Pings/Trackbacks: Escape the XML error message in trackback_response().

SergeyBiryukov · SergeyBiryukov · commit 195d67dd956c · 2026-05-24T21:45:30.000Z
Props maheshpatel, pbiron, sabernhardt, westonruter, SergeyBiryukov. Fixes #65047. git-svn-id: https://develop.svn.wordpress.org/trunk@62414 602fd350-edb4-49c9-b593-d223f7449a82
diff --git a/src/wp-trackback.php b/src/wp-trackback.php
@@ -34,7 +34,7 @@ function trackback_response( $error = 0, $error_message = '' ) {
 		echo '<?xml version="1.0" encoding="utf-8"?' . ">\n";
 		echo "<response>\n";
 		echo "<error>1</error>\n";
-		echo "<message>$error_message</message>\n";
+		echo '<message>' . esc_xml( $error_message ) . "</message>\n";
 		echo '</response>';
 		die();
 	} else {
