WordPress <= 5.3 - wp_kses_bad_protocol() Colon Bypass

A JavaScript payload such as “javascript&colon;alert(1)” in a URL could cause a Cross-Site Scripting (XSS) vulnerability. According to the commit message (see references): “wp_kses_bad_protocol() makes sure to validate that uri attributes don’t contain invalid/or not allowed protocols. While this works fine in most cases, there’s a risk that by using the colon html5 named entity, one is able to bypass this function.”