WordPress · sirreal · Aug 21, 2025 · Aug 21, 2025
diff --git a/src/wp-includes/kses.php b/src/wp-includes/kses.php
@@ -1824,7 +1824,7 @@ function wp_kses_no_null( $content, $options = null ) {
  * @return string Fixed string with quoted slashes.
  */
 function wp_kses_stripslashes( $content ) {
-	return preg_replace( '%\\\\"%', '"', $content );
+	return preg_replace( '%(?<!\\\\)(\\\\\\\\)*\\\\"%', '$1"', $content );
 }
 
 /**

diff --git a/tests/phpunit/tests/kses.php b/tests/phpunit/tests/kses.php
@@ -2377,4 +2377,36 @@ public function data_allowed_attributes_in_descriptions() {
 			),
 		);
 	}
+
+	/**
+	 * @dataProvider data_kses_stripslashes
+	 *
+	 * @ticket TBD
+	 *
+	 * @param string $input    Input string.
+	 * @param array  $expected Expected result after applying `wp_kses_stripslashes()`.
+	 */
+	public function test_kses_stripslashes( $input, $expected ) {
+		$this->assertSame( $expected, wp_kses_stripslashes( $input ) );
+	}
+
+	/**
+	 * Data provider for test_specific_attributes_preserved_in_context.
+	 *
+	 * @return array
+	 */
+	public static function data_kses_stripslashes() {
+		return array(
+			'Text untouched'                      => array( 'Text is untouched', 'Text is untouched' ),
+			'Multibyte untouched'                 => array( 'áêiõü🏴󠁧󠁢󠁥󠁮󠁧󠁿', 'áêiõü🏴󠁧󠁢󠁥󠁮󠁧󠁿' ),
+			'HTML characters untouched'           => array( '<>&\'"', '<>&\'"' ),
+			'" on its own untouched'              => array( '"', '"' ),
+			'\\" to "'                            => array( '\\"', '"' ),
+			'\\\' ignored'                        => array( '\\\'', '\\\'' ),
+			'\\ ignored'                          => array( '\\', '\\' ),
+
+			'unescaped \\ before " is stripped'   => array( '\\\\\\"', '\\\\"' ),
+			'escaped \\ before " is not stripped' => array( '\\\\"', '\\\\"' ),
+		);
+	}
 }