Opened 7 years ago

Last modified 2 years ago

#16418 accepted defect (bug)

get_plugin_data() doesn't apply kses when $markup and $translate are false

Reported by: kawauso
Owned by: dd32
Milestone: Future Release
Priority: normal
Severity: normal
Version: 3.0.4
Component: Plugins
Keywords: has-patch close
Focuses:
Cc:

Description

get_plugin_data() uses _get_plugin_data_markup_translate() to apply kses, but this isn't invoked if $markup and $translate are both false.

This behaviour is rather unexpected, since kses application isn't controlled directly by either parameter.
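
One way for a caller to handle the case described above, shown as an added example that is not part of the ticket, the attached patch, or WordPress core. It assumes the code runs inside WordPress with wp-admin/includes/plugin.php loaded; the function name and the tag allowlist are hypothetical choices made for this example.

```php
<?php
/**
 * Added example, not WordPress core code.
 * Returns plugin headers that are safe to echo into HTML when the caller
 * has asked get_plugin_data() for neither markup nor translation.
 * The function name is hypothetical.
 */
function example_plugin_headers_for_display( $plugin_file ) {
	// With $markup = false and $translate = false the kses step is skipped,
	// so every value here is exactly what the plugin file's header contained.
	$raw = get_plugin_data( $plugin_file, false, false );

	// Tag allowlist chosen for this example (an assumption, not core's list).
	$allowed_tags = array(
		'a'      => array( 'href' => array(), 'title' => array() ),
		'code'   => array(),
		'em'     => array(),
		'strong' => array(),
	);

	$safe = array();

	// Plain-text fields: escape for an HTML text context.
	foreach ( array( 'Name', 'Version', 'Author' ) as $key ) {
		$safe[ $key ] = isset( $raw[ $key ] ) ? esc_html( $raw[ $key ] ) : '';
	}

	// URL fields: esc_url() rejects disallowed schemes such as javascript:.
	foreach ( array( 'PluginURI', 'AuthorURI' ) as $key ) {
		$safe[ $key ] = isset( $raw[ $key ] ) ? esc_url( $raw[ $key ] ) : '';
	}

	// Description may carry limited inline markup, so filter instead of escaping.
	$safe['Description'] = isset( $raw['Description'] )
		? wp_kses( $raw['Description'], $allowed_tags )
		: '';

	return $safe;
}
```

Sanitizing once at output time, rather than on every read, keeps the raw headers available for caching and avoids repeated wp_kses() passes over the same data.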

Attachments (1)

16418.diff (674 bytes) - added by kawauso 7 years ago.
Always use _get_plugin_data_markup_translate()

Change History (7)

@kawauso
7 years ago

Always use _get_plugin_data_markup_translate()

#1 @kawauso
7 years ago

  • Keywords has-patch added

#2 @kawauso
7 years ago

  • Version changed from 3.1 to 3.0.4

#3 @dd32
7 years ago

  • Keywords 3.2-early added
  • Milestone changed from Awaiting Review to Future Release
  • Owner set to dd32
  • Status changed from new to accepted

I see no reason for wp_kses not being run over the data. In Core, $markup||$translate is always true, so there isn't an immediate problem in core of displaying non-kses'd data.

#4 @nacin
6 years ago

  • Keywords 3.2-early removed

get_plugins() is $markup = $translate = false, as it then gets cached. Later, we call _get_plugin_data_markup_translate() directly.

A few points:

  1. If we decide to hold off on translation until later, it is most accurate if it runs on the raw data, rather than the sanitized data.
  2. I ignored point 1 in WP_Theme. Sanitized data is a sanity check. If your data is different after being sanitized (and therefore the translation won't be found), then you need to fix your data. (See [20233] for a tweak to ensure URLs with ampersands can be translated.)
  3. Doing this will cause multiple kses runs to occur over the same data, as we then call _get_plugin_data_markup_translate() again in the list table. And since this is just a sanity check (plugins can do anything; this isn't a security issue), it'd be nicer to just run it once. wp_kses() is very expensive.
  4. These kinds of issues were what led me to writing WP_Theme.

See also #20266 which led me here.

#5 @chriscct7
3 years ago

@nacin Do you want this closed then?

#6 @chriscct7
2 years ago

  • Keywords close added