[wp-trac] [WordPress Trac] #60373: plugin activation errors are accidentally hidden
WordPress Trac
noreply at wordpress.org
Mon Jan 29 15:25:08 UTC 2024
#60373: plugin activation errors are accidentally hidden
--------------------------+-----------------------------
Reporter: ttodua | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Plugins | Version:
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
In recent versions (I can't tell exactly when), it seems the admin_notice
messages have started being filtered by wp_kses_post, which caused breaking
changes and contradicts WP core itself.
To reproduce, add this to a plugin:
{{{#!php
register_activation_hook( __FILE__, function ( $network_wide ) {
    // Abort activation with a message; per the report, this text should appear in the notice's iframe.
    die( 'plugin can not activate, because XYZ' );
} );
}}}
Then try to activate it. It will show the admin notice `Plugin could not be
activated because it triggered a fatal error` and nothing more. However, it
should have shown that XYZ message inside an iframe; you can confirm that by
looking at:
https://core.trac.wordpress.org/browser/tags/6.4.2/src/wp-admin/plugins.php#L685
(If you do `var_dump($errmsg)` before that `wp_admin_notice` line, you will
see that the iframe part is also included in `$errmsg`.)
However, inside `wp_admin_notice` there is a `wp_kses_post` call which
filters out the `iframe` that was added by core itself:
https://core.trac.wordpress.org/browser/tags/6.4.2/src/wp-includes/functions.php#L8891
So that is a contradiction in WP, and should be solved either way. I
understand that stripping `iframe` might have been a security step;
however, it was done incorrectly. That wp_kses_post should allow iframe,
but the XYZ message itself (coming from the plugin's activation) should be
filtered, so that would achieve the security goal.
At this moment, that change/misbehavior (which we noticed too late) has
broken dozens of our plugins on wp.org. Please fix it.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/60373>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
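The following is an added example, written for this page; it is not code from WordPress core or from the ticket reporter. It shows the two behaviours the ticket contrasts: a core-built `<iframe>` does not survive `wp_kses_post()`, and the separation the reporter proposes (escape the plugin-supplied text first, keep the core-generated frame) expressed as a narrowly scoped `wp_kses_allowed_html` filter. It assumes a loaded WordPress install (it uses `wp_kses_post()`, `esc_html()`, `add_filter()` and `admin_url()`), for instance run with `wp eval-file`. The helper names `allow_core_error_iframe()` and `build_activation_notice()`, the plugin slug, and the message strings are constructed for the example.

```php
<?php
/**
 * Added example, not WordPress core code and not the reporter's code.
 * Assumes WordPress is loaded (e.g. `wp eval-file wp-kses-iframe-demo.php`).
 * Helper names, the plugin slug and the messages below are constructed.
 */

/**
 * Let the 'post' kses context keep an <iframe>, restricted to the attributes
 * core itself emits for the error_scrape frame. Registered only around the one
 * wp_kses_post() call below so that ordinary post content is unaffected.
 */
function allow_core_error_iframe( array $tags, $context ) {
    if ( 'post' === $context ) {
        $tags['iframe'] = array(
            'src'    => true,
            'width'  => true,
            'height' => true,
            'style'  => true,
            'title'  => true,
        );
    }
    return $tags;
}

/**
 * Build the notice in the order the reporter proposes: the untrusted,
 * plugin-supplied text is escaped first, the trusted core wrapper (the iframe)
 * is added afterwards, and only then does the whole string pass through
 * wp_kses_post() with the iframe temporarily allowed.
 */
function build_activation_notice( $plugin_message, $iframe_url ) {
    $errmsg  = esc_html__( 'Plugin could not be activated because it triggered a fatal error.' );
    $errmsg .= ' <p>' . esc_html( $plugin_message ) . '</p>';   // untrusted, escaped
    $errmsg .= sprintf(                                          // trusted wrapper
        '<iframe style="border:0" width="100%%" height="70px" src="%s" title="%s"></iframe>',
        esc_url( $iframe_url ),
        esc_attr__( 'Error scrape output' )
    );

    add_filter( 'wp_kses_allowed_html', 'allow_core_error_iframe', 10, 2 );
    $filtered = wp_kses_post( $errmsg );
    remove_filter( 'wp_kses_allowed_html', 'allow_core_error_iframe', 10 );

    return $filtered;
}

// Constructed sample: a plugin that dies during activation with text that also
// carries markup, the case the sanitisation exists for.
$plugin_message = 'plugin can not activate, because XYZ <script>alert(1)</script>';
$iframe_url     = add_query_arg(
    array( 'action' => 'error_scrape', 'plugin' => 'example/example.php' ),
    admin_url( 'plugins.php' )
);

// 1. Current behaviour described in the ticket: the iframe is stripped outright.
$stripped = wp_kses_post( '<iframe style="border:0" src="' . esc_url( $iframe_url ) . '"></iframe>' );
echo 'iframe survives plain wp_kses_post(): ' . ( false !== strpos( $stripped, '<iframe' ) ? 'yes' : 'no' ) . "\n";

// 2. Proposed behaviour: iframe kept, plugin-supplied markup rendered inert.
$notice = build_activation_notice( $plugin_message, $iframe_url );
echo 'iframe kept:            ' . ( false !== strpos( $notice, '<iframe' ) ? 'yes' : 'no' ) . "\n";
echo 'script tag neutralised: ' . ( false === strpos( $notice, '<script' ) ? 'yes' : 'no' ) . "\n";
echo $notice . "\n";
```

The filter is added and removed around the single call on purpose: `wp_kses_post()` is also what runs over post content for users without the `unfiltered_html` capability, so leaving `iframe` in the `post` allowlist globally would let any contributor embed arbitrary frames. The attribute list is deliberately limited to what the core frame needs; in particular it does not allow `srcdoc` or event-handler attributes.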