From 849a199dae7103f620334b585ded205e41bb0d6f Mon Sep 17 00:00:00 2001
From: Devasheesh Kaul
Date: Wed, 13 Aug 2025 14:38:16 +0530
Subject: [PATCH 1/2] fix: escaping of < and > in admin comment list

---
 src/wp-includes/comment-template.php | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/wp-includes/comment-template.php b/src/wp-includes/comment-template.php
index 59f89f3a847bf..d6cb1be812068 100644
--- a/src/wp-includes/comment-template.php
+++ b/src/wp-includes/comment-template.php
@@ -1076,6 +1076,18 @@ function comment_text( $comment_id = 0, $args = array() ) {
 
 $comment_text = get_comment_text( $comment, $args );
 
+ if ( is_admin() ) {
+ // Encode < and > in a numeric comparisons,
+ // to prevent them being parsed as HTML tags.
+ $comment_text = preg_replace_callback(
+ '/(<)(\s*\d+(?:\.\d+)?[^<>]*?)(>)(\s*\d+(?:\.\d+)?)/',
+ function ( $matches ) {
+ return htmlspecialchars( $matches[1] ) . $matches[2] . htmlspecialchars( $matches[3] ) . $matches[4];
+ },
+ $comment_text
+ );
+ }
+
 /**
 * Filters the text of a comment to be displayed.
 *

From 82e1d10accd3e502045581618d66b9a151051720 Mon Sep 17 00:00:00 2001
From: Devasheesh Kaul
Date: Wed, 27 Aug 2025 13:29:48 +0530
Subject: [PATCH 2/2] fix: scope encoding for users with unfiltered_html permission

---
 src/wp-includes/comment-template.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/wp-includes/comment-template.php b/src/wp-includes/comment-template.php
index d6cb1be812068..5d0f8292fc9fb 100644
--- a/src/wp-includes/comment-template.php
+++ b/src/wp-includes/comment-template.php
@@ -1076,7 +1076,7 @@ function comment_text( $comment_id = 0, $args = array() ) {
 
 $comment_text = get_comment_text( $comment, $args );
 
- if ( is_admin() ) {
+ if ( current_user_can( 'unfiltered_html' ) ) {
 // Encode < and > in a numeric comparisons,
 // to prevent them being parsed as HTML tags.
 $comment_text = preg_replace_callback(
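Review bot: Keying the encoding on the viewer's `current_user_can( 'unfiltered_html' )` (second hunk) makes the rendered text depend on who is looking rather than on how the comment was stored, so the same comment prints differently for an administrator and for an anonymous reader, and a comparison like `1 < 2 and 3 > 2` in a comment is presumably still mangled on the front end for everyone without that capability. The hunk gives no rationale for this choice, so the block should carry a comment explaining why the check is on the viewer and not the author (or the stored content), and a unit test should pin both the encoded and the untouched branch. The callback's `htmlspecialchars()` calls on one-character literal matches can be dropped: `return '&lt;' . $matches[2] . '&gt;' . $matches[4];`. The comment text also needs a grammar fix: `// Encode < and > in numeric comparisons,`. The enclosing `comment_text()` starts before and ends after both hunks.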