Opened 11 years ago

Closed 11 years ago

#15662 closed defect (bug) (fixed)

Too much escaping when Deleting a plugin

Reported by: TobiasBg
Owned by:
Milestone: 3.1
Priority: normal
Severity: normal
Version: 3.1
Component: General
Keywords:
Focuses:
Cc:

Description

There's a little bit too much HTML escaping when deleting a plugin.

To reproduce, on a clean SVN of trunk, click "Delete" on the "Plugins" page, e.g. for "Hello Dolly".
Instead of a link, you will see the plain HTML for the link, here:

Hello Dolly by <a href="http://ma.tt/" title="Visit author homepage">Matt Mullenweg</a>

This seems to come from this line, where escaping was added to $plugin['Author'] (which contains HTML for the link) in [15521].

Change History (11)

#1 @scribu
11 years ago

This is indeed inconsistent, since we don't escape it when displaying it in the list table.

#2 @nacin
11 years ago

  • Milestone changed from Awaiting Review to 3.1

Two options:

  • Strip tags.
  • Add AuthorName to get_plugins(), which is Author without AuthorURI. This would be consistent with themes.

Let's do the latter.

#3 @johnpbloch
11 years ago

  • Cc johnpbloch added

#4 @duck_
11 years ago

Closed #15678 as duplicate, has a patch for strip tags instead of adding AuthorName to get_plugins.

#5 @nacin
11 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [16757]) Add AuthorName to get_plugins() and use it when deleting a plugin. fixes #15662.

#6 @TobiasBg
11 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

While this is fixed for Hello Dolly now (the link (i.e. its HTML) is now only the name), it is not for Akismet: there is no author name there at all, so it only reads

Akismet by

In all other locations, as well as in its readme.txt, the author is provided as "Automattic".

#7 @nacin
11 years ago

(In [16758]) Set AuthorName even when no translation or markup is processed. see #15662.

#8 @nacin
11 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

I keep saying get_plugins(), but I mean get_plugin_data().

#9 @TobiasBg
11 years ago

Thanks, nacin!

Just for clarity: Am I correct that plugins in a sub-folder (like Akismet) do not get their plugin data processed for markup/translation, while plugins in the main plugins folder (like Dolly) do? For the first ones, the plugin data comes from get_plugin_data( $file, $markup = false, $translate = false ) in get_plugins(), while for the latter ones, it comes from a get_plugin_data( $file, true, true ).
Due to that, the data for plugins like Akismet (in sub folder) also does not seem to run through kses.

#10 @nacin
11 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

get_plugins() gets cached, thus without markup or translations. Those are then run later on via direct calls to get_plugin_data().

You're right that that's how the code works re: directories, but I don't think that's by design. We should place a call to _get_plugin_data_markup_translate() somewhere.

#11 @nacin
11 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

Fixed and I opened #15742.
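
The escaping problem discussed in this ticket, as an added stand-alone example (not WordPress core code and not part of any comment above): it shows the markup form of the author being escaped a second time, next to a plain-text AuthorName that is escaped once at output and is set even when no markup is processed. Assumptions: `build_plugin_data()` and `confirm_line()` are hypothetical helpers, `htmlspecialchars()` stands in for WordPress's escaping helpers, and the sample headers (including the example.com URI) are constructed.

```php
<?php
// Hypothetical stand-in for the plugin data described in the ticket; not WordPress core code.
function build_plugin_data(array $header, bool $markup): array
{
    $data = $header;
    // The plain-text name is always set, including when no markup is
    // processed (the "Akismet by" case from comment #6).
    $data['AuthorName'] = $header['Author'];
    if ($markup && $header['AuthorURI'] !== '') {
        // Display form: each raw value is escaped once while the link is built.
        $data['Author'] = sprintf(
            '<a href="%s" title="Visit author homepage">%s</a>',
            htmlspecialchars($header['AuthorURI'], ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($header['Author'], ENT_QUOTES, 'UTF-8')
        );
    }
    return $data;
}

// Escapes both values once, at the point of output, as the confirmation screen does.
function confirm_line(string $name, string $author): string
{
    return htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . ' by '
        . htmlspecialchars($author, ENT_QUOTES, 'UTF-8');
}

// Constructed sample headers modelled on the two plugins named in the ticket.
$dolly = build_plugin_data(
    ['Name' => 'Hello Dolly', 'Author' => 'Matt Mullenweg', 'AuthorURI' => 'http://ma.tt/'],
    true   // markup processed
);
$akismet = build_plugin_data(
    ['Name' => 'Akismet', 'Author' => 'Automattic', 'AuthorURI' => 'http://example.com/'],
    false  // no markup processed
);

// Reported behaviour: the markup form is escaped again, so literal tags are shown.
echo confirm_line($dolly['Name'], $dolly['Author']), "\n";
// Fixed behaviour: the plain-text field is escaped exactly once.
echo confirm_line($dolly['Name'], $dolly['AuthorName']), "\n";
echo confirm_line($akismet['Name'], $akismet['AuthorName']), "\n";
// The "strip tags" option: remove the markup from the display form, then escape.
echo confirm_line($dolly['Name'], strip_tags($dolly['Author'])), "\n";
```

With an author name containing `&`, the last line would double-encode the entity, because the name inside the link was already escaped when the markup was built; the separate plain-text field avoids that.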
