get_plugin_data() doesn't apply kses when $markup and $translate are false

[kawauso]

get_plugin_data() uses _get_plugin_data_markup_translate() to apply kses, but this isn't invoked if $markup and $translate are both false.

This behaviour is rather unexpected, since kses application isn't controlled directly by either parameter.

[kawauso]

Always use _get_plugin_data_markup_translate()

[dd32]

I see not reason for wp_kses not being run over the data.. In Core, $markup||$translate is always true, so there isn't an immediate problem in core of displaying non-kses'd data.

[nacin]

get_plugins() is $markup = $translate = false, as it then gets cached. Later, we call _get_plugin_data_markup_translate() directly.

A few points:

1. If we decide to hold off on translation until later, it is most accurate if it runs on the raw data, rather than the sanitized data.
2. I ignored point 1 in WP_Theme. Sanitized data is a sanity check. If your data is different after being sanitized (and therefore the translation won't be found), then you need to fix your data. (See [20233] for a tweak to ensure URLs with ampersands can be translated.)
3. Doing this will cause multiple kses runs to occur over the same data, as we then call _get_plugin_data_markup_translate() again in the list table. And since this is just a sanity check (plugins can do anything; this isn't a security issue), it'd be nicer to just run it once. wp_kses() is very expensive.
4. These kinds of issues were what led me to writing WP_Theme.

See also #20266 which led me here.

[chriscct7]

@nacin Do you want this closed then?