Make WordPress Core

Opened 11 years ago

Closed 9 years ago

#25422 closed defect (bug) (fixed)

Don't escape plugin author field when deleting plugin

Reported by: johnbillion's profile johnbillion Owned by: johnbillion's profile johnbillion
Milestone: 4.4 Priority: normal
Severity: normal Version:
Component: Plugins Keywords: has-patch
Focuses: administration Cc:


When deleting a plugin, the plugin author field is escaped with esc_html(), but HTML is allowed in this field so it shouldn't be escaped.

An example is when a plugin's Author field contains more than one author name, and each name is a hyperlink.

Attachments (1)

25422.diff (1.1 KB) - added by johnbillion 11 years ago.

Download all attachments as: .zip

Change History (9)

11 years ago

#1 @johnbillion
11 years ago

  • Keywords has-patch added

#2 @nacin
11 years ago

See [15521] and [15662]. The former was security hardening in 3.0.2. Possible XSS (but only if you could delete plugins, which implies you can arbitrarily execute PHP anyway). I don't remember the exact vector and am having trouble locating details, but it shouldn't be hard to figure out.

Version 0, edited 11 years ago by nacin (next)

#3 @johnbillion
11 years ago

On the Plugins screen we display the author field without escaping it (conditionally wrapped in a link to AuthorURI if it's present). This means we have disparity between the Plugins screen and the plugin deletion confirmation screen.

On both screens, the plugin data passes through KSES with a restrictive set of tags in _get_plugin_data_markup_translate().

#4 @nacin
10 years ago

  • Component changed from Administration to Plugins
  • Focuses administration added

#5 @chriscct7
9 years ago

  • Severity changed from minor to normal

#6 @DrewAPicture
9 years ago

@johnbillion Do you still want to pursue this?

#7 @johnbillion
9 years ago

  • Milestone changed from Awaiting Review to 4.4
  • Owner set to johnbillion
  • Status changed from new to assigned

#8 @johnbillion
9 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 34973:

Remove HTML escaping for the plugin name and author fields that are displayed when deleting a plugin.

While it might seem counter-intuitive to remove HTML escaping, these fields are already safe (they originate in _get_plugin_data_markup_translate() which handles sanitization and escaping), and the AuthorName field actually allows some HTML. This change prevents escaped HTML from appearing here.

Fixes #25422

Note: See TracTickets for help on using tickets.