WordPress / plugin-check

A repository for the new Plugin Check plugin from the WordPress Performance and Plugins Team.
https://wordpress.org/plugins/plugin-check/
GNU General Public License v2.0

Allow HTML tags in error/warning messages #355

Open ernilambar opened 6 months ago

ernilambar commented 6 months ago

Followup from https://github.com/WordPress/plugin-check/issues/312

Currently we don't allow HTML tags in messages.

Opinions:

Using late escaping principles, it would make sense to me that if HTML is being stored in messages that each output target would be responsible for its own escaping, so we could use wp_kses to define the subset of HTML that is supported in the admin, while CLI strips all tags.

Originally posted by @joemcgill in https://github.com/WordPress/plugin-check/issues/312#issuecomment-1864730259

I like the idea of using wp_kses() instead of esc_html():

  • For regular UI output, support a few basic inline tags (e.g. a[href], strong, em, code, ...)
  • For CLI, support none, effectively the same as stripping tags (i.e. we probably would just use wp_strip_all_tags())

Originally posted by @felixarntz in https://github.com/WordPress/plugin-check/issues/312#issuecomment-1864803007

We need to finalize the Acceptance Criteria, including the list of tags that should be allowed.
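
The per-target late escaping discussed in this issue, as an added example that is not code from the Plugin Check repository. The `example_*` function names are hypothetical, the tag list is only the set mentioned in the thread (the final list is undecided), and the code assumes it runs with WordPress loaded.

```php
<?php
// Hypothetical helpers, not part of Plugin Check. Requires WordPress to be loaded.

/**
 * Inline tags permitted in admin output. Taken from the examples named in the
 * thread (a[href], strong, em, code); an assumption, not a finalized list.
 */
function example_allowed_message_html() {
	return array(
		'a'      => array( 'href' => true ), // Only href survives; other attributes are dropped.
		'strong' => array(),
		'em'     => array(),
		'code'   => array(),
	);
}

/** Admin target: store raw, escape at output, keep only allowlisted markup. */
function example_message_for_admin( $message ) {
	// The third argument restricts URL schemes accepted in href.
	return wp_kses( $message, example_allowed_message_html(), array( 'http', 'https' ) );
}

/** CLI target: no markup at all. */
function example_message_for_cli( $message ) {
	// Also removes the contents of <script> and <style> elements.
	return wp_strip_all_tags( $message );
}

// Constructed sample message: allowed tags plus a disallowed attribute and tag.
$message = 'Use <code>esc_html()</code> here. See <a href="https://example.org/docs" '
	. 'onclick="track()">the docs</a>. <script>track()</script>';

echo example_message_for_admin( $message ), "\n";
echo example_message_for_cli( $message ), "\n";
```

Because the message is stored unescaped, any new output target (for example a JSON or log formatter) needs its own escaping step before it renders the string.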