Opened 5 months ago

Closed 4 weeks ago

#26330 closed defect (bug) (invalid)

Plugin descriptions aren't HTML-escaped on /wp-admin/plugins.php

Reported by: _doherty
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.7.1
Component: Plugins
Keywords:
Focuses: administration
Cc:

Description

The text from the header comment is just dumped into the HTML of the plugins listing. It should be escaped. Consider the following description:

This plugin embeds using the <object> tag

Change History (3)

comment:1 SergeyBiryukov 5 months ago

  • Component changed from General to Plugins

comment:2 dd32 5 months ago

Plugin descriptions are sanitized on output on the plugins page, but any unescaped tags are removed, rather than replaced with escaped tags.
Plugins are expected to escape any HTML they wish to display themselves.

The tags which we allow to be rendered:
http://core.trac.wordpress.org/browser/trunk/src/wp-admin/includes/plugin.php#L136

// Sanitize fields
$allowed_tags = $allowed_tags_in_links = array(
    'abbr'    => array( 'title' => true ),
    'acronym' => array( 'title' => true ),
    'code'    => true,
    'em'      => true,
    'strong'  => true,
);
$allowed_tags['a'] = array( 'href' => true, 'title' => true );
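
The behaviour described in the comment above, shown as an added example that is not WordPress core code and not part of the ticket. Core runs the Description field through wp_kses() with the allow-list quoted above; the stand-in below, `filter_description()`, is a hypothetical minimal allow-list filter written for this illustration. It reproduces only the two points the reply makes: a tag that is not on the list is dropped rather than escaped, and an allowed tag keeps only its allow-listed attributes. It does not reproduce the rest of wp_kses (malformed markup, href protocol checks, and so on). The three input strings are constructed for the demonstration.

```php
<?php
// Added example (not WordPress core code). Minimal allow-list filter that
// mimics what the plugins screen does to the header "Description" field.
// Core uses wp_kses(); this stand-in covers only well-formed tags and
// double-quoted attributes, which is enough to show the stripping behaviour.

// Same allow-list as the core snippet quoted in the ticket: `true` means the
// tag is allowed with no attributes; an array lists the permitted attributes.
$allowed_tags = array(
    'abbr'    => array( 'title' => true ),
    'acronym' => array( 'title' => true ),
    'code'    => true,
    'em'      => true,
    'strong'  => true,
    'a'       => array( 'href' => true, 'title' => true ),
);

// Hypothetical helper (not a WordPress function): remove tags that are not on
// the allow-list and drop attributes that are not allowed for a kept tag.
function filter_description( $text, array $allowed ) {
    return preg_replace_callback(
        '#</?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>#',
        function ( $m ) use ( $allowed ) {
            $tag = strtolower( $m[1] );
            if ( ! isset( $allowed[ $tag ] ) ) {
                // Disallowed tag: removed entirely, not turned into &lt;...&gt;.
                return '';
            }
            if ( $m[0][1] === '/' ) {
                return "</{$tag}>";
            }
            // Allowed tag: keep only allow-listed attributes, entity-encoding values.
            $kept = '';
            if ( is_array( $allowed[ $tag ] ) ) {
                preg_match_all( '#([a-zA-Z-]+)\s*=\s*"([^"]*)"#', $m[2], $attrs, PREG_SET_ORDER );
                foreach ( $attrs as $a ) {
                    $name = strtolower( $a[1] );
                    if ( isset( $allowed[ $tag ][ $name ] ) ) {
                        $kept .= ' ' . $name . '="' . htmlspecialchars( $a[2], ENT_QUOTES ) . '"';
                    }
                }
            }
            return "<{$tag}{$kept}>";
        },
        $text
    );
}

// Constructed inputs: the ticket's example as written, the same text with the
// angle brackets pre-escaped by the plugin author (what the reply asks for),
// and a description that uses allowed tags plus a disallowed attribute.
$cases = array(
    'raw'     => 'This plugin embeds using the <object> tag',
    'escaped' => 'This plugin embeds using the &lt;object&gt; tag',
    'allowed' => 'Shortcode: <code>[embed]</code> <a href="https://example.com" onclick="x()">docs</a>',
);

foreach ( $cases as $label => $description ) {
    printf( "%-8s %s\n", $label, filter_description( $description, $allowed_tags ) );
}
```

Running this prints the "raw" case with the word "<object>" gone ("This plugin embeds using the  tag"), the "escaped" case unchanged because `&lt;object&gt;` contains no tag for the filter to act on, and the "allowed" case with `<code>` and `<a href="...">` preserved but `onclick` dropped. For a plugin author that is the practical takeaway of the ticket: literal angle brackets intended for display belong in the header as `&lt;` and `&gt;`, because the plugins screen removes unknown tags rather than escaping them.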

comment:3 SergeyBiryukov 4 weeks ago

  • Focuses administration added
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed