[wp-trac] [WordPress Trac] #42608: Allow basic inline HTML tags and attributes in sidebar description on "Widgets" page

WordPress Trac noreply at wordpress.org
Fri Nov 17 20:36:49 UTC 2017


#42608: Allow basic inline HTML tags and attributes in sidebar description on
"Widgets" page
-----------------------------------+------------------------------
 Reporter:  flixos90               |       Owner:
     Type:  defect (bug)           |      Status:  new
 Priority:  normal                 |   Milestone:  Awaiting Review
Component:  Widgets                |     Version:
 Severity:  normal                 |  Resolution:
 Keywords:  2nd-opinion has-patch  |     Focuses:
-----------------------------------+------------------------------
Description changed by flixos90:

Old description:

> When registering a sidebar, it can sometimes be useful to use simple HTML
> in the description for it, like a link or emphasized text. For example, I
> wanted to add a message like the following:
>
> `__( 'In order for this sidebar to be active, you need to enable it
> first. You can do so <a href="...">in the Customizer.', 'my-theme' )`
> (the link would point to the respective area in the Customizer)
>
> However, all HTML in sidebar descriptions is currently escaped on the
> Widgets page in the admin, which makes this impossible (generally,
> anytime when using the `wp_sidebar_description()` function). Using basic
> inline tags and attributes should be allowed. Strangely enough it ''is''
> supported in the Customizer already, where this content is not escaped.
> So it should be similar on the admin page.
>
> Instead of simply removing the `esc_html()` call in
> `wp_sidebar_description()`, I think a more secure way would be to replace
> it with `wp_kses_data()` to still make sure only those valid tags and
> attributes pass.

New description:

 When registering a sidebar, it can sometimes be useful to use simple HTML
 in the description for it, like a link or emphasized text. For example, I
 wanted to add a message like the following:

 `__( 'In order for this sidebar to be active, you need to enable it first.
 You can do so <a href="...">in the Customizer</a>.', 'my-theme' )` (the
 link would point to the respective area in the Customizer)

 However, all HTML in sidebar descriptions is currently escaped on the
 Widgets page in the admin, which makes this impossible (generally, anytime
 when using the `wp_sidebar_description()` function). Using basic inline
 tags and attributes should be allowed. Strangely enough it ''is''
 supported in the Customizer already, where this content is not escaped. So
 it should be similar on the admin page.

 Instead of simply removing the `esc_html()` call in
 `wp_sidebar_description()`, I think a more secure way would be to replace
 it with `wp_kses_data()` to still make sure only those valid tags and
 attributes pass.

--

--
Ticket URL: <https://core.trac.wordpress.org/ticket/42608#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
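To make the proposed change concrete, here is an added example (not code from the ticket or from WordPress core) that registers the sidebar from the description and places the current `esc_html()` behaviour beside the proposed `wp_kses_data()` behaviour. It assumes WordPress is loaded (theme `functions.php` or a plugin); the function names, sidebar id and URLs are made up for illustration.

```php
<?php
// Added example, not the ticket's or WordPress core's own code. Assumes a
// loaded WordPress so register_sidebar(), esc_html() and wp_kses_data() exist.

// Register a sidebar whose description carries one inline link, the use case
// from the ticket. Sidebar id and URL are placeholders.
add_action( 'widgets_init', function () {
    register_sidebar( array(
        'id'          => 'my-theme-optional',
        'name'        => __( 'Optional Sidebar', 'my-theme' ),
        'description' => __( 'In order for this sidebar to be active, you need to enable it first. You can do so <a href="https://example.com/wp-admin/customize.php">in the Customizer</a>.', 'my-theme' ),
    ) );
} );

// Mirrors the current body of wp_sidebar_description(): esc_html() encodes
// every "<" and "\"", so the Widgets screen shows the link as literal source.
function my_theme_sidebar_description_escaped( $id ) {
    global $wp_registered_sidebars;
    if ( ! is_scalar( $id ) || ! isset( $wp_registered_sidebars[ $id ]['description'] ) ) {
        return '';
    }
    return esc_html( $wp_registered_sidebars[ $id ]['description'] );
}

// Mirrors the proposed body: wp_kses_data() keeps only the basic inline tags
// and attributes in WordPress's default allow-list (a[href|title], em, strong,
// code, ...) and removes everything else, including disallowed tags and
// on* event-handler attributes, rather than passing the string through raw.
function my_theme_sidebar_description_filtered( $id ) {
    global $wp_registered_sidebars;
    if ( ! is_scalar( $id ) || ! isset( $wp_registered_sidebars[ $id ]['description'] ) ) {
        return '';
    }
    return wp_kses_data( $wp_registered_sidebars[ $id ]['description'] );
}

// Side-by-side check on a constructed description, e.g. from WP-CLI `wp shell`:
// the allowed href survives wp_kses_data(), the onclick attribute and the
// <div> wrapper are dropped (inner text is kept), while esc_html() encodes
// all of it to plain text.
$constructed = '<div>Enable it <a href="https://example.com/customize.php" onclick="x()">here</a></div>';
var_dump( esc_html( $constructed ) );
var_dump( wp_kses_data( $constructed ) );
```

The second `var_dump()` yields `Enable it <a href="https://example.com/customize.php">here</a>`, which is exactly the "only valid tags and attributes pass" guarantee the ticket asks for.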

