Opened 11 years ago
Closed 9 years ago
#25422 closed defect (bug) (fixed)
Don't escape plugin author field when deleting plugin
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | 4.4 | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Plugins | Keywords: | has-patch |
| Focuses: | administration | Cc: | |
Description
When deleting a plugin, the plugin author field is escaped with esc_html(), but HTML is allowed in this field so it shouldn't be escaped.
An example is when a plugin's Author field contains more than one author name, and each name is a hyperlink.
Attachments (1)
Change History (9)
#3 @ 11 years ago
On the Plugins screen we display the author field without escaping it (conditionally wrapped in a link to AuthorURI if it's present). This means we have disparity between the Plugins screen and the plugin deletion confirmation screen.
On both screens, the plugin data passes through KSES with a restrictive set of tags in _get_plugin_data_markup_translate().
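As an added illustration of the disparity described in this comment (example code, not WordPress code and not part of this ticket): a Python stand-in for the two screens. Here `html.escape` plays the role of esc_html(), and `AuthorFilter` plays the role of the restrictive KSES pass in _get_plugin_data_markup_translate(). The allow-list (only `<a>` with `href`/`title`, http(s) schemes only) and the sample Author value are assumptions for illustration, not WordPress's actual list or any real plugin header.

```python
"""Added example (not WordPress code): esc_html() applied on top of an
already KSES-filtered Author value shows the author links as literal
markup, and dropping that escape is only safe because the KSES pass
ran first.

html.escape stands in for esc_html(); AuthorFilter stands in for the
restrictive KSES pass in _get_plugin_data_markup_translate(). The
allow-list below is an assumption for illustration, not WordPress's list.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allow-list: only <a> with href/title, and only http(s) hrefs.
ALLOWED = {"a": {"href", "title"}}
SAFE_SCHEMES = {"http", "https"}


class AuthorFilter(HTMLParser):
    """Rebuild the fragment, keeping only allow-listed tags/attributes.

    Text content of dropped tags is kept (KSES strips tags, not text), and
    all text is re-escaped so it cannot re-open a tag."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # disallowed tag (<script>, <img>, ...) is dropped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue  # onclick=, style=, ... are dropped
            if name == "href" and urlsplit(value).scheme not in SAFE_SCHEMES:
                continue  # javascript:, data:, relative URLs are dropped
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def kses_author(raw):
    """Stand-in for the KSES pass every plugin header value goes through."""
    p = AuthorFilter()
    p.feed(raw)
    p.close()
    return "".join(p.out)


def plugins_screen(raw):
    """Plugins screen: filtered markup is output as-is, so links render."""
    return kses_author(raw)


def delete_screen_before(raw):
    """Deletion confirmation before the fix: esc_html() over the filtered
    value, so the admin sees '&lt;a href=...&gt;' as literal text."""
    return html.escape(kses_author(raw), quote=True)


def delete_screen_after(raw):
    """After the fix: identical to the Plugins screen. Safety now rests on
    the allow-list having run, not on a second round of escaping."""
    return kses_author(raw)


# Constructed sample Author header: two linked authors plus hostile markup.
AUTHOR = (
    '<a href="https://example.com/alice">Alice</a>, '
    '<a href="https://example.com/bob">Bob</a>'
    '<script>alert(1)</script>'
    '<a href="javascript:alert(1)" onclick="alert(1)">Carol</a>'
)

if __name__ == "__main__":
    print("plugins screen :", plugins_screen(AUTHOR))
    print("delete (before):", delete_screen_before(AUTHOR))
    print("delete (after) :", delete_screen_after(AUTHOR))
```

The "before" output renders the author links as visible `&lt;a href=...&gt;` text, which is the defect in the ticket; the "after" output matches the Plugins screen. The `<script>` element and the `javascript:`/`onclick` attributes never survive the filter on either screen, which is what makes removing the extra esc_html() acceptable: if the confirmation screen ever received the header value without that filter, the escape would be the only thing standing between it and markup injection.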
See [15521] and #15662. The former was security hardening in 3.0.2. Possible XSS (but only if you could delete plugins, which implies you can arbitrarily execute PHP anyway). I don't remember the exact vector and am having trouble locating details, but it shouldn't be hard to figure out.