Make WordPress Core

Opened 2 years ago

Last modified 19 months ago

#25422 new defect (bug)

Don't escape plugin author field when deleting plugin

Reported by: johnbillion
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: minor
Version:
Component: Plugins
Keywords: has-patch
Focuses: administration
Cc:


When deleting a plugin, the plugin author field is escaped with esc_html(), but HTML is allowed in this field so it shouldn't be escaped.

An example is when a plugin's Author field contains more than one author name, and each name is a hyperlink.

Attachments (1)

25422.diff (1.1 KB) - added by johnbillion 2 years ago.


Change History (5)

@johnbillion 2 years ago

comment:1 @johnbillion 2 years ago

  • Keywords has-patch added

comment:2 @nacin 2 years ago

See [15521] and #15662. The former was security hardening in 3.0.2. Possible XSS (but only if you could delete plugins, which implies you can arbitrarily execute PHP anyway). I don't remember the exact vector and am having trouble locating details, but it shouldn't be hard to figure out.

Last edited 2 years ago by johnbillion

comment:3 @johnbillion 2 years ago

On the Plugins screen we display the author field without escaping it (conditionally wrapped in a link to AuthorURI if it's present). This means we have a disparity between the Plugins screen and the plugin deletion confirmation screen.

On both screens, the plugin data passes through KSES with a restrictive set of tags in _get_plugin_data_markup_translate().
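As an added example (not code from WordPress core or from the attached patch), the stand-alone PHP script below reproduces the disparity described in comment:3: the Author field is filtered once through a restrictive tag allowlist, then the Plugins screen renders the result as-is (linked when AuthorURI is set) while the deletion confirmation screen runs it through an esc_html()-style escape a second time. The allowlist contents, the allowlist_filter() implementation and the two render_*() helpers are assumptions standing in for KSES and _get_plugin_data_markup_translate(), and the sample plugin header is constructed for the demonstration.

```php
<?php
// Added example, not WordPress code. ALLOWED_AUTHOR_TAGS is an ASSUMPTION standing
// in for the restrictive tag set handed to KSES; allowlist_filter(),
// render_plugins_screen() and render_delete_screen() are hypothetical helpers.

const ALLOWED_AUTHOR_TAGS = [
    'a'      => ['href' => true, 'title' => true],
    'abbr'   => ['title' => true],
    'code'   => [],
    'em'     => [],
    'strong' => [],
];

// Minimal allowlist HTML filter (a teaching simplification of wp_kses()):
// script/style are dropped with their contents, other unknown tags are unwrapped
// so their text survives, unknown attributes are removed, and href must be http(s).
function allowlist_filter(string $html, array $allowed): string
{
    $doc = new DOMDocument('1.0', 'UTF-8');
    libxml_use_internal_errors(true);
    $doc->loadHTML('<html><head><meta charset="utf-8"></head><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);

    // Snapshot first: mutating the tree while iterating a live node list is unsafe.
    // Document order guarantees a parent is handled before its descendants.
    $elements = iterator_to_array($body->getElementsByTagName('*'), false);
    foreach ($elements as $el) {
        $tag = strtolower($el->tagName);
        if ($tag === 'script' || $tag === 'style') {
            $el->parentNode->removeChild($el);
            continue;
        }
        if (!isset($allowed[$tag])) {
            while ($el->firstChild) {
                $el->parentNode->insertBefore($el->firstChild, $el);
            }
            $el->parentNode->removeChild($el);
            continue;
        }
        foreach (iterator_to_array($el->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            $bad  = !isset($allowed[$tag][$name])
                 || ($name === 'href' && !preg_match('#^https?://#i', trim($attr->value)));
            if ($bad) {
                $el->removeAttribute($attr->name);
            }
        }
    }

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Plugins screen behaviour as described in the ticket: the filtered author field
// is emitted without further escaping, wrapped in a link when AuthorURI is present.
function render_plugins_screen(array $plugin): string
{
    $author = $plugin['Author'];
    if (!empty($plugin['AuthorURI'])) {
        $uri    = htmlspecialchars($plugin['AuthorURI'], ENT_QUOTES, 'UTF-8');
        $author = '<a href="' . $uri . '">' . $author . '</a>';
    }
    return 'By ' . $author;
}

// Deletion confirmation screen as reported: an esc_html()-style escape (here
// htmlspecialchars) applied on top of the already-filtered field, so the allowed
// markup is displayed as literal text instead of as links.
function render_delete_screen(array $plugin): string
{
    return htmlspecialchars($plugin['Author'], ENT_QUOTES, 'UTF-8');
}

// Constructed sample plugin header: two linked author names plus hostile markup
// that the allowlist is expected to strip before either screen sees the field.
$plugin = [
    'Author'    => '<a href="https://example.com/alice" onclick="alert(1)">Alice</a>'
                 . ' and <a href="javascript:alert(1)">Bob</a><script>alert(2)</script>',
    'AuthorURI' => '',
];
$plugin['Author'] = allowlist_filter($plugin['Author'], ALLOWED_AUTHOR_TAGS);

echo "Filtered:       ", $plugin['Author'], PHP_EOL;
echo "Plugins screen: ", render_plugins_screen($plugin), PHP_EOL;
echo "Delete screen:  ", render_delete_screen($plugin), PHP_EOL;
```

Run with `php example.php`. The filter leaves only the two anchors (the onclick attribute, the javascript: href and the script element are gone); the Plugins screen line then contains working anchor tags, while the deletion screen line contains the same anchors entity-encoded, which is exactly the double escaping the ticket reports. The security-relevant point is that the single filtering pass is what protects both screens, so removing esc_html() from the deletion screen only makes sense if that pass is guaranteed to run on every path that reaches it.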

comment:4 @nacin 19 months ago

  • Component changed from Administration to Plugins
  • Focuses administration added