Opened 11 years ago
Closed 11 years ago
#26330 closed defect (bug) (invalid)
Plugin descriptions aren't HTML-escaped on /wp-admin/plugins.php
| Reported by: | _doherty | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 3.7.1 |
| Component: | Plugins | Keywords: | |
| Focuses: | administration | Cc: | |
Description
The text from the header comment is just dumped into the HTML of the plugins listing. It should be escaped. Consider the following description:
This plugin embeds using the <object> tag
Change History (3)
Plugin descriptions are sanitized on output on the plugins page, but any unescaped tags are removed, rather than replaced with escaped tags.
Plugins are expected to escape any HTML they wish to display themselves.
The tags which we allow to be rendered:
http://core.trac.wordpress.org/browser/trunk/src/wp-admin/includes/plugin.php#L136
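To make the distinction in the comment above concrete (tags outside the allow-list are removed, not escaped, and plugins are expected to escape their own markup), here is an added stand-alone illustration. It is not WordPress core code: `wp_kses()` is stood in for by PHP's built-in `strip_tags()`, which reproduces the one behaviour at issue (unlisted tags are deleted) but does not filter attributes, so it is not a safe substitute in real code. The allow-list is an assumption reproduced from memory of the linked `plugin.php` (a, abbr, acronym, code, em, strong) and may differ from the actual file; the header values are constructed for the comparison.

```php
<?php
// Added example, not WordPress core code. strip_tags() stands in for wp_kses():
// both drop tags that are not on the allow-list rather than escaping them.
// Caveat: strip_tags() leaves attributes on allowed tags untouched, so it is
// only a demonstration of the strip-vs-escape point, never a kses replacement.
// Requires PHP 7.4+ for the array form of the second argument.

// Assumption: the allow-list linked from the comment, reproduced from memory.
// Only tag names matter to strip_tags(); kses additionally restricts attributes.
const PLUGIN_ALLOWED_TAGS = ['a', 'abbr', 'acronym', 'code', 'em', 'strong'];

/** Mimics the plugins-page output path: delete every tag not on the allow-list. */
function sanitize_like_plugins_page(string $text): string
{
    return strip_tags($text, PLUGIN_ALLOWED_TAGS);
}

/** What the reporter asked for instead: turn markup into visible text. */
function escape_for_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed plugin header values for the comparison.
$cases = [
    // The ticket's case: raw angle brackets, tag silently dropped on output.
    'unescaped'      => 'This plugin embeds using the <object> tag',
    // What the comment says authors are expected to ship: entities pass through.
    'author-escaped' => 'This plugin embeds using the &lt;object&gt; tag',
    // Allowed markup survives; an unlisted tag next to it does not.
    'allowed-markup' => 'Use the <code>object</code> tag, <strong>not</strong> <embed>',
];

foreach ($cases as $label => $description) {
    printf("%-15s raw:       %s\n", $label, $description);
    printf("%-15s sanitized: %s\n", '', sanitize_like_plugins_page($description));
    printf("%-15s escaped:   %s\n\n", '', escape_for_html($description));
}
```

Run with `php plugin_desc_demo.php`. The first case reproduces the report: the sanitized line reads "embeds using the  tag" with the word gone, while the escaped line shows `&lt;object&gt;` as intended. The second case shows why the two approaches cannot simply be stacked: an author who already escaped the tag gets `&amp;lt;object&amp;gt;` if the page escapes again, which is the convention the comment describes (plugins escape, core strips what is not allowed).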