Make WordPress Core

#26330 closed defect (bug) (invalid)

Plugin descriptions aren't HTML-escaped on /wp-admin/plugins.php

Reported by: _doherty
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.7.1
Component: Plugins
Keywords:
Focuses: administration
Cc:


The text from the header comment is just dumped into the HTML of the plugins listing. It should be escaped. Consider the following description:

This plugin embeds using the <object> tag

Change History (3)

comment:1 @SergeyBiryukov 15 months ago

  • Component changed from General to Plugins

comment:2 @dd32 15 months ago

Plugin descriptions are sanitized on output on the plugins page, but any unescaped tags are removed, rather than replaced with escaped tags.
Plugins are expected to escape any HTML they wish to display themselves.

The tags which we allow to be rendered:

// Sanitize fields
$allowed_tags = $allowed_tags_in_links = array(
    'abbr'    => array( 'title' => true ),
    'acronym' => array( 'title' => true ),
    'code'    => true,
    'em'      => true,
    'strong'  => true,
);
$allowed_tags['a'] = array( 'href' => true, 'title' => true );
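
As an added illustration of the sanitisation dd32 describes (this is not WordPress core code and does not call wp_kses(); the sanitize_description() helper and the sample descriptions are constructed for this example), a standalone allowlist filter built from the same tag table shows why the reporter's <object> markup disappears instead of being escaped, and what a plugin author has to write to get a literal tag shown:

```php
<?php
// Added example, not WordPress core code: a small allowlist filter built
// from the tag table quoted above. It models what the description goes
// through on plugins.php (disallowed tags are dropped, not escaped); it is
// not wp_kses() and omits that function's protocol and entity handling.

$allowed_tags = array(
    'abbr'    => array( 'title' => true ),
    'acronym' => array( 'title' => true ),
    'code'    => true,
    'em'      => true,
    'strong'  => true,
    'a'       => array( 'href' => true, 'title' => true ),
);

/**
 * Hypothetical helper: keep allowed tags (with only their allowed
 * attributes) and remove every other tag while keeping its inner text.
 * Attribute values are assumed to be quoted, which plugin headers are.
 */
function sanitize_description( $html, array $allowed ) {
    return preg_replace_callback(
        '#<\s*(/?)\s*([a-zA-Z0-9]+)([^>]*?)\s*/?\s*>#',
        function ( $m ) use ( $allowed ) {
            $closing = ( '/' === $m[1] );
            $tag     = strtolower( $m[2] );

            if ( ! isset( $allowed[ $tag ] ) ) {
                return ''; // <object>, <script>, ... vanish; their text stays
            }
            if ( $closing ) {
                return "</$tag>";
            }

            $attrs = '';
            if ( is_array( $allowed[ $tag ] ) ) {
                // Only attributes listed for this tag survive; all others are dropped.
                preg_match_all( '#([a-zA-Z-]+)\s*=\s*("[^"]*"|\'[^\']*\')#', $m[3], $found, PREG_SET_ORDER );
                foreach ( $found as $a ) {
                    $name = strtolower( $a[1] );
                    if ( ! empty( $allowed[ $tag ][ $name ] ) ) {
                        $attrs .= " $name=" . $a[2];
                    }
                }
            }
            return "<$tag$attrs>";
        },
        $html
    );
}

// Constructed sample descriptions, as they might appear in a plugin header.
$samples = array(
    'raw tag (the ticket\'s case)' => 'This plugin embeds using the <object> tag',
    'author-escaped tag'           => 'This plugin embeds using the &lt;object&gt; tag',
    'allowed tags, stray attrs'    => 'See <strong onclick="x()">docs</strong> at <a href="https://example.com" target="_blank">example.com</a>',
);

foreach ( $samples as $label => $description ) {
    printf( "%-28s %s\n", $label . ':', sanitize_description( $description, $allowed_tags ) );
}
```

Running it with `php` prints the first description as `This plugin embeds using the  tag`: the `<object>` markup is gone and only the text on either side survives, which is what the ticket observed. The second keeps the literal `&lt;object&gt;`, so the browser displays `<object>` as text; that is the form a plugin author has to write in the header comment. The third keeps `<strong>` and `<a href="https://example.com">` but drops `onclick` and `target`. The real wp_kses() additionally restricts which URL protocols an href may use, which this model does not attempt.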

comment:3 @SergeyBiryukov 11 months ago

  • Focuses administration added
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed