Make WordPress Core

Opened 7 months ago

Last modified 3 months ago

#25422 new defect (bug)

Don't escape plugin author field when deleting plugin

Reported by: johnbillion
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: minor
Version:
Component: Plugins
Keywords: has-patch
Focuses: administration
Cc:

Description

When deleting a plugin, the plugin author field is escaped with esc_html(), but HTML is allowed in this field so it shouldn't be escaped.

An example is when a plugin's Author field contains more than one author name, and each name is a hyperlink.

Attachments (1)

25422.diff (1.1 KB) - added by johnbillion 7 months ago.

Change History (5)

comment:1 johnbillion 7 months ago

  • Keywords has-patch added

comment:2 nacin 7 months ago

See [15521] and #15662. The former was security hardening in 3.0.2. Possible XSS (but only if you could delete plugins, which implies you can arbitrarily execute PHP anyway). I don't remember the exact vector and am having trouble locating details, but it shouldn't be hard to figure out.

Last edited 7 months ago by johnbillion

comment:3 johnbillion 7 months ago

On the Plugins screen we display the author field without escaping it (conditionally wrapped in a link to AuthorURI if it's present). This means we have disparity between the Plugins screen and the plugin deletion confirmation screen.

On both screens, the plugin data passes through KSES with a restrictive set of tags in _get_plugin_data_markup_translate().
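The disparity the ticket description and comment:3 describe, as an added example that is not part of this ticket or of WordPress core: the Author header value is first passed through KSES with a restrictive allowlist (which is what makes it safe to print on the Plugins screen), and the deletion confirmation screen then escapes that already-sanitised value again with esc_html(), turning the surviving links into visible tag text. The script assumes a loaded WordPress install (for instance run via `wp eval-file`), uses the real wp_kses() and esc_html() functions, and the `$author_allowed_tags` list is a constructed stand-in for the restrictive set used in _get_plugin_data_markup_translate(), not copied from it.

```php
<?php
/**
 * Added example, not from the ticket or WordPress core.
 *
 * Shows why escaping the plugin Author field with esc_html() after it has
 * already been run through KSES produces broken output, and what the KSES
 * allowlist (not the later escaping) is actually doing for safety.
 *
 * Assumes WordPress is loaded, e.g.:  wp eval-file author-field-example.php
 * wp_kses() and esc_html() are real WordPress functions.
 */

// Constructed stand-in for the restrictive allowlist the ticket refers to:
// inline formatting and plain links only, no event-handler or style attributes.
$author_allowed_tags = array(
    'a'      => array( 'href' => array(), 'title' => array() ),
    'abbr'   => array( 'title' => array() ),
    'code'   => array(),
    'em'     => array(),
    'strong' => array(),
);

// Constructed sample header value: two authors, each a hyperlink (the case
// from the ticket description), plus one attribute and one tag that are not
// on the allowlist so the effect of KSES is visible in the output.
$raw_author = '<a href="https://example.com/alice">Alice</a>, '
            . '<a href="https://example.com/bob" onclick="x()">Bob</a>'
            . '<script>x()</script>';

/**
 * Mirror the two code paths from the ticket.
 *
 * @param string $raw          Author header value as read from the plugin file.
 * @param array  $allowed_tags KSES allowlist.
 * @return array{plugins_screen: string, delete_screen: string}
 */
function render_author_field( $raw, array $allowed_tags ) {
    // Both screens: KSES removes tags not on the allowlist (keeping their
    // text content) and drops attributes not listed for an allowed tag.
    $sanitised = wp_kses( $raw, $allowed_tags );

    return array(
        // Plugins screen: printed as-is after KSES, links render as links.
        'plugins_screen' => $sanitised,
        // Deletion confirmation screen: escaped a second time, so every
        // surviving '<' becomes '&lt;' and the links show up as literal text.
        'delete_screen'  => esc_html( $sanitised ),
    );
}

$rendered = render_author_field( $raw_author, $author_allowed_tags );

echo "Plugins screen (wp_kses only):\n", $rendered['plugins_screen'], "\n\n";
echo "Delete screen (wp_kses + esc_html):\n", $rendered['delete_screen'], "\n";
```

Running it shows that KSES alone keeps both `<a href="...">` links, strips the `onclick` attribute and the `<script>` markup, and that the extra esc_html() pass is what converts the remaining links into entity-encoded text on the deletion screen; the protective control on both screens is the allowlist applied before output, which the patch leaves in place.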

comment:4 nacin 3 months ago

  • Component changed from Administration to Plugins
  • Focuses administration added