Opened 10 years ago
Last modified 5 years ago
#29555 new defect (bug)
Theme details allowed HTML
| Reported by: | afercia | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 3.9 |
| Component: | Themes | Keywords: | dev-feedback needs-patch |
| Focuses: | | Cc: | |
Description
Theme authors can use some HTML in their theme's style.css Description (and Theme Name and Author). If I'm not wrong, sanitize_header() in WP_Theme class sets the allowed HTML tags and attributes and for Description they are:
```php
'a'       => array( 'href' => true, 'title' => true ),
'abbr'    => array( 'title' => true ),
'acronym' => array( 'title' => true ),
'code'    => true,
'em'      => true,
'strong'  => true,
```
This works in the installed themes browser, where theme details are grabbed from the theme's style.css. But in the theme install views, where theme details come from the WordPress.org API, some HTML tags (for example "a") are completely stripped out (don't know if this is intentional) while others (for example "abbr") are not unencoded before being used as HTML in the view, and they end up being displayed as plain text, even on the WordPress.org site (see the last two screenshots).
I've found the somewhat related #27641, but please notice HTML is returned by the API already encoded, so even using triple braces `>` etc. will still be `>`.
Screenshots (images not reproduced here): Installed themes browser; Themes install; WordPress.org themes site.
Change History (4)
#1 (10 years ago)
- Keywords dev-feedback added
- Milestone changed from Awaiting Review to Future Release
- Version changed from 4.0 to 3.9
#2 (10 years ago), follow-up: #4
This feels like something we should fix on the wporg side, for both display and API.
It'd still be limited to the small subset of tags though.
#4 (9 years ago), in reply to: #2
Replying to dd32:
This feels like something we should fix on the wporg side, for both display and API.
Just checked and this is still an issue both in the Theme installer and on the wp.org Themes directory, see https://wordpress.org/themes/ravel/. Any news on the wp.org API side? :)
It looks like the .org Themes API returns escaped HTML in its response.
So we could either decode it on the core side, or not escape it on the API side. Not sure what the preferred method would be here.
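To make the ordering question raised in the description and in comment #4 concrete, here is an added Python example (not WordPress or wp.org code) that sanitizes a Description header against the allowlist quoted in the ticket and compares the three ways of handling the API's pre-encoded HTML. The parser is a simplified stand-in for sanitize_header()/wp_kses, the href scheme check is an extra assumption, and the sample API string is constructed.

```python
import html
from html.parser import HTMLParser

# Tags/attributes the ticket lists as allowed for the theme Description header.
ALLOWED = {"a": {"href", "title"}, "abbr": {"title"}, "acronym": {"title"},
           "code": set(), "em": set(), "strong": set()}
SAFE_SCHEMES = ("http:", "https:")  # assumption: only keep http(s) links

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # drop the tag itself; its text content still arrives via handle_data
        kept = [(k, v) for k, v in attrs if k in ALLOWED[tag] and v is not None]
        if tag == "a":
            kept = [(k, v) for k, v in kept if k != "href" or v.lower().startswith(SAFE_SCHEMES)]
        attr_str = "".join(f' {k}="{html.escape(v)}"' for k, v in kept)
        self.out.append(f"<{tag}{attr_str}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))  # any stray markup becomes text

def sanitize(fragment):
    """Simplified stand-in for sanitize_header()/wp_kses with the Description allowlist."""
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)

# Constructed sample of what the ticket describes: the API returns already-encoded HTML.
API_DESC = ("&lt;abbr title=&quot;Cascading Style Sheets&quot;&gt;CSS&lt;/abbr&gt; theme "
            "&lt;script&gt;alert(1)&lt;/script&gt;")

def render_as_is(api_value):
    """Current behaviour in the ticket: the entities survive and show up as literal text."""
    return sanitize(api_value)

def render_decode_first(api_value):
    """Core-side fix that keeps the allowlist effective: decode once, then sanitize."""
    return sanitize(html.unescape(api_value))

def render_decode_after(api_value):
    """Wrong order: decoding after sanitizing re-creates every tag, allowed or not."""
    return html.unescape(sanitize(api_value))
```

Whichever side ends up fixing it, the decode has to happen before the allowlist is applied, never after.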