WordPress.org

Making WordPress.org

Opened 3 years ago

Closed 2 months ago

Last modified 2 months ago

#2846 closed defect (reported-upstream)

Shortcodes in Plugin Description aren't handled in the 'View Details' popup

Reported by: garrett-eclipse Owned by:
Milestone: Priority: normal
Component: Plugin Directory Keywords:
Cc:

Description

Hello,

Just wanted to flag that the shortcodes which are present within Plugin Description work on the Plugin Directory but not in the 'View Details' popup in the Plugin listing on an install, screen;
http://i.imgur.com/qcuYoLe.png

Cheers

Change History (7)

#1 @Otto42
3 years ago

  • Component changed from General to Plugin Directory
  • Milestone set to Plugin Directory v3 - Future

#2 @tellyworth
3 years ago

  • Keywords 2nd-opinion added

What security implications would this have (ie rendering shortcodes within the API)?

Is this a regression from the old API?

#3 @dd32
3 years ago

I believe the limited whitelisted shortcodes did work in the previous API.
Core has a wp_kses() over the API output which may strip/block/prevent the embeds though.

#4 @dd32
2 months ago

3 years later, this is a Core bug.

The WordPress.org plugins api does send the embeds, but core wp_kses strips them out.

If you have Jetpack Active, it appears that you see a [vimeo] shortcode instead.

The first plugin I found which uses a Vimeo embed is Updraft plus, you'll see the iframe code in the https://api.wordpress.org/plugins/info/1.1/?action=plugin_information&request[slug=updraftplus API response] but not within WordPress's plugin info page.

The core wp_kses in question strips the embed down from this

<div class="embed-vimeo" style="text-align: center;">
<iframe src="https://player.vimeo.com/video/154870690" width="640" height="360" frameborder="0" webkitallowfullscreen mozallowfullscreen allowfullscreen></iframe>
</div>

to <div class="embed-vimeo"></div>

#5 @dd32
2 months ago

  • Keywords 2nd-opinion removed
  • Milestone Plugin Directory v3 - Future deleted
  • Resolution set to reported-upstream
  • Status changed from new to closed

Reported upstream as #core49731

#6 @dd32
2 months ago

Vimeo Example: https://wordpress.org/plugins/updraftplus/
Youtube Example: https://wordpress.org/plugins/wp-smushit/

I can't find anything using VideoPress embeds, so I'm going to remove that support instead.

#7 @dd32
2 months ago

In 9647:

Plugin Directory: Drop [videopress embed support, no plugins are currently using it.

See #2846

Note: See TracTickets for help on using tickets.