Make WordPress Core

Opened 2 years ago

Closed 7 weeks ago

#25422 closed defect (bug) (fixed)

Don't escape plugin author field when deleting plugin

Reported by: johnbillion
Owned by: johnbillion
Milestone: 4.4
Priority: normal
Severity: normal
Version:
Component: Plugins
Keywords: has-patch
Focuses: administration
Cc:


When deleting a plugin, the plugin author field is escaped with esc_html(), but HTML is allowed in this field so it shouldn't be escaped.

An example is when a plugin's Author field contains more than one author name, and each name is a hyperlink.

Attachments (1)

25422.diff (1.1 KB) - added by johnbillion 2 years ago.


Change History (9)

#1 @johnbillion
2 years ago

  • Keywords has-patch added

#2 @nacin
2 years ago

See [15521] and #15662. The former was security hardening in 3.0.2. Possible XSS (but only if you could delete plugins, which implies you can arbitrarily execute PHP anyway). I don't remember the exact vector and am having trouble locating details, but it shouldn't be hard to figure out.

Last edited 2 years ago by johnbillion

#3 @johnbillion
2 years ago

On the Plugins screen we display the author field without escaping it (conditionally wrapped in a link to AuthorURI if it's present). This means we have a disparity between the Plugins screen and the plugin deletion confirmation screen.

On both screens, the plugin data passes through KSES with a restrictive set of tags in _get_plugin_data_markup_translate().

#4 @nacin
22 months ago

  • Component changed from Administration to Plugins
  • Focuses administration added

#5 @chriscct7
8 weeks ago

  • Severity changed from minor to normal

#6 @DrewAPicture
8 weeks ago

@johnbillion Do you still want to pursue this?

#7 @johnbillion
7 weeks ago

  • Milestone changed from Awaiting Review to 4.4
  • Owner set to johnbillion
  • Status changed from new to assigned

#8 @johnbillion
7 weeks ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 34973:

Remove HTML escaping for the plugin name and author fields that are displayed when deleting a plugin.

While it might seem counter-intuitive to remove HTML escaping, these fields are already safe (they originate in _get_plugin_data_markup_translate() which handles sanitization and escaping), and the AuthorName field actually allows some HTML. This change prevents escaped HTML from appearing here.

Fixes #25422
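
The behaviour described in comment 3 and in the [34973] commit message (sanitize the header once in _get_plugin_data_markup_translate() with a restrictive KSES tag set, then output the field without re-escaping it) is modelled below as an added Python example. It is not WordPress code: the whitelist, the URL scheme check, the AuthorURI handling and the sample Author headers are assumptions for illustration. It shows why escaping an already-sanitized field with esc_html() makes the author links appear as literal markup on the delete confirmation screen, and that the whitelist, not the second round of escaping, is what stops a hostile Author header.

```python
"""Model of sanitize-once / output-as-is for WordPress plugin headers (added example, not WP code)."""
import html
from html.parser import HTMLParser

# Assumed restrictive whitelist in the spirit of the KSES set used for plugin headers
# (the real set lives in _get_plugin_data_markup_translate(); this is an illustration).
ALLOWED = {
    "a": {"href", "title"},
    "abbr": {"title"},
    "acronym": {"title"},
    "code": set(),
    "em": set(),
    "strong": set(),
}
SAFE_SCHEMES = ("http://", "https://", "mailto:")  # assumed href scheme allow-list


class _Kses(HTMLParser):
    """Tiny KSES-style sanitizer: keep whitelisted tags/attributes, drop the rest, escape text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # tag is dropped; any text inside it is still emitted via handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue  # e.g. onclick="..." is not on the list and is discarded
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # e.g. javascript: URLs are discarded
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text nodes are escaped so stray '<' or '&' cannot form new markup.
        self.out.append(html.escape(data, quote=False))


def kses(text):
    parser = _Kses()
    parser.feed(text)
    parser.close()
    return "".join(parser.out)


def get_plugin_data_markup(headers):
    """Model of _get_plugin_data_markup_translate(): every header is sanitized once at read time."""
    return {key: kses(value) for key, value in headers.items()}


def plugins_screen_author(data):
    """Plugins screen: sanitized author output as-is, wrapped in a link if AuthorURI is present."""
    author = data["Author"]
    uri = data.get("AuthorURI", "")
    if uri and uri.strip().lower().startswith(SAFE_SCHEMES):  # stand-in for WP's own URL handling
        return f'<a href="{html.escape(uri, quote=True)}">{author}</a>'
    return author


def delete_screen_author_before(data):
    """Before [34973]: esc_html() on an already-sanitized field; the <a> tags become literal text."""
    return html.escape(data["Author"], quote=False)


def delete_screen_author_after(data):
    """After [34973]: the sanitized field is output as-is, matching the Plugins screen."""
    return data["Author"]


# Constructed sample headers (not from any real plugin).
BENIGN_AUTHOR = '<a href="https://example.com/a">Alice</a>, <a href="https://example.com/b">Bob</a>'
MALICIOUS_AUTHOR = (
    '<a href="javascript:alert(1)" onclick="alert(1)">Mallory &amp; Co</a>'
    "<script>alert(1)</script>"
)

if __name__ == "__main__":
    good = get_plugin_data_markup({"Author": BENIGN_AUTHOR, "AuthorURI": "https://example.com/team"})
    print("plugins screen :", plugins_screen_author(good))
    print("delete, before :", delete_screen_author_before(good))
    print("delete, after  :", delete_screen_author_after(good))
    bad = get_plugin_data_markup({"Author": MALICIOUS_AUTHOR})
    print("hostile header :", delete_screen_author_after(bad))
```

Run stand-alone, the "delete, before" line shows `&lt;a href="https://example.com/a"&gt;Alice&lt;/a&gt;, ...` rendered as visible text, while "delete, after" matches the Plugins screen. The hostile header comes out as `<a>Mallory &amp; Co</a>alert(1)`: the javascript: href, the onclick attribute and the script element are gone after the single sanitization pass, which is why the commit message can call these fields already safe.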
