Make WordPress Core

Opened 3 months ago

Last modified 3 months ago

#42608 new defect (bug)

Allow basic inline HTML tags and attributes in sidebar description on "Widgets" page

Reported by: flixos90 Owned by:
Milestone: 5.0 Priority: normal
Severity: normal Version:
Component: Widgets Keywords: has-patch
Focuses: Cc:

Description (last modified by flixos90)

When registering a sidebar, it can sometimes be useful to use simple HTML in the description for it, like a link or emphasized text. For example, I wanted to add a message like the following:

__( 'In order for this sidebar to be active, you need to enable it first. You can do so <a href="...">in the Customizer</a>.', 'my-theme' ) (the link would point to the respective area in the Customizer)

However, all HTML in sidebar descriptions is currently escaped on the Widgets page in the admin, which makes this impossible (generally, anytime when using the wp_sidebar_description() function). Using basic inline tags and attributes should be allowed. Strangely enough it is supported in the Customizer already, where this content is not escaped. So it should be similar on the admin page.

Instead of simply removing the esc_html() call in wp_sidebar_description(), I think a more secure way would be to replace it with wp_kses_data() to still make sure only those valid tags and attributes pass.

Attachments (1)

42608.diff (463 bytes) - added by flixos90 3 months ago.

Download all attachments as: .zip

Change History (5)

3 months ago

#1 @flixos90
3 months ago

  • Keywords has-patch added; needs-patch removed

#2 @flixos90
3 months ago

  • Description modified (diff)

#3 @westonruter
3 months ago

  • Keywords 2nd-opinion removed
  • Milestone changed from Awaiting Review to 4.9.1

Yeah, this makes sense to me.

#4 @johnbillion
3 months ago

  • Milestone changed from 4.9.1 to 5.0
Note: See TracTickets for help on using tickets.