WordPress.org

Make WordPress Core

Opened 5 years ago

Closed 5 years ago

#27641 closed defect (bug) (fixed)

Theme Install screen displays encoded entities

Reported by: johnbillion
Owned by: nacin
Milestone: 3.9
Priority: normal
Severity: normal
Version: 3.9
Component: Themes
Keywords: 2nd-opinion has-patch
Focuses: ui
Cc:

Description

The theme description (that's displayed in the left hand panel when you view a theme's details) on the theme install screen is output in the template using {{ double curly braces }} which encodes the output instead of outputting it as HTML.

The result is that ampersands show up as &amp; instead of &. You can see this in action if you view details of "Alexandria" in the "Featured" tab.

Is it safe to use {{{ triple braces }}} instead? It should be, but could do with a second opinion as I'm not sure how much sanitising is done in the theme repo.
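
The two behaviours described above (double braces escaping an already-entity-encoded description, triple braces passing it through raw), plus the trust question the ticket leaves open, as an added example. This is not code from the ticket or from WordPress core: the renderer below is a small stand-in for the Underscore template that wp.template() compiles, using the same {{{ }}} (raw) and {{ }} (escaped) delimiter patterns, but with expressions simplified to plain property lookups on `data`; the sample descriptions are constructed, not real WordPress.org API responses.

```javascript
// Added example, not WordPress core code. Mirrors the delimiter handling of the
// Underscore template settings used by wp.template():
//   {{{ expr }}} -> interpolate raw (no escaping)
//   {{ expr }}   -> interpolate and HTML-escape
// (the <# code #> evaluate delimiter is deliberately not implemented here).
// Assumption: expressions are plain keys such as `data.description`.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Decode the common named entities plus decimal/hex numeric references.
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

function decodeEntities(str) {
  return String(str).replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      const isHex = body[1].toLowerCase() === 'x';
      const code = isHex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return Number.isNaN(code) ? match : String.fromCodePoint(code);
    }
    const named = NAMED_ENTITIES[body.toLowerCase()];
    return named === undefined ? match : named;
  });
}

// Single-pass tokenizer: the triple-brace alternative is tried first, and the
// double-brace one refuses to match when a third closing brace follows.
const TEMPLATE_TOKEN = /\{\{\{([\s\S]+?)\}\}\}|\{\{([^}]+?)\}\}(?!\})/g;

function lookup(data, expr) {
  const key = expr.trim().replace(/^data\./, '');
  return Object.prototype.hasOwnProperty.call(data, key) ? data[key] : '';
}

function renderTemplate(template, data) {
  return template.replace(TEMPLATE_TOKEN, (match, rawExpr, escExpr) =>
    rawExpr !== undefined
      ? String(lookup(data, rawExpr))          // {{{ }}}: trusted HTML, output as-is
      : escapeHtml(lookup(data, escExpr)));    // {{ }}: escaped once more
}

// Alternative to trusting the field as HTML: undo the encoding the API already
// applied, then escape exactly once. Ampersands render correctly and any markup
// in the field stays inert. Only appropriate if descriptions are meant to be
// plain text, since legitimate tags would be shown literally.
function renderDescriptionAsText(description) {
  return escapeHtml(decodeEntities(description));
}

// Constructed sample data (not real WordPress.org theme records).
const BENIGN = { description: 'Built with Sass &amp; HTML5' };
const HOSTILE = { description: '<img src=x onerror="alert(1)">' };

function demo() {
  return {
    doubleBraceBenign: renderTemplate('<p>{{ data.description }}</p>', BENIGN),
    tripleBraceBenign: renderTemplate('<p>{{{ data.description }}}</p>', BENIGN),
    doubleBraceHostile: renderTemplate('<p>{{ data.description }}</p>', HOSTILE),
    tripleBraceHostile: renderTemplate('<p>{{{ data.description }}}</p>', HOSTILE),
    textBenign: renderDescriptionAsText(BENIGN.description),
    textHostile: renderDescriptionAsText(HOSTILE.description),
  };
}

console.log(demo());
```

With the benign record, `{{ }}` yields `&amp;amp;` (the visible "&amp;" from the report) while `{{{ }}}` yields `&amp;`, which is what the patch relies on. With the hostile record, `{{{ }}}` emits the tag verbatim, so the triple-brace fix is only as safe as the upstream feed; `renderDescriptionAsText` gets the ampersand right without extending that trust.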

Attachments (1)

27641.patch (612 bytes) - added by johnbillion 5 years ago.


Change History (4)

@johnbillion
5 years ago

#1 @johnbillion
5 years ago

  • Keywords has-patch added; needs-patch removed

#2 @nacin
5 years ago

Hmm. Anything coming back from WordPress.org should be considered safe, but I do not really want to treat it as safe.

#3 @nacin
5 years ago

  • Owner set to nacin
  • Resolution set to fixed
  • Status changed from new to closed

In 27962:

Theme Installer: Don't encode description entities/HTML.

props johnbillion.
fixes #27641.
