#2846 closed defect (bug) (reported-upstream)
Shortcodes in Plugin Description aren't handled in the 'View Details' popup
Reported by: |
|
Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Component: | Plugin Directory | Keywords: | |
Cc: |
Description
Hello,
Just wanted to flag that the shortcodes which are present within Plugin Description work on the Plugin Directory but not in the 'View Details' popup in the Plugin listing on an install, screen;
http://i.imgur.com/qcuYoLe.png
Cheers
Change History (7)
#1
@
8 years ago
- Component changed from General to Plugin Directory
- Milestone set to Plugin Directory v3 - Future
#3
@
7 years ago
I believe the limited whitelisted shortcodes did work in the previous API.
Core has a wp_kses()
over the API output which may strip/block/prevent the embeds though.
#4
@
5 years ago
3 years later, this is a Core bug.
The WordPress.org plugins api does send the embeds, but core wp_kses
strips them out.
If you have Jetpack Active, it appears that you see a [vimeo]
shortcode instead.
The first plugin I found which uses a Vimeo embed is Updraft plus, you'll see the iframe code in the https://api.wordpress.org/plugins/info/1.1/?action=plugin_information&request[slug=updraftplus API response] but not within WordPress's plugin info page.
The core wp_kses in question strips the embed down from this
<div class="embed-vimeo" style="text-align: center;"> <iframe src="https://player.vimeo.com/video/154870690" width="640" height="360" frameborder="0" webkitallowfullscreen mozallowfullscreen allowfullscreen></iframe> </div>
to <div class="embed-vimeo"></div>
#5
@
5 years ago
- Keywords 2nd-opinion removed
- Milestone Plugin Directory v3 - Future deleted
- Resolution set to reported-upstream
- Status changed from new to closed
Reported upstream as #core49731
#6
@
5 years ago
Vimeo Example: https://wordpress.org/plugins/updraftplus/
Youtube Example: https://wordpress.org/plugins/wp-smushit/
I can't find anything using VideoPress embeds, so I'm going to remove that support instead.
What security implications would this have (ie rendering shortcodes within the API)?
Is this a regression from the old API?