
REST API: Allow inline rich text in Notes content #11843

Open
adamsilverstein wants to merge 1 commit into WordPress:trunk from adamsilverstein:notes-rich-text-backport

Conversation

@adamsilverstein
Member

Summary

Backports the server-side piece of Gutenberg PR WordPress/gutenberg#78242, which adds a minimal rich-text input to Notes (bold/italic/link/code) in the editor. Without a matching server-side filter, the default `pre_comment_content` sanitization (`wp_filter_kses`) strips those tags for users without `unfiltered_html`.

This change installs a narrower, note-specific kses allowlist on `pre_comment_content` for the duration of any REST request that targets a note, leaving non-note comments on their existing filter chain. Outbound links get a forced `rel="noopener nofollow"` normalized via the HTML API.

What changed

  • `src/wp-includes/comment.php`
    • `wp_get_note_allowed_html()` — returns the small allowlist (`strong`, `em`, `a`, `code`) and is itself filterable via `wp_note_allowed_html` for plugins that need to extend it.
    • `_wp_note_content_pre_filter()` — runs `wp_kses` with that allowlist and rewrites `<a>` `rel` to `noopener nofollow` using `WP_HTML_Tag_Processor`.
    • `_wp_maybe_install_note_kses()` / `_wp_uninstall_note_kses()` — swap the standard comment kses filters in and out only when a REST POST/PUT/PATCH to `/wp/v2/comments` targets a note (create or update).
  • `src/wp-includes/default-filters.php` — wires the install hook on `rest_pre_dispatch`.
  • `tests/phpunit/tests/rest-api/rest-comments-controller.php` — adds six tests covering: allowed inline formatting preserved, links keep `noopener nofollow` (client-supplied `rel` is overridden), disallowed tags and event handlers are stripped, and the allowlist does not leak to non-note comments.

Why HTML API (not regex)

The Gutenberg compat version used a regex to rewrite `<a rel="...">`. The core version uses `WP_HTML_Tag_Processor` per the project guidance to favor WordPress APIs over native PHP APIs, and to handle quoting/attribute edge cases correctly.

Testing

  • `php -l` clean on all modified files.
  • PHPCS clean on `src/wp-includes/comment.php` and `src/wp-includes/default-filters.php` (no new warnings/errors).
  • Local PHPUnit run skipped — the local docker MySQL volume mismatches the current image version; the new tests mirror logic already passing in the Gutenberg PR's CI and will be exercised by core CI here.

Manual

  1. Apply the Gutenberg PR locally.
  2. POST to `/wp/v2/comments` with `type=note` and content like `X <a href="https://wordpress.org/\">link<script>alert(1)</script>`.
  3. Confirm the stored `comment_content`:
    • Keeps ``/``.
    • Drops `<script>`.
    • Has `rel="noopener nofollow"` on the link.
  4. POST a regular comment (no `type=note`) and confirm the filter is not applied (`noopener` absent).

Trac

Needs a Trac ticket — the test annotations use `@ticket XXXXX` as a placeholder. Will swap in the real number once filed.

Related

Notes (block-comment type) ship a lightweight rich-text input from
Gutenberg supporting bold, italic, links, and inline code. Regular
`pre_comment_content` sanitization (`wp_filter_kses`) would strip
those tags for users without the `unfiltered_html` capability.

Install a narrower, note-specific kses allowlist on
`pre_comment_content` for the duration of any REST request that
targets a note, leaving non-note comments on their existing filter
chain. Force `rel="noopener nofollow"` on outbound links via the
HTML API to prevent SEO manipulation and window.opener attacks.

Backports the server-side piece of Gutenberg PR
WordPress/gutenberg#78242.

Props adamsilverstein, mamaduka, jasmussen.
See #XXXXX.
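The filter swap the description outlines, written out as an added example (my code, not the PR's; the `example_` names, the global and the route regex are assumptions):

```php
// Added example, not the PR's code: note-specific kses on pre_comment_content,
// swapped in only for REST writes that target a note. Names are placeholders.
function example_note_allowed_html() {
    // Mirrors the PR's allowlist (strong, em, code, a); 'a' may carry href and rel.
    return array(
        'strong' => array(), 'em' => array(), 'code' => array(),
        'a'      => array( 'href' => true, 'rel' => true ),
    );
}

function example_note_content_pre_filter( $content ) {
    // wp_kses drops every tag/attribute outside the allowlist (<script>, on* handlers).
    $content = wp_kses( $content, example_note_allowed_html() );
    // Force rel on each surviving <a>; a client-supplied rel is overwritten.
    $processor = new WP_HTML_Tag_Processor( $content );
    while ( $processor->next_tag( 'a' ) ) {
        $processor->set_attribute( 'rel', 'noopener nofollow' );
    }
    return $processor->get_updated_html();
}

function example_maybe_install_note_kses( $result, $server, $request ) {
    // URL params are not bound yet at rest_pre_dispatch, so read the id from the route.
    $is_write = in_array( $request->get_method(), array( 'POST', 'PUT', 'PATCH' ), true );
    if ( ! $is_write || ! preg_match( '#^/wp/v2/comments(?:/(\d+))?$#', $request->get_route(), $m ) ) {
        return $result;
    }
    // Create: type comes from the body. Update: use the existing comment's type.
    $comment = isset( $m[1] ) ? get_comment( (int) $m[1] ) : null;
    $type    = $comment ? $comment->comment_type : $request->get_param( 'type' );
    if ( 'note' !== $type ) {
        return $result;
    }
    // Remember whether default comment kses was active (it is not for unfiltered_html users).
    $GLOBALS['example_note_kses_restore'] = remove_filter( 'pre_comment_content', 'wp_filter_kses' );
    add_filter( 'pre_comment_content', 'example_note_content_pre_filter' );
    add_filter( 'rest_request_after_callbacks', 'example_uninstall_note_kses' );
    return $result;
}
add_filter( 'rest_pre_dispatch', 'example_maybe_install_note_kses', 10, 3 );

function example_uninstall_note_kses( $response ) {
    // Restore the default chain so non-note comments in later requests are unaffected.
    remove_filter( 'pre_comment_content', 'example_note_content_pre_filter' );
    if ( ! empty( $GLOBALS['example_note_kses_restore'] ) ) {
        add_filter( 'pre_comment_content', 'wp_filter_kses' );
    }
    remove_filter( 'rest_request_after_callbacks', 'example_uninstall_note_kses' );
    return $response;
}
```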
@github-actions

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Core Committers: Use this line as a base for the props when committing in SVN:

Props adamsilverstein.

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

@github-actions

Trac Ticket Missing

This pull request is missing a link to a Trac ticket. For a contribution to be considered, there must be a corresponding ticket in Trac.

To attach a pull request to a Trac ticket, please include the ticket's full URL in your pull request description. More information about contributing to WordPress on GitHub can be found in the Core Handbook.

@github-actions

Test using WordPress Playground

The changes in this pull request can be previewed and tested using a WordPress Playground instance.

WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser.

Some things to be aware of

  • All changes will be lost when closing a tab with a Playground instance.
  • All changes will be lost when refreshing the page.
  • A fresh instance is created each time the link below is clicked.
  • Every time this pull request is updated, a new ZIP file containing all changes is created. If changes are not reflected in the Playground instance, it's possible that the most recent build failed, or has not completed. Check the list of workflow runs to be sure.

For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation.

Test this pull request with WordPress Playground.

adamsilverstein added a commit to WordPress/gutenberg that referenced this pull request May 15, 2026
Replace the preg_replace_callback rewrite of <a rel="..."> with
WP_HTML_Tag_Processor. The HTML API handles attribute quoting and
edge cases (multiple/duplicated rels, attribute-name boundaries)
without the regex risk, and matches the core backport in
WordPress/wordpress-develop#11843.

@apermo apermo left a comment


Lgtm
