Make WordPress Core

Opened 11 years ago

Closed 11 years ago

#26330 closed defect (bug) (invalid)

Plugin descriptions aren't HTML-escaped on /wp-admin/plugins.php

Reported by: _doherty
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.7.1
Component: Plugins
Keywords:
Focuses: administration
Cc:

Description

The text from the header comment is just dumped into the HTML of the plugins listing. It should be escaped. Consider the following description:

This plugin embeds using the <object> tag

Change History (3)

#1 @SergeyBiryukov
11 years ago

  • Component changed from General to Plugins

#2 @dd32
11 years ago

Plugin descriptions are sanitized on output on the plugins page, but any unescaped tags are removed, rather than replaced with escaped tags.
Plugins are expected to escape any HTML they wish to display themselves.

The tags which we allow to be rendered:
http://core.trac.wordpress.org/browser/trunk/src/wp-admin/includes/plugin.php#L136

// Sanitize fields
$allowed_tags = $allowed_tags_in_links = array(
    'abbr'    => array( 'title' => true ),
    'acronym' => array( 'title' => true ),
    'code'    => true,
    'em'      => true,
    'strong'  => true,
);
$allowed_tags['a'] = array( 'href' => true, 'title' => true );
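
As an added illustration of the behaviour dd32 describes (a simplified stand-in written for this page, not WordPress's wp_kses() or any code from the ticket), the following PHP applies the same allowlist to the ticket's sample description and shows why a raw "<object>" tag disappears while an entity-escaped "&lt;object&gt;" survives as visible text:

```php
<?php
// Added example, not WordPress code: a simplified stand-in for the
// allowlist filtering wp_kses() applies to plugin descriptions.
// Tags not in the allowlist are removed outright (not escaped), while
// already-escaped text such as &lt;object&gt; passes through as text.

$allowed_tags = array(
    'abbr'    => array( 'title' => true ),
    'acronym' => array( 'title' => true ),
    'code'    => true,
    'em'      => true,
    'strong'  => true,
    'a'       => array( 'href' => true, 'title' => true ),
);

// Hypothetical helper (not the real wp_kses()): keeps allowed tags with
// their allowed attributes, drops every other tag and attribute.
function filter_description( $html, array $allowed ) {
    return preg_replace_callback(
        '#<(/?)([a-zA-Z0-9]+)([^>]*)>#',
        function ( $m ) use ( $allowed ) {
            $tag = strtolower( $m[2] );
            if ( ! isset( $allowed[ $tag ] ) ) {
                return ''; // disallowed tag: removed, not escaped
            }
            if ( '/' === $m[1] ) {
                return "</$tag>";
            }
            $attrs = '';
            $ok = is_array( $allowed[ $tag ] ) ? $allowed[ $tag ] : array();
            preg_match_all( '#([a-zA-Z-]+)\s*=\s*"([^"]*)"#', $m[3], $pairs, PREG_SET_ORDER );
            foreach ( $pairs as $p ) {
                $name = strtolower( $p[1] );
                if ( isset( $ok[ $name ] ) ) {
                    $attrs .= ' ' . $name . '="' . htmlspecialchars( $p[2], ENT_QUOTES ) . '"';
                }
            }
            return "<$tag$attrs>";
        },
        $html
    );
}

// Constructed descriptions: the ticket's example raw, then escaped, then a link.
$raw     = 'This plugin embeds using the <object> tag';
$escaped = 'This plugin embeds using the &lt;object&gt; tag';
$linked  = 'See <a href="https://example.com" onclick="track()">docs</a>';

echo filter_description( $raw, $allowed_tags ), "\n";
echo filter_description( $escaped, $allowed_tags ), "\n";
echo filter_description( $linked, $allowed_tags ), "\n";
```

The first line loses the object tag entirely (only "embeds using the  tag" remains), the second keeps the entity-encoded text intact, and the third keeps the link with its href but drops the onclick attribute that is not in the allowlist.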

#3 @SergeyBiryukov
11 years ago

  • Focuses administration added
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed