Make WordPress Core

Opened 7 years ago

Closed 6 years ago

#26330 closed defect (bug) (invalid)

Plugin descriptions aren't HTML-escaped on /wp-admin/plugins.php

Reported by: _doherty Owned by:
Milestone: Priority: normal
Severity: normal Version: 3.7.1
Component: Plugins Keywords:
Focuses: administration Cc:


The text from the header comment is just dumped into the HTML of the plugins listing. It should be escaped. Consider the following description:

This plugin embeds using the <object> tag

Change History (3)

#1 @SergeyBiryukov
7 years ago

  • Component changed from General to Plugins

#2 @dd32
7 years ago

Plugin descriptions are sanitized on output on the plugins page, but any unescaped tags are removed, rather than replaced with escaped tags.
Plugins are expected to escape any HTML they wish to display themselves.

The tags which we allow to be rendered:

// Sanitize fields
$allowed_tags = $allowed_tags_in_links = array(
    'abbr'    => array( 'title' => true ),
    'acronym' => array( 'title' => true ),
    'code'    => true,
    'em'      => true,
    'strong'  => true,
);
// The general allowlist additionally permits <a> with href and title attributes
$allowed_tags['a'] = array( 'href' => true, 'title' => true );
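
A small model of the allowlist behaviour dd32 describes, added here as an illustration and not code from WordPress: it is a simplified stand-in for wp_kses built on Python's html.parser, using the tag and attribute allowlist quoted above, and it shows why the reported description loses its <object> text while an author-escaped &lt;object&gt; survives.

```python
import html
from html.parser import HTMLParser

# Allowlist copied from the snippet above: tag -> attributes it may carry
ALLOWED_TAGS = {
    "abbr": {"title"},
    "acronym": {"title"},
    "code": set(),
    "em": set(),
    "strong": set(),
    "a": {"href", "title"},
}


class KsesLikeSanitizer(HTMLParser):
    """Drops tags/attributes outside the allowlist; text and entities pass through."""

    def __init__(self):
        # convert_charrefs=False so '&lt;' reaches handle_entityref, not handle_data
        super().__init__(convert_charrefs=False)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is removed entirely, not escaped
        kept = [(k, v) for k, v in attrs if k in ALLOWED_TAGS[tag] and v is not None]
        attr_str = "".join(f' {k}="{html.escape(v, quote=True)}"' for k, v in kept)
        self.out.append(f"<{tag}{attr_str}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)  # plain text is kept as written

    def handle_entityref(self, name):
        self.out.append(f"&{name};")  # already-escaped markup stays escaped

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass  # HTML comments are dropped


def sanitize_description(text):
    """Return the description as it would reach the plugins listing."""
    parser = KsesLikeSanitizer()
    parser.feed(text)
    parser.close()
    return "".join(parser.out)
```

The unescaped header from the report comes out as "This plugin embeds using the  tag", whereas the escaped form is rendered literally, which is the behaviour the ticket was closed on.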

#3 @SergeyBiryukov
6 years ago

  • Focuses administration added
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed