Opened 4 weeks ago

Last modified 3 weeks ago

#42608 new defect (bug)

Allow basic inline HTML tags and attributes in sidebar description on "Widgets" page

Reported by: flixos90
Owned by:
Milestone: 5.0
Priority: normal
Severity: normal
Version:
Component: Widgets
Keywords: has-patch
Focuses:
Cc:

Description (last modified by flixos90)

When registering a sidebar, it can sometimes be useful to use simple HTML in the description for it, like a link or emphasized text. For example, I wanted to add a message like the following:

__( 'In order for this sidebar to be active, you need to enable it first. You can do so <a href="...">in the Customizer</a>.', 'my-theme' ) (the link would point to the respective area in the Customizer)

However, all HTML in sidebar descriptions is currently escaped on the Widgets page in the admin, which makes this impossible (generally, any time the wp_sidebar_description() function is used). Using basic inline tags and attributes should be allowed. Strangely enough, it is supported in the Customizer already, where this content is not escaped. So it should be similar on the admin page.

Instead of simply removing the esc_html() call in wp_sidebar_description(), I think a more secure way would be to replace it with wp_kses_data() to still make sure only those valid tags and attributes pass.
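An added illustration of the three options discussed above (escape everything, drop the escaping, or filter through wp_kses_data()); this is not the attached 42608.diff and not WordPress core code. It assumes a WordPress runtime so that __(), esc_html(), wp_kses_data() and $wp_registered_sidebars exist; the description string and the sidebar id are constructed.

```php
<?php
// Constructed sidebar description: the legitimate inline link from the ticket,
// plus two fragments that a sanitizer must remove (a script element and an
// event-handler attribute) so the difference between the options is visible.
$description = __( 'In order for this sidebar to be active, you need to enable it first. '
    . 'You can do so <a href="https://example.com/wp-admin/customize.php">in the Customizer</a>.', 'my-theme' )
    . ' <script>alert(1)</script><a href="#" onclick="alert(1)">x</a>';

// Option 1, current behaviour of wp_sidebar_description(): everything is
// entity-encoded, so the admin sees literal "&lt;a href=...&gt;" text and the
// link never renders. Safe, but defeats the purpose of the description markup.
$escaped = esc_html( $description );

// Option 2, the naive fix of removing esc_html(): the <script> element and the
// onclick attribute reach the Widgets page untouched. Not acceptable.
$raw = $description;

// Option 3, the ticket's proposal: wp_kses_data() applies the default inline
// allowlist (a[href|title], abbr, acronym, b, blockquote, cite, code, del, em,
// i, q, strike, strong). The <script> tag is stripped (its text "alert(1)"
// survives as harmless plain text), onclick is dropped from the second link,
// and the Customizer link is kept as-is. Called outside any filter, as here,
// current_filter() is empty and wp_kses_data() falls back to that default list.
$filtered = wp_kses_data( $description );

/**
 * Hypothetical replacement for wp_sidebar_description() following the proposal:
 * same lookup as core, but the description passes through wp_kses_data()
 * instead of esc_html(). Not the patch attached to this ticket.
 *
 * @param string|int $id Sidebar id as passed to register_sidebar().
 * @return string Filtered description, or '' when the sidebar has none.
 */
function my_sidebar_description( $id ) {
    global $wp_registered_sidebars;

    if ( ! is_scalar( $id ) || ! isset( $wp_registered_sidebars[ $id ]['description'] ) ) {
        return '';
    }

    return wp_kses_data( $wp_registered_sidebars[ $id ]['description'] );
}

// Constructed registration so the helper above has something to look up.
register_sidebar( array(
    'id'          => 'my-theme-footer',
    'name'        => __( 'Footer', 'my-theme' ),
    'description' => $description,
) );
echo my_sidebar_description( 'my-theme-footer' );
```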

Attachments (1)

42608.diff (463 bytes) - added by flixos90 4 weeks ago.


Change History (5)

@flixos90
4 weeks ago

#1 @flixos90
4 weeks ago

  • Keywords has-patch added; needs-patch removed

#2 @flixos90
4 weeks ago

  • Description modified (diff)

#3 @westonruter
4 weeks ago

  • Keywords 2nd-opinion removed
  • Milestone changed from Awaiting Review to 4.9.1

Yeah, this makes sense to me.

#4 @johnbillion
3 weeks ago

  • Milestone changed from 4.9.1 to 5.0