[wp-trac] [WordPress Trac] #62630: Site Health plugin information display html tags in plugin name
WordPress Trac <noreply at wordpress.org>
Tue Dec 3 07:53:36 UTC 2024

#62630: Site Health plugin information display html tags in plugin name
---------------------------+------------------------------
 Reporter:  ignatiusjeroe  |       Owner:  (none)
     Type:  defect (bug)   |      Status:  new
 Priority:  normal         |   Milestone:  Awaiting Review
Component:  Site Health    |     Version:  6.7.1
 Severity:  trivial        |  Resolution:
 Keywords:                 |     Focuses:  administration
---------------------------+------------------------------
Comment (by sainathpoojary):
 I agree with @yogeshbhutkar that this behavior seems to be expected, as
 labels are properly escaped for security purposes using `esc_html`.
 Additionally, I noticed that in plugins.php, the plugin name is sanitized
 using the following approach:
 {{{
 // Sanitize fields.
 $allowed_tags_in_links = array(
         'abbr'    => array( 'title' => true ),
         'acronym' => array( 'title' => true ),
         'code'    => true,
         'em'      => true,
         'strong'  => true,
 );
 /*
  * The name is marked up inside <a> tags. These tags are not allowed.
  * The author field also uses markup, but some plugins include <a> tags
  * here (omitting the Author URI).
  */
 $plugin_data['Name'] = wp_kses( $plugin_data['Name'], $allowed_tags_in_links );
 }}}
 Perhaps we could adopt a similar sanitization approach here as well to
 maintain consistency and further enhance security. Let me know your
 thoughts!
-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/62630#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
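The difference the comment above draws between `esc_html` (what Site Health does) and `wp_kses` with the plugins.php allowlist, shown side by side as an added example. This script is not code from the ticket, from the commenter, or from WordPress core; it assumes it is run from the root of a WordPress install so that `wp-load.php` provides `esc_html()` and `wp_kses()`, and the plugin name it feeds in is a constructed sample, not a real plugin header.

```php
<?php
/**
 * Added example (not from the ticket or WordPress core): compare how a plugin
 * "Name" header that carries HTML comes out of esc_html() versus wp_kses()
 * with the allowlist quoted from plugins.php in the ticket comment.
 *
 * Assumption: run from the root of a WordPress install, so that wp-load.php
 * bootstraps esc_html() and wp_kses().
 */
require_once __DIR__ . '/wp-load.php';

// Constructed sample header value: legitimate emphasis markup plus the kind
// of markup a hostile or sloppy plugin header could carry. Not a real plugin.
$raw_name = 'My <strong onclick="alert(1)">Plugin</strong> '
          . '<a href="https://example.invalid/">Site</a>'
          . '<script>alert(2)</script>';

// The allowlist plugins.php applies to the Name header (quoted in the ticket).
$allowed_tags_in_links = array(
    'abbr'    => array( 'title' => true ),
    'acronym' => array( 'title' => true ),
    'code'    => true,
    'em'      => true,
    'strong'  => true,
);

/**
 * What Site Health does today: every tag becomes visible text. Safe against
 * XSS, and exactly why the reporter sees the tags literally in the page.
 */
function site_health_style( $name ) {
    return esc_html( $name );
}

/**
 * What plugins.php does: keep only allowlisted tags and, on those tags, only
 * allowlisted attributes; drop every other tag but keep its text content.
 */
function plugins_page_style( $name, $allowed ) {
    return wp_kses( $name, $allowed );
}

echo "esc_html():\n", site_health_style( $raw_name ), "\n\n";

echo "wp_kses():\n", plugins_page_style( $raw_name, $allowed_tags_in_links ), "\n\n";

// Caveat: wp_kses() output is HTML and must be emitted as HTML. Leaving the
// existing esc_html() call in place after it turns the kept tags back into
// visible text, which is the original report all over again.
echo "wp_kses() then esc_html():\n",
     esc_html( plugins_page_style( $raw_name, $allowed_tags_in_links ) ), "\n";
```

Running it shows the trade-off the comment is pointing at: `esc_html()` leaves no element at all (every `<` becomes `&lt;`), while `wp_kses()` keeps `<strong>` but drops its `onclick`, and removes the `<a>` and `<script>` tags while keeping their inner text. Both are safe to print; only the second renders the plugin author's intended emphasis. The third output is the check to remember when porting the plugins.php approach to Site Health: the allowlisted string has to replace the `esc_html()` call, not be fed into it.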
    
    
More information about the wp-trac
mailing list