[wp-trac] [WordPress Trac] #26330: Plugin descriptions aren't HTML-escaped on /wp-admin/plugins.php

WordPress Trac noreply at wordpress.org
Fri Nov 29 22:12:22 UTC 2013


#26330: Plugin descriptions aren't HTML-escaped on /wp-admin/plugins.php
--------------------------+------------------------------
 Reporter:  _doherty      |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Plugins       |     Version:  3.7.1
 Severity:  normal        |  Resolution:
 Keywords:                |
--------------------------+------------------------------

Comment (by dd32):

 Plugin descriptions are sanitized on output on the plugins page, but any
 unescaped tags are removed, rather than replaced with escaped tags.
 Plugins are expected to escape any HTML they wish to display themselves.

 The tags which we allow to be rendered:
 http://core.trac.wordpress.org/browser/trunk/src/wp-
 admin/includes/plugin.php#L136
 {{{
 // Sanitize fields
 $allowed_tags = $allowed_tags_in_links = array(
     'abbr'    => array( 'title' => true ),
     'acronym' => array( 'title' => true ),
     'code'    => true,
     'em'      => true,
     'strong'  => true,
 );
 $allowed_tags['a'] = array( 'href' => true, 'title' => true );
 }}}

--
Ticket URL: <http://core.trac.wordpress.org/ticket/26330#comment:2>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software


More information about the wp-trac mailing list