Make WordPress Core

Opened 6 weeks ago

Last modified 4 weeks ago

#62630 new defect (bug)

Site Health plugin information display html tags in plugin name

Reported by: ignatiusjeroe
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: trivial
Version: 6.7.1
Component: Site Health
Keywords: has-patch
Focuses: administration
Cc:

Description

HTML tag usage is permissible in plugin metadata. For some reason the Site Health -> Info tab doesn't remove HTML tags in plugin names. See attached image.

Attachments (1)

Screen Shot 2024-12-02 at 15.34.14.png (160.3 KB) - added by ignatiusjeroe 6 weeks ago.
Site Health - plugin information


Change History (6)

@ignatiusjeroe
6 weeks ago

Site Health - plugin information

#1 @yogeshbhutkar
6 weeks ago

Hello @ignatiusjeroe,

This behavior seems to be expected, as the labels are appropriately escaped for security purposes. I'll wait to hear insights from other contributors on this matter.

site-health-info.php

esc_html( $field['label'] )

#2 @sainathpoojary
6 weeks ago

Reproduction Report

Description

This report validates whether the issue can be reproduced.

Environment

  • WordPress: 6.8-alpha-59274-src
  • PHP: 8.2.26
  • Server: nginx/1.27.3
  • Database: mysqli (Server: 8.0.40 / Client: mysqlnd 8.2.26)
  • Browser: Chrome 131.0.0.0
  • OS: macOS
  • Theme: Twenty Twenty-Five 1.0
  • MU Plugins: None activated
  • Plugins: None activated

Actual Results

✅ Error condition occurs.

Supplemental Artifacts

https://utfs.io/f/PL8E4NiPUWyOYlPyHuSEjTuBUcxARf0WXLmdMPOsCkZrVbta
https://utfs.io/f/PL8E4NiPUWyOaV2vLcHJcb5UXrLqDIo97jZKdMWg8iplmysR

#3 @sainathpoojary
6 weeks ago

I agree, @yogeshbhutkar, that this behavior seems expected, as labels are properly escaped for security purposes using esc_html. Additionally, we can sanitize the text using wp_kses, but this is not the recommended approach. More details on this can be found in https://core.trac.wordpress.org/ticket/62619

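The trade-off discussed in comments #1 and #3, as an added example that is not WordPress core code and not the patch from PR #7952: escaping alone keeps the output safe but shows tags as text, while stripping tags before escaping removes them without letting any markup through. The functions label_escape(), label_strip() and render_row() are hypothetical stand-ins (for esc_html(), wp_strip_all_tags() and the Site Health row markup) so the script runs without WordPress loaded; the field data is constructed.

```php
<?php
// Added example: not WordPress core code and not the patch from PR #7952.
// Stand-ins so this runs without WordPress loaded (assumptions):
//   label_escape() approximates esc_html()
//   label_strip()  approximates wp_strip_all_tags()

function label_escape( string $text ): string {
    // Encode &, <, > and quotes; leave existing entities alone.
    return htmlspecialchars( $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false );
}

function label_strip( string $text ): string {
    // Remove script/style elements with their contents, then all other tags.
    $text = preg_replace( '@<(script|style)[^>]*?>.*?</\1>@si', '', $text );
    return trim( strip_tags( $text ) );
}

// Hypothetical row renderer; the real markup lives in site-health-info.php.
function render_row( array $field, bool $strip_first ): string {
    $label = $strip_first ? label_strip( $field['label'] ) : $field['label'];
    // Escaping is always the last step before output, stripped or not.
    return sprintf(
        '<tr><td>%s</td><td>%s</td></tr>',
        label_escape( $label ),
        label_escape( $field['value'] )
    );
}

// Constructed fields: plugin names as they could appear in a plugin header.
$fields = array(
    array( 'label' => 'My <strong>Great</strong> Plugin', 'value' => 'Version 1.2' ),
    array( 'label' => '<a href="https://example.com">Linked</a> Plugin', 'value' => 'Version 3.0' ),
    array( 'label' => 'Fish & Chips', 'value' => 'Version 0.9' ),
);

foreach ( $fields as $field ) {
    // Escape only: the browser renders the tags as literal text (the reported display).
    echo "escape only    : ", render_row( $field, false ), "\n";
    // Strip, then escape: tags are gone and the remaining text is still encoded.
    echo "strip + escape : ", render_row( $field, true ), "\n\n";
}
```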

This ticket was mentioned in PR #7952 on WordPress/wordpress-develop by @akshat2802.


6 weeks ago
#4

  • Keywords has-patch added

PR for https://core.trac.wordpress.org/ticket/62630

This PR fixes the problem of HTML tags appearing in the labels of plugins in Site Health.

#5 @ankitkumarshah
4 weeks ago

Test Report

Description

This report validates whether the indicated patch works as expected.

Patch tested: https://github.com/WordPress/wordpress-develop/pull/7952

Environment

  • WordPress: 6.8-alpha-59506
  • PHP: 8.1.29
  • Server: nginx/1.16.0
  • Database: mysqli (Server: 8.0.16 / Client: mysqlnd 8.1.29)
  • Browser: Chrome 131.0.0.0
  • OS: macOS
  • Theme: Twenty Fifteen 3.9

Actual Results

  1. ✅ Issue resolved with patch.

Additional Notes

Thank you for providing the patch. I have tested it, and it resolves the issue successfully.

Supplemental Artifacts

https://i.postimg.cc/mgQkt1p2/Before-Patch-1.png
