Make WordPress Core

Opened 4 weeks ago

#60373 new defect (bug)

plugin activation errors are accidentally hidden

Reported by: ttodua Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Plugins Keywords:
Focuses: Cc:

Description

In recent versions (I can't tell exactly when) it seems the admin_notice messages are being filtered by wp_kses_post, which caused breaking changes and contradicts WP core itself.

To reproduce, add this to a plugin:

register_activation_hook(__FILE__, function($x){ die('plugin can not activate, because XYZ'); } );

Then try to activate. It will show the admin notice "Plugin could not be activated because it triggered a fatal error" and nothing more. However, it should have shown that XYZ message inside an iframe; you can confirm that by looking at:
https://core.trac.wordpress.org/browser/tags/6.4.2/src/wp-admin/plugins.php#L685
(If you do var_dump($errmsg) before that wp_admin_notice line, you will see that the iframe part is also included in $errmsg.)

However, inside wp_admin_notice there is a wp_kses_post call which filters out the iframe that was added by core itself:
https://core.trac.wordpress.org/browser/tags/6.4.2/src/wp-includes/functions.php#L8891

So that is a contradiction in WP, and it should be solved either way. I understand that stripping the iframe might have been a security step; however, it was done incorrectly. That wp_kses_post should allow the iframe, but the XYZ message itself (coming from the plugin's activation) should be filtered, so that would achieve the security goal.

At this moment, that change/misbehavior (which we noticed too late) has broken dozens of our plugins on wp.org. Please fix it.
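As an added illustration of the point above (not code from the ticket or the attached patch), the following standalone script, which assumes it is run from a WordPress checkout so that wp-load.php can be required, shows why wp_kses_post drops the core-built iframe and how the two parts of the notice differ: the plugin-controlled text is what needs escaping, while the core-built iframe can be kept through an allowlist scoped to this one notice. The plugin slug and the error_scrape query arguments are illustrative.

```php
<?php
// Added example; assumes the WordPress root as the working directory.
require_once __DIR__ . '/wp-load.php';

// Untrusted input: whatever the plugin passed to die() in its activation hook
// (constructed sample, with markup to show that it must not reach the page raw).
$plugin_output = 'plugin can not activate, because XYZ <script>alert(1)</script>';

// Core-built part: fixed text plus an iframe that loads the error_scrape screen.
// Mirrors the shape of what plugins.php assembles; query args are illustrative.
$iframe_url = add_query_arg(
    array( 'action' => 'error_scrape', 'plugin' => 'example/example.php' ),
    self_admin_url( 'plugins.php' )
);
$errmsg  = 'Plugin could not be activated because it triggered a <strong>fatal error</strong>.';
$errmsg .= '<iframe style="border:0" width="100%" height="70px" src="'
         . esc_url( $iframe_url ) . '"></iframe>';

// 1. What wp_admin_notice() does today: wp_kses_post() has no iframe in its
//    allowlist, so the iframe (and with it the plugin's message) is dropped.
$filtered = wp_kses_post( $errmsg );
printf( "wp_kses_post kept iframe: %s\n", false !== strpos( $filtered, '<iframe' ) ? 'yes' : 'no' );

// 2. Keep the core iframe for this notice only: extend the 'post' allowlist
//    locally instead of via the global wp_kses_allowed_html filter, so ordinary
//    post content still cannot embed iframes.
$allowed           = wp_kses_allowed_html( 'post' );
$allowed['iframe'] = array( 'src' => true, 'style' => true, 'width' => true, 'height' => true );
$kept = wp_kses( $errmsg, $allowed );
printf( "scoped wp_kses kept iframe: %s\n", false !== strpos( $kept, '<iframe' ) ? 'yes' : 'no' );

// 3. The plugin-controlled text is the part to neutralise. Escaping it before it
//    is placed in any markup keeps the message readable but inert.
$safe_message = esc_html( $plugin_output );
printf( "escaped plugin message: %s\n", $safe_message );
```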

Attachments (1)

60373.patch (1.3 KB) - added by ttodua 4 weeks ago.
possible patch


Change History (1)

@ttodua
4 weeks ago

possible patch
