd></p><div>&nbsp;</div><h1>P</h1><h2>o</h2><h3>l</h3><h4>i</h4><h5>c</h5><h6>y</h6><span> & <a>Terms</a></span><style>.privacy-policy-link{font-size:1.2em}</style><script>console.log('privacy-policy-link');</script>

The link(s) should not allow style or script tags, the a element does not fit within a link, and I do not know of a case in which any of the block elements would be appropriate.

If someone wants the entire link text bold or italic, that would be better in CSS than adding HTML in the title wherever it appears. In the case when someone wants part of the title emphasized, such as <strong>Privacy</strong> Policy, the link filter can un-escape the desired element right now with esc_html().

function enable_strong_in_the_privacy_policy_link( $link ) {
	if ( str_contains( $link, '<' ) ) {
		$link = str_replace(
			array( '<strong>', '</strong>' ),
			array( '<strong>', '</strong>' ),
			$link
		);
	}

	return $link;
}
add_filter( 'the_privacy_policy_link', 'enable_strong_in_the_privacy_policy_link' );

Similarly, if the function switches to wp_strip_all_tags(), someone could use the filter to replace Privacy with <strong>Privacy</strong>.

If we have clear examples of appropriate tags to start allowing for any site, the function(s) could use
wp_kses( $page_title, array( 'strong' => array(), 'em' => array() ) )

[shail-mehta]

Should we consider removing esc_html() across all related instances?

[westonruter]

Yes.

Update: But probably with KSES to allowlist a specific set of formatting tags.