WordPress.org

Make WordPress Core

Opened 7 months ago

Closed 4 weeks ago

Last modified 4 weeks ago

#42608 closed defect (bug) (fixed)

Allow basic inline HTML tags and attributes in sidebar description on "Widgets" page

Reported by: flixos90 Owned by: flixos90
Milestone: 4.9.7 Priority: normal
Severity: normal Version:
Component: Widgets Keywords: has-patch fixed-major
Focuses: Cc:

Description (last modified by flixos90)

When registering a sidebar, it can sometimes be useful to use simple HTML in the description for it, like a link or emphasized text. For example, I wanted to add a message like the following:

__( 'In order for this sidebar to be active, you need to enable it first. You can do so <a href="...">in the Customizer</a>.', 'my-theme' ) (the link would point to the respective area in the Customizer)

However, all HTML in sidebar descriptions is currently escaped on the Widgets page in the admin, which makes this impossible (generally, anytime when using the wp_sidebar_description() function). Using basic inline tags and attributes should be allowed. Strangely enough it is supported in the Customizer already, where this content is not escaped. So it should be similar on the admin page.

Instead of simply removing the esc_html() call in wp_sidebar_description(), I think a more secure way would be to replace it with wp_kses_data() to still make sure only those valid tags and attributes pass.

Attachments (2)

42608.diff (463 bytes) - added by flixos90 7 months ago.
42608.2.diff (490 bytes) - added by flixos90 5 weeks ago.

Download all attachments as: .zip

Change History (15)

@flixos90
7 months ago

#1 @flixos90
7 months ago

  • Keywords has-patch added; needs-patch removed

#2 @flixos90
7 months ago

  • Description modified (diff)

#3 @westonruter
7 months ago

  • Keywords 2nd-opinion removed
  • Milestone changed from Awaiting Review to 4.9.1

Yeah, this makes sense to me.

#4 @johnbillion
7 months ago

  • Milestone changed from 4.9.1 to 5.0

#5 @philclothier
6 weeks ago

Could we also extend this to descriptions in wp_widget_description() too? https://core.trac.wordpress.org/browser/tags/4.9/src/wp-includes/widgets.php#L401

I'd like to link to a screenshot highlighting where a a particular widget section is shown on the front end.

#6 @philclothier
6 weeks ago

...wait, I misread this and the original patch already does what I need. Ignore me 😁

Any chance we can push this to a 4.9 release rather than waiting for 5.0?

@flixos90
5 weeks ago

#7 @flixos90
5 weeks ago

  • Milestone changed from 5.0 to 4.9.7

42608.2.diff uses a more appropriate wp_kses() call using sidebar_description as context which will internally ensure that tags from the global $allowedtags are allowed in this case.

@philclothier

Any chance we can push this to a 4.9 release rather than waiting for 5.0?

I agree that makes sense.

#8 @flixos90
5 weeks ago

  • Owner set to flixos90
  • Status changed from new to assigned

#9 @flixos90
5 weeks ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 43275:

Widgets: Allow basic inline tags in wp_sidebar_description().

The customizer has allowed HTML in sidebar descriptions since adding support for sidebars. This change ensures that basic HTML is also allowed for them in the widgets admin screen.

Fixes #42608.

#10 @flixos90
5 weeks ago

  • Keywords fixed-major added
  • Resolution fixed deleted
  • Status changed from closed to reopened

This needs to be backported to 4.9.7.

#11 @SergeyBiryukov
4 weeks ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 43302:

Widgets: Allow basic inline tags in wp_sidebar_description().

The customizer has allowed HTML in sidebar descriptions since adding support for sidebars. This change ensures that basic HTML is also allowed for them in the widgets admin screen.

Props flixos90.
Merges [43275] to the 4.9 branch.
Fixes #42608.

#12 @desrosj
4 weeks ago

  • Milestone changed from 4.9.7 to 4.9.8

Moving all tickets in 4.9.7 to 4.9.8.

#13 @SergeyBiryukov
4 weeks ago

  • Milestone changed from 4.9.8 to 4.9.7

Moving already backported tickets back to 4.9.7.

Note: See TracTickets for help on using tickets.