Skip to content

Strip HTML tags in privacy policy link #11088

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
shail-mehta wants to merge 1 commit into
base: trunk
Choose a base branch
from
+1 −1
Open

Strip HTML tags in privacy policy link #11088

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion src/wp-includes/link-template.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4820,7 +4820,7 @@ function get_the_privacy_policy_link( $before = '', $after = '' ) {
$link = sprintf(
'<a class="privacy-policy-link" href="%s" rel="privacy-policy">%s</a>',
esc_url( $privacy_policy_url ),
esc_html( $page_title )
wp_kses_post( $page_title )
Copy link
Copy Markdown
Member

@westonruter westonruter Feb 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Technically, since get_the_title() was used, is Kses even needed? True it would be nicer for late escaping, but it would also be redundant:

Suggested change
wp_kses_post( $page_title )
$page_title

Not saying we should do this, but I wanted to point this out.

Copy link
Copy Markdown
Member

@mukeshpanchal27 mukeshpanchal27 Feb 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WP core use esc_html for get_the_title in many places https://github.com/search?q=repo%3AWordPress%2Fwordpress-develop%20esc_html(%20get_the_title&type=code Do we needs to open separate issue for this to review all those instances?

Can we update the codebase something like:

$link               = '';
$privacy_policy_url = get_privacy_policy_url();
$policy_page_id     = (int) get_option( 'wp_page_for_privacy_policy' );

if ( $privacy_policy_url && $policy_page_id ) {
	$link = sprintf(
		'<a class="privacy-policy-link" href="%s" rel="privacy-policy">%s</a>',
		esc_url( $privacy_policy_url ),
		get_the_title( $policy_page_id ) ?? ''
	);
}

Copy link
Copy Markdown
Member

@westonruter westonruter Feb 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here is a smaller set with a more tailored regex: https://github.com/search?q=repo%3AWordPress%2Fwordpress-develop+%2Fesc_html%5C%28+get_the_title%5C%28%2F&type=code

This doesn't catch cases where get_the_title() is stored in a variable and then later echoed.

I think it would sense to change the scope of the ticket to address this issue for all these cases.

Copy link
Copy Markdown

@sabernhardt sabernhardt Feb 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

get_the_title() needs to keep some escaping/cleaning.

Consider this absurdly extreme example for the title I added in Quick Edit:
<p class="privacy-policy-link"><span style="color:darkgreen">P</span><b>r</b><i>i</i><strong>v</strong><em>a</em><code>c</code><kbd>y</kbd></p><div>&nbsp;</div><h1>P</h1><h2>o</h2><h3>l</h3><h4>i</h4><h5>c</h5><h6>y</h6><span> & <a>Terms</a></span><style>.privacy-policy-link{font-size:1.2em}</style><script>console.log('privacy-policy-link');</script>

The link(s) should not allow style or script tags, the a element does not fit within a link, and I do not know of a case in which any of the block elements would be appropriate.

If someone wants the entire link text bold or italic, that would be better in CSS than adding HTML in the title wherever it appears. In the case when someone wants part of the title emphasized, such as <strong>Privacy</strong> Policy, the link filter can un-escape the desired element right now with esc_html().

function enable_strong_in_the_privacy_policy_link( $link ) {
	if ( str_contains( $link, '&lt;' ) ) {
		$link = str_replace(
			array( '&lt;strong&gt;', '&lt;/strong&gt;' ),
			array( '<strong>', '</strong>' ),
			$link
		);
	}

	return $link;
}
add_filter( 'the_privacy_policy_link', 'enable_strong_in_the_privacy_policy_link' );

Similarly, if the function switches to wp_strip_all_tags(), someone could use the filter to replace Privacy with <strong>Privacy</strong>.

If we have clear examples of appropriate tags to start allowing for any site, the function(s) could use
wp_kses( $page_title, array( 'strong' => array(), 'em' => array() ) )

);
}

Expand Down
Loading