Make WordPress Core

Opened 10 years ago

Last modified 5 years ago

#29555 new defect (bug)

Theme details allowed HTML

Reported by: afercia
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.9
Component: Themes
Keywords: dev-feedback needs-patch
Focuses:
Cc:


Theme authors can use some HTML in their theme's style.css Description (and Theme Name and Author). If I'm not wrong, sanitize_header() in the WP_Theme class sets the allowed HTML tags and attributes, and for Description they are:

'a'       => array( 'href' => true, 'title' => true ),
'abbr'    => array( 'title' => true ),
'acronym' => array( 'title' => true ),
'code'    => true,
'em'      => true,
'strong'  => true,

This works in the installed themes browser, where theme details are grabbed from the theme's style.css. But in the theme install views, where theme details come from the API, some HTML tags (for example "a") are completely stripped out (I don't know if this is intentional), while others (for example "abbr") are not unencoded before being used as HTML in the view, and they end up being displayed as plain text, even on the site (see the last two screenshots).
I've found the somewhat related #27641, but please notice that HTML is returned by the API already encoded, so even using triple braces, &gt; etc. will still be &gt;

Installed themes browser:

Themes install:

Themes site:

Change History (4)

#1 @obenland
10 years ago

  • Keywords dev-feedback added
  • Milestone changed from Awaiting Review to Future Release
  • Version changed from 4.0 to 3.9

It looks like the .org Themes API returns escaped HTML in its response.
So we could either decode it on the core side, or not escape it on the API side. Not sure what the preferred method would be here.

#2 follow-up: @dd32
10 years ago

This feels like something we should fix on the wporg side, for both display and API.

It'd still be limited to the small subset of tags though.
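
Added example, not part of the ticket or of WordPress code: a JavaScript sketch of the "decode it on the core side" option from comment 1, with the decoded markup held to the Description allowlist quoted in the ticket, as comment 2 expects. The function names, the constructed sample and the rule that only absolute http(s) links are kept are assumptions of this sketch.

```javascript
// ALLOWED mirrors the Description allowlist quoted in the ticket.
const ALLOWED = new Map([
  ['a', ['href', 'title']], ['abbr', ['title']], ['acronym', ['title']],
  ['code', []], ['em', []], ['strong', []],
]);
const ENTITIES = { '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#039;': "'", '&#39;': "'", '&amp;': '&' };
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };

// Undo exactly one level of encoding. replace() does not rescan its own output,
// so "&amp;lt;" becomes "&lt;" and never "<".
function decodeOnce(s) {
  return s.replace(/&(?:lt|gt|quot|amp|#0?39);/g, (m) => ENTITIES[m]);
}

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Decode the API value, then rebuild it: allowlisted tags are re-emitted with
// allowlisted attributes only; all other input is escaped and shown as text.
function sanitizeDescription(encoded) {
  const html = decodeOnce(encoded);
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
  let out = '', last = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeHtml(html.slice(last, m.index));
    last = tagRe.lastIndex;
    const [, close, name, attrText] = m;
    const tag = name.toLowerCase();
    if (!ALLOWED.has(tag)) continue; // tag dropped; its inner text stays as text
    if (close) { out += `</${tag}>`; continue; }
    const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
    let attrs = '', a;
    while ((a = attrRe.exec(attrText)) !== null) {
      const key = a[1].toLowerCase();
      const val = a[2] !== undefined ? a[2] : a[3];
      if (!ALLOWED.get(tag).includes(key)) continue;
      // Assumption of this sketch: only absolute http(s) links are kept.
      if (key === 'href' && !/^https?:\/\//i.test(val)) continue;
      attrs += ` ${key}="${escapeHtml(val)}"`;
    }
    out += `<${tag}${attrs}>`;
  }
  return out + escapeHtml(html.slice(last));
}

// Constructed sample: a description escaped the way the API response is described.
const SAMPLE = escapeHtml('A <strong>fast</strong> theme. ' +
  '<a href="https://example.org/" onclick="x()">Docs</a><script>alert(1)</script>');
```

Decoding without the second step would turn the escaped response back into live markup, so the allowlist pass is what makes the core-side decode safe to hand to a triple-brace template.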

#3 @chriscct7
8 years ago

  • Keywords needs-patch added

#4 in reply to: ↑ 2 @afercia
8 years ago

Replying to dd32:

This feels like something we should fix on the wporg side, for both display and API.

Just checked and this is still an issue both in the Theme installer and on the Themes directory, see Any news on the API side? :)
