Make WordPress Core

Opened 5 years ago

Last modified 23 months ago

#47210 new enhancement

Allow html on site health titles and description

Reported by: juliobox's profile juliobox Owned by:
Milestone: Awaiting Review Priority: normal
Severity: minor Version: 5.2
Component: Site Health Keywords: needs-patch dev-feedback site-health 2nd-opinion
Focuses: Cc:


Hello there,

In /wp-admin/site-health-info.php#L115 we have this:

<?php echo esc_html( $details['label'] ); ?>

So we don't allow HTML content ? why!?
I propose the usage of wp_kses_* to allow clean html content.

Also line#141 we have this:

printf( '<p>%s</p>', $details['description'] );

We clearly allow any html, so I propose to sanitize using wp_kses_* too, we don't want embed/iframe/script here right?

Thank you for your feedback.

Change History (8)

#1 @audrasjb
5 years ago

  • Keywords site-health added

Related: #46878

#2 @SergeyBiryukov
5 years ago

  • Component changed from Security to Administration

#3 @azaozz
5 years ago

  • Keywords 2nd-opinion added

Couple of things:

  • KSES is not intended (not a good way) to sanitize things on displaying. It is a heavy/slow filtering of HTML tags and attributes best suited for saving to the DB.
  • What are the "user cases" for allowing HTML in item titles and collected data? I.e. how would that improve the user experience? :)

As far as I see it may be helpful to add a link to the "explanations" of some of the results, however keep in mind these will have to be translated and the link would (ideally) point to a "get more info" web page in the same language.

Seems displaying only "basic" info there and leaving it to the user to decide if they want to know more, and providing them with enough to "get them started" is a pretty good UX/workflow. There is a lot of (new/unfamiliar) info on that screen, we don't want to overwhelm them right from the start :)

Also, no HTML tags should be in the info that is for copying.

#4 @juliobox
5 years ago

Hey @azaozz !
Thanks for your interest and point of view :bow:, to answer to "how would that improve the user experience? :)"
Well, as a user I would rather prefer to have a quick view of all this stuff without having to (1) click on each to get more info, and (2) click on a link get … more info!
I agree to stay basic, however, too basic means I'll force the user to open the scan to really know what is the real issue.
For my case, nothing will be translated since all is already done, I'm just placing my security scan in this page, with is design to receive this kind of info.
Some examples of what I actually have:
And what I would like to have:
Also a screenshot when open:
I explain what is this scan, then explain more deeply + 1 link to the plugin page related to this scan + 1 link to my external documentation on that scan.

edit: quick test with switching infos:
Is this what you think is the best ux practice?

voilà !

Last edited 5 years ago by juliobox (previous) (diff)

#5 @palmiak
5 years ago

I fully understand @juliobox point of view. Using some html tags can improve the readability of the titles and his screenshots has shown it.

I see three ways to go:

  • we leave as it is
  • we remove the esc_html just as it's made in with $details['description']
  • we remove the esc_html and use strip_tags with a list of tags we can use (everything but not style or script tags. Also we can use it for $details['description'] to keep it the same as the title.

I would go with the third version - it's adds some sanitation, but also gives a chance to use extra tags.

#6 @desrosj
5 years ago

  • Component changed from Administration to Site Health

Moving Site Health tickets into their lovely new home, the Site Health component.

#7 @Clorith
23 months ago

I'm not sure if allowing markup in the title section is a good solution here, I'm not seeing any good explanation of what problem it solves, if anything it enables overly complex titles that (in my opinion) defeat the purpose of an overview screen.

A title should be short, concise and entice the user to look further for more details (again, my opinion).

#8 @audrasjb
23 months ago

While I agree that titles should be short and concise, I can see a couple edge cases where allowing some HTML tags would prove to be useful:

  • Using <code> tags could be useful for function names and other technical stuff.
  • Potential language changes could use a <span lang="en"> tag for better accessibility.

However, I'm frankly not sure such edge cases are the main reason why people want to use html markup in Site Health titles, and I honestly feel a bit concerned about plugin authors using any type of html markup and styles here :)

Note: See TracTickets for help on using tickets.