[wp-trac] [WordPress Trac] #29555: Theme details allowed HTML
WordPress Trac
noreply at wordpress.org
Sat Sep 6 11:50:18 UTC 2014
#29555: Theme details allowed HTML
--------------------------+-----------------------------
Reporter: afercia | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Themes | Version: 4.0
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
Theme authors can use some HTML in their theme's style.css Description
(and Theme Name and Author). If I'm not wrong, sanitize_header() in
the WP_Theme class sets the allowed HTML tags and attributes, and for
Description they are:
{{{
'a' => array( 'href' => true, 'title' => true ),
'abbr' => array( 'title' => true ),
'acronym' => array( 'title' => true ),
'code' => true,
'em' => true,
'strong' => true,
}}}
This works in the installed themes browser, where theme details are
grabbed from the theme's style.css. But in the theme install views, where
theme details come from the WordPress.org API, some HTML tags (for example
"a") are completely stripped out (don't know if this is intentional) while
others (for example "abbr") are not unencoded before being used as HTML in
the view and they end up being displayed as plain text, even in the
WordPress.org site (see the last two screenshots).
I've found the somewhat related #27641, but please notice HTML is returned
by the API already encoded, so even using triple braces `&gt;` etc. will
still be `&gt;`.
Installed themes browser:
[[Image(http://i.imgur.com/B9TdIUa.png)]]
Themes install:
[[Image(http://i.imgur.com/JoP1yjp.png)]]
WordPress.org themes site:
[[Image(http://i.imgur.com/fyYmdeK.png)]]
--
Ticket URL: <https://core.trac.wordpress.org/ticket/29555>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
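
The encoding problem reported above, as an added example (not WordPress code and not part of the original message): JavaScript that decodes the already-encoded API description once and re-applies the ticket's Description allowlist before the string is used as HTML, instead of emitting it unescaped. The function names, the http(s)-only rule for `href` and the sample string are assumptions.

```javascript
// Added example: names below are hypothetical, not WordPress functions.
// Allowlist copied from the ticket's Description rules.
const ALLOWED = new Map([
  ['a', ['href', 'title']], ['abbr', ['title']], ['acronym', ['title']],
  ['code', []], ['em', []], ['strong', []],
]);

const ENT = { lt: '<', gt: '>', quot: '"', amp: '&', '#039': "'", '#39': "'" };
const REV = { '<': '&lt;', '>': '&gt;', '"': '&quot;', '&': '&amp;', "'": '&#039;' };

// Undo exactly one level of encoding (single pass, so "&amp;lt;" -> "&lt;").
const decodeOnce = (s) => s.replace(/&(lt|gt|quot|amp|#0?39);/g, (_, e) => ENT[e]);
const esc = (s) => s.replace(/[<>"&']/g, (c) => REV[c]);
// Text and attribute values: normalise entities, then escape for output.
const text = (s) => esc(decodeOnce(s));

const TAG = /<(\/?)([a-z][a-z0-9]*)((?:\s+[a-z-]+\s*=\s*"[^"<>]*")*)\s*>/gi;
const ATTR = /([a-z-]+)\s*=\s*"([^"<>]*)"/gi;

function sanitizeDescription(encoded) {
  const html = decodeOnce(encoded);          // what the theme author wrote
  let out = '', last = 0;
  for (const m of html.matchAll(TAG)) {
    const [raw, slash, name, attrs] = m;
    const tag = name.toLowerCase();
    out += text(html.slice(last, m.index));
    last = m.index + raw.length;
    if (!ALLOWED.has(tag)) { out += text(raw); continue; }  // shown as text
    if (slash) { out += `</${tag}>`; continue; }
    let kept = '';
    for (const [, k, v] of attrs.matchAll(ATTR)) {
      const key = k.toLowerCase(), val = decodeOnce(v);
      if (!ALLOWED.get(tag).includes(key)) continue;         // e.g. onclick
      // Assumption: links limited to http(s); the ticket lists no schemes.
      if (key === 'href' && !/^https?:\/\//i.test(val)) continue;
      kept += ` ${key}="${esc(val)}"`;
    }
    out += `<${tag}${kept}>`;
  }
  return out + text(html.slice(last));
}

// Constructed sample in the encoded form the ticket says the API returns.
const sample = 'Clean &lt;abbr title=&quot;Cascading Style Sheets&quot; ' +
  'onclick=&quot;x()&quot;&gt;CSS&lt;/abbr&gt; &lt;u&gt;theme&lt;/u&gt;';
console.log(sanitizeDescription(sample));
```

Markup the tag pattern does not recognise (unquoted or single-quoted attributes, unclosed tags) is escaped and rendered as text rather than passed through.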