
Opened 3 years ago

Last modified 2 years ago

#29555 new defect (bug)

Theme details allowed HTML

Reported by: afercia
Owned by:
Milestone: Future Release
Priority: normal
Severity: normal
Version: 3.9
Component: Themes
Keywords: dev-feedback needs-patch
Focuses:
Cc:

Description

Theme authors can use some HTML in their theme's style.css Description (and Theme Name and Author). If I'm not wrong, sanitize_header() in WP_Theme class sets the allowed HTML tags and attributes and for Description they are:

'a'       => array( 'href' => true, 'title' => true ),
'abbr'    => array( 'title' => true ),
'acronym' => array( 'title' => true ),
'code'    => true,
'em'      => true,
'strong'  => true,

This works in the installed themes browser, where theme details are grabbed from the theme's style.css. But in the theme install views, where theme details come from the WordPress.org API, some HTML tags (for example "a") are completely stripped out (don't know if this is intentional) while others (for example "abbr") are not unencoded before being used as HTML in the view and they end up being displayed as plain text, even on the WordPress.org site (see the last two screenshots).
I've found the somewhat related #27641, but please notice that HTML is returned by the API already encoded, so even using triple braces &gt; etc. will still be &gt;

Installed themes browser:

http://i.imgur.com/B9TdIUa.png

Themes install:

http://i.imgur.com/JoP1yjp.png

WordPress.org themes site:

http://i.imgur.com/fyYmdeK.png
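The encoding problem the report describes, as an added example (not WordPress core's code, not the .org API's, and not the reporter's): the API value arrives already entity-encoded, so escaping it again in the view (what a double-brace template tag does) turns the entities themselves into visible text, and inserting it unescaped (triple braces) still shows the tags as text because the browser only decodes them once. Decoding exactly once, then filtering against the same allow-list of tags the ticket quotes for Description, and only then rendering unescaped, produces the intended markup while still dropping anything outside the list. escapeHtml, decodeEntities and ksesLite are simplified stand-ins for the template escaping and for wp_kses() (they are not the real functions), and the sample description string is constructed for the example.

```javascript
// Added example: why an already-encoded theme description renders as literal
// text, and how "decode once, allow-list, render unescaped" fixes it.
// The allow-list mirrors the tags the ticket lists for Description.

const ALLOWED = {
  a: ['href', 'title'],
  abbr: ['title'],
  acronym: ['title'],
  code: [],
  em: [],
  strong: [],
};

// Escape text for safe insertion into HTML (what the escaping template tag does).
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Decode the named entities the sample uses, exactly once (a single pass, so
// "&amp;lt;" becomes "&lt;", not "<"). A full implementation would use a
// complete entity table; this is enough for the constructed input below.
function decodeEntities(s) {
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (m, name) => ({
    amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'",
  }[name]));
}

// Simplified allow-list filter standing in for wp_kses(): keeps only the tags in
// ALLOWED with their permitted (double-quoted) attributes, drops every other tag
// but keeps its text, and escapes all text nodes and attribute values.
function ksesLite(html) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^<>]*)>/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeHtml(html.slice(last, m.index)); // text before this tag
    last = tagRe.lastIndex;
    const [, close, rawTag, rawAttrs] = m;
    const tag = rawTag.toLowerCase();
    if (!Object.prototype.hasOwnProperty.call(ALLOWED, tag)) {
      continue; // disallowed tag: drop the tag itself, its text survives as text
    }
    if (close) {
      out += `</${tag}>`;
      continue;
    }
    const kept = [];
    const attrRe = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/g;
    let a;
    while ((a = attrRe.exec(rawAttrs)) !== null) {
      const name = a[1].toLowerCase();
      const value = a[2];
      // Only listed attributes; href additionally has to be an http(s) URL.
      if (!ALLOWED[tag].includes(name)) continue;
      if (name === 'href' && !/^https?:\/\//i.test(value)) continue;
      kept.push(` ${name}="${escapeHtml(value)}"`);
    }
    out += `<${tag}${kept.join('')}>`;
  }
  out += escapeHtml(html.slice(last)); // trailing text
  return out;
}

// Constructed sample of what the ticket describes: the API already returns the
// description with its HTML entity-encoded.
const API_DESCRIPTION =
  'An &lt;abbr title=&quot;Search Engine Optimization&quot;&gt;SEO&lt;/abbr&gt; ' +
  'ready theme &amp; more. See &lt;a href=&quot;https://example.com/&quot; ' +
  'title=&quot;Demo&quot;&gt;demo&lt;/a&gt;.';

// What escaping the value again does: the entities get escaped a second time, so
// the page displays "&lt;abbr ...&gt;" as literal characters.
function renderNaive(apiValue) {
  return escapeHtml(apiValue);
}

// Decode once at the boundary, filter against the allow-list, then render the
// result without further escaping.
function renderDecodedAndFiltered(apiValue) {
  return ksesLite(decodeEntities(apiValue));
}

console.log(renderNaive(API_DESCRIPTION));
console.log(renderDecodedAndFiltered(API_DESCRIPTION));
```

Whether the decode step belongs in core or the API stops pre-encoding (the two options raised in the ticket) does not change the shape of the pipeline: the value must be decoded exactly once and filtered before it is rendered unescaped, never escaped a second time.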

Change History (4)

#1 @obenland
3 years ago

  • Keywords dev-feedback added
  • Milestone changed from Awaiting Review to Future Release
  • Version changed from 4.0 to 3.9

It looks like the .org Themes API returns escaped HTML in its response.
So we could either decode it on the core side, or not escape it on the API side. Not sure what the preferred method would be here.

#2 follow-up: @dd32
3 years ago

This feels like something we should fix on the wporg side, for both display and API.

It'd still be limited to the small subset of tags though.

#3 @chriscct7
2 years ago

  • Keywords needs-patch added

#4 in reply to: ↑ 2 @afercia
2 years ago

Replying to dd32:

This feels like something we should fix on the wporg side, for both display and API.

Just checked and this is still an issue both in the Theme installer and on the wp.org Themes directory (see https://wordpress.org/themes/ravel/ ). Any news on the wp.org API side? :)
