[wp-trac] [WordPress Trac] #62630: Site Health plugin information display html tags in plugin name
WordPress Trac
noreply at wordpress.org
Tue Dec 3 07:53:36 UTC 2024
#62630: Site Health plugin information display html tags in plugin name
---------------------------+------------------------------
Reporter: ignatiusjeroe | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Site Health | Version: 6.7.1
Severity: trivial | Resolution:
Keywords: | Focuses: administration
---------------------------+------------------------------
Comment (by sainathpoojary):
I agree @yogeshbhutkar that this behavior seems to be expected, as labels
are properly escaped for security purposes using `esc_html`. Additionally,
I noticed that in plugins.php, the plugin name is sanitized using the
following approach:
{{{
// Sanitize fields.
$allowed_tags_in_links = array(
	'abbr'    => array( 'title' => true ),
	'acronym' => array( 'title' => true ),
	'code'    => true,
	'em'      => true,
	'strong'  => true,
);

/*
 * The name is marked up inside <a> tags. These tags are not allowed.
 * The author field also uses markup, but some plugins include <a> tags
 * here (omitting the Author URI).
 */
$plugin_data['Name'] = wp_kses( $plugin_data['Name'], $allowed_tags_in_links );
}}}
Perhaps we could adopt a similar sanitization approach here as well to
maintain consistency and further enhance security. Let me know your
thoughts!
--
Ticket URL: <https://core.trac.wordpress.org/ticket/62630#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
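To make the difference between the two approaches discussed in the thread concrete, here is an added, stand-alone illustration (not WordPress core code and not part of the ticket) that contrasts `esc_html()`-style full escaping, which is why Site Health shows the tags literally, with a minimal allow-list filter in the spirit of `wp_kses()` using the same `$allowed_tags_in_links` list from plugins.php. The helper names `esc_html_like` and `kses_like`, the regex-based tag parser and the sample plugin name are assumptions made for the example; real `wp_kses()` additionally normalizes entities, validates attribute values and protocols, and handles malformed markup, so this toy is only a model of its allow-list behaviour.

```php
<?php
// Added example, not WordPress core: contrast esc_html()-style escaping with a
// wp_kses()-style allow-list filter on a plugin name. Helper names and the
// sample input are assumptions made for this illustration.

/** The allow-list plugins.php passes to wp_kses() for the plugin Name field. */
const ALLOWED_TAGS_IN_LINKS = [
	'abbr'    => [ 'title' => true ],
	'acronym' => [ 'title' => true ],
	'code'    => true,
	'em'      => true,
	'strong'  => true,
];

/** Escape everything, as esc_html() does: any tag is shown literally to the user. */
function esc_html_like( string $text ): string {
	return htmlspecialchars( $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
}

/**
 * Keep only allow-listed tags and, for those, only allow-listed attributes.
 * A disallowed tag is removed while the text around it is kept; attribute
 * values are escaped and re-quoted so they cannot break out of the attribute.
 */
function kses_like( string $text, array $allowed ): string {
	return preg_replace_callback(
		'#<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>#',
		function ( array $m ) use ( $allowed ): string {
			$closing = ( $m[1] === '/' );
			$tag     = strtolower( $m[2] );

			if ( ! isset( $allowed[ $tag ] ) ) {
				return ''; // Disallowed tag: drop the markup, keep surrounding text.
			}
			if ( $closing ) {
				return "</{$tag}>";
			}

			$attrs = '';
			if ( is_array( $allowed[ $tag ] ) ) {
				// Parse name="value" / name='value' pairs; anything not allow-listed is dropped.
				preg_match_all(
					'#([a-zA-Z][a-zA-Z0-9-]*)\s*=\s*("([^"]*)"|\'([^\']*)\')#',
					$m[3],
					$pairs,
					PREG_SET_ORDER
				);
				foreach ( $pairs as $p ) {
					$name = strtolower( $p[1] );
					if ( empty( $allowed[ $tag ][ $name ] ) ) {
						continue; // e.g. an onclick attribute is never allowed here.
					}
					$value  = ( $p[2][0] === '"' ) ? $p[3] : $p[4];
					$attrs .= ' ' . $name . '="' . htmlspecialchars( $value, ENT_QUOTES | ENT_HTML5, 'UTF-8' ) . '"';
				}
			}
			return "<{$tag}{$attrs}>";
		},
		$text
	);
}

// Constructed sample plugin name: one allowed tag, one allowed tag carrying a
// disallowed attribute, and one tag that is not on the allow-list at all.
$sample_name = 'Sample <strong>Plugin</strong> '
	. '<abbr title="Application Programming Interface" onclick="x()">API</abbr> '
	. '<span>Helper</span>';

echo "esc_html style: ", esc_html_like( $sample_name ), "\n";
echo "kses style:     ", kses_like( $sample_name, ALLOWED_TAGS_IN_LINKS ), "\n";
```

Run with `php example.php`. The first line is what Site Health does today: every `<` and `>` is encoded, so the browser renders the tag names as visible text, which is the symptom the ticket reports. The second line is the plugins.php behaviour the comment proposes reusing: `<strong>` survives, the `abbr` keeps only its `title` attribute, and the `<span>` wrapper disappears while its text remains. Either output is safe to print inside an HTML page; the choice between them is about consistency of presentation, not about one being unescaped.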