
Changeset 12506


Timestamp:
03/28/2023 06:29:16 AM (19 months ago)
Author:
dd32
Message:

Plugin Directory: Author Notice: Enforce a smaller set of HTML tags.

This prevents <span>'s and various hidden styles from being saved.

See #6880.

File:
1 edited

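--- a/sites/trunk/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/metabox/class-author-notice.php
+++ b/sites/trunk/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/metabox/class-author-notice.php
@@ -12,4 +12,24 @@
     const DEFAULT_TEXT  = '<p>This is a message that will be displayed on the top of the plugins page to plugin authors, even if the plugin is closed. To edit, simply click and type.</p>';
     const POST_META_KEY = '_author_notice';
+
+    /**
+     * The HTML allowed in the author notice.
+     */
+    const ALLOWED_TAGS = [
+        'p'      => true,
+        'strong' => true,
+        'em'     => true,
+        'a'      => [
+            'href' => true,
+        ],
+        'i'      => true,
+        'b'      => true,
+        'br'     => true,
+        'code'   => true,
+        'pre'    => true,
+        'ul'     => true,
+        'ol'     => true,
+        'li'     => true,
+    ];
 
     /**
@@ -46,5 +66,5 @@
 
         <div id="author-notice-texteditable" class="inline notice notice-alt notice-<?php echo esc_attr( $notice['type'] ); ?>" contentEditable="true">
-            <?php echo wp_kses_post( $notice['html'] ); ?>
+            <?php echo wp_kses( $notice['html'], self::ALLOWED_TAGS ); ?>
         </div>
 
@@ -97,5 +117,5 @@
             $new_author_notice         = wp_unslash( $_REQUEST['author_notice'] );
             $new_author_notice['type'] = sanitize_key( $new_author_notice['type'] );
-            $new_author_notice['html'] = wp_kses_post( trim( $new_author_notice['html'] ) );
+            $new_author_notice['html'] = wp_kses( trim( $new_author_notice['html'] ), self::ALLOWED_TAGS );
 
             // Check it's not empty with tags removed.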
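Review bot: The `ALLOWED_TAGS` docblock in the first hunk does not say why the list is so narrow, which matters because both the render path (second hunk) and the save path (third hunk) now depend on it; I would extend it to `In wp_kses() allowed-HTML format. Deliberately narrow: no element accepts class/style and <a> permits only href, so editor-injected <span> wrappers and inline styles are dropped; href values are still checked against wp_allowed_protocols() by wp_kses().` Filtering again at render time rather than trusting the stored value is worth keeping, since notices saved before this change went through the broader wp_kses_post() and would otherwise be echoed with markup the new list no longer allows. The save logic continues past the hunk (the emptiness check starts on its last line), so I could not confirm whether `$new_author_notice['html']` is guaranteed to exist before `trim()` is called on it; if the request shape is not validated earlier, `trim( $new_author_notice['html'] ?? '' )` would avoid a warning on a malformed submission.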