wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as demonstrated by the javascript&colon; substring.

Reference and upstream commit:
https://github.com/WordPress/wordpress-develop/commit/b1975463dd995da19bb40d3fa0786498717e3c53
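
The failure mode described above, as an added PHP example that is not WordPress's code or the upstream patch: a scheme check that recognises only the literal colon and its numeric references treats a value carrying the &colon; entity as schemeless and passes it, while decoding HTML5 character references first exposes the scheme to the allow-list. The function names, the allow-list and the sample values are constructed for illustration.

```php
<?php
// Added illustration; not WordPress code. All names here are hypothetical.
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

// Flawed pattern: only ":" and its numeric references count as the scheme
// delimiter, so the HTML5 named entity "&colon;" goes unnoticed.
function scheme_naive(string $value): ?string
{
    $parts = preg_split('/:|&#0*58;|&#x0*3a;/i', $value, 2);
    // No delimiter seen: the value is treated as a relative URL.
    return count($parts) < 2 ? null : strtolower(trim($parts[0]));
}

// Hardened pattern: decode character references first, as an HTML5 parser
// does for attribute values, then look for the scheme.
function scheme_hardened(string $value): ?string
{
    // Terminate numeric references that lack ";" so the decoder handles them.
    $value = preg_replace('/&#(x[0-9a-f]+|[0-9]+);?/i', '&#$1;', $value);
    $value = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    if (!preg_match('/^\s*([a-z][a-z0-9+.\-]*):/i', $value, $m)) {
        return null;
    }
    return strtolower($m[1]);
}

// A value passes when it has no scheme or an allow-listed one.
function is_allowed(string $value, callable $extract): bool
{
    $scheme = $extract($value);
    return $scheme === null || in_array($scheme, ALLOWED_SCHEMES, true);
}

// Constructed attribute values.
$samples = [
    'https://example.org/',
    '/relative/path',
    'javascript&#58;void(0)',
    'javascript&colon;void(0)',
];
foreach ($samples as $s) {
    printf("%-26s naive=%-5s hardened=%s\n", $s,
        is_allowed($s, 'scheme_naive') ? 'pass' : 'block',
        is_allowed($s, 'scheme_hardened') ? 'pass' : 'block');
}
```
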
Created wordpress tracking bugs for this issue:

Affects: epel-6 [bug 1793630]
Affects: epel-7 [bug 1793631]