
Output without escaping for dynamic link text #65090 #11594

Open
maheshpatel27 wants to merge 1 commit into WordPress:trunk from maheshpatel27:17426-v1

@maheshpatel27

File: src/wp-login.php

  • Line: 234
  • Problem: $message output without escaping (filterable content)
  • Current Code:
    if ( ! empty( $message ) ) {
        echo $message . "\n";
    }
  • Context: $message comes from apply_filters( 'login_message', $message ) but could contain HTML or special chars
  • Fix: Context-dependent, could be:
    // If message is expected to have HTML:
    if ( ! empty( $message ) ) {
        echo wp_kses_post( $message ) . "\n";
    }
    // Or if plain text:
    if ( ! empty( $message ) ) {
        echo esc_html( $message ) . "\n";
    }

Trac ticket: https://core.trac.wordpress.org/ticket/65090#ticket
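
The trade-off between the two fixes proposed above, shown on one filtered message. This is an added example, not code from the PR or from WordPress core; it assumes a loaded WordPress environment (for example `wp eval-file`), and the callback `example_login_notice` and its sample markup are constructed for illustration.

```php
<?php
// Added example. Assumes WordPress is loaded (e.g. run via `wp eval-file`).
// example_login_notice() and its markup are constructed for illustration.

// Hypothetical plugin callback appending HTML to the login message.
function example_login_notice( $message ) {
	return $message
		. '<p class="message">Maintenance at 22:00. '
		. '<a href="https://example.org/status" onclick="track()">Status</a>'
		. '<script>alert(1)</script></p>';
}
add_filter( 'login_message', 'example_login_notice' );

// The same filter call whose result wp-login.php echoes.
$message = apply_filters( 'login_message', '' );
remove_filter( 'login_message', 'example_login_notice' );

$candidates = array(
	'echo $message (current)'  => $message,
	'wp_kses_post( $message )' => wp_kses_post( $message ),
	'esc_html( $message )'     => esc_html( $message ),
);

// Markers that show what each sink lets through as live markup.
$checks = array(
	'paragraph wrapper' => '<p class="message">',
	'link'              => '<a href="',
	'onclick attribute' => ' onclick="',
	'script element'    => '<script>',
);

foreach ( $candidates as $label => $output ) {
	echo $label, "\n";
	foreach ( $checks as $name => $needle ) {
		$state = ( false !== strpos( $output, $needle ) ) ? 'live markup' : 'removed or encoded';
		printf( "  %-18s %s\n", $name, $state );
	}
	echo '  output: ', $output, "\n\n";
}
```

With `esc_html()` any HTML returned by a `login_message` callback is displayed as literal text, so that option only fits if the message is meant to be plain text.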

@github-actions

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Core Committers: Use this line as a base for the props when committing in SVN:

Props maheshpatel.

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.
