Add escaping

maheshpatel27 · maheshpatel27 · commit d38848bf28de · 2026-04-17T20:13:40.000+05:30
diff --git a/src/wp-login.php b/src/wp-login.php
@@ -231,7 +231,7 @@ function login_header( $title = null, $message = '', $wp_error = null ) {
 	$message = apply_filters( 'login_message', $message );
 
 	if ( ! empty( $message ) ) {
-		echo $message . "\n";
+		echo wp_kses_post( $message ) . "\n";
 	}
 
 	// In case a plugin uses $error rather than the $wp_errors object.

Original file line number	Diff line number	Diff line change
`@@ -231,7 +231,7 @@ function login_header( $title = null, $message = '', $wp_error = null ) {`
`231`	`231`	`$message = apply_filters( 'login_message', $message );`
`232`	`232`
`233`	`233`	`if ( ! empty( $message ) ) {`
`234`		`- echo $message . "\n";`
	`234`	`+ echo wp_kses_post( $message ) . "\n";`
`235`	`235`	`}`
`236`	`236`
`237`	`237`	`// In case a plugin uses $error rather than the $wp_errors object.`