diff --git a/wp-admin/includes/plugin.php b/wp-admin/includes/plugin.php
index eee63479a7..9e86160eb6 100644
--- a/wp-admin/includes/plugin.php
+++ b/wp-admin/includes/plugin.php
@@ -65,8 +65,8 @@
  * @since 1.5.0
  *
  * @param string $plugin_file Path to the plugin file
- * @param bool $markup If the returned data should have HTML markup applied
- * @param bool $translate If the returned data should be translated
+ * @param bool $markup Optional. If the returned data should have HTML markup applied. Defaults to true.
+ * @param bool $translate Optional. If the returned data should be translated. Defaults to true.
  * @return array See above for description.
  */
 function get_plugin_data( $plugin_file, $markup = true, $translate = true ) {
@@ -88,30 +88,36 @@ function get_plugin_data( $plugin_file, $markup = true, $translate = true ) {
 	$plugin_data = get_file_data( $plugin_file, $default_headers, 'plugin' );
 
 	// Site Wide Only is the old header for Network
-	if ( empty( $plugin_data['Network'] ) && ! empty( $plugin_data['_sitewide'] ) ) {
+	if ( ! $plugin_data['Network'] && $plugin_data['_sitewide'] ) {
 		_deprecated_argument( __FUNCTION__, '3.0', sprintf( __( 'The %1$s plugin header is deprecated. Use %2$s instead.' ), 'Site Wide Only: true', 'Network: true' ) );
 		$plugin_data['Network'] = $plugin_data['_sitewide'];
 	}
 	$plugin_data['Network'] = ( 'true' == strtolower( $plugin_data['Network'] ) );
 	unset( $plugin_data['_sitewide'] );
 
-	//For backward compatibility by default Title is the same as Name.
-	$plugin_data['Title'] = $plugin_data['Name'];
-
-	if ( $markup || $translate )
+	if ( $markup || $translate ) {
 		$plugin_data = _get_plugin_data_markup_translate( $plugin_file, $plugin_data, $markup, $translate );
-	else
+	} else {
+		$plugin_data['Title'] = $plugin_data['Name'];
 		$plugin_data['AuthorName'] = $plugin_data['Author'];
+	}
 
 	return $plugin_data;
 }
 
-function _get_plugin_data_markup_translate($plugin_file, $plugin_data, $markup = true, $translate = true) {
+/**
+ * Sanitizes plugin data, optionally adds markup, optionally translates.
+ *
+ * @since 2.7.0
+ * @access private
+ * @see get_plugin_data()
+ */
+function _get_plugin_data_markup_translate( $plugin_file, $plugin_data, $markup = true, $translate = true ) {
 
-	//Translate fields
+	// Translate fields
 	if ( $translate ) {
 		if ( $textdomain = $plugin_data['TextDomain'] ) {
-			if ( ! empty( $plugin_data['DomainPath'] ) )
+			if ( $plugin_data['DomainPath'] )
 				load_plugin_textdomain( $textdomain, false, dirname( $plugin_file ) . $plugin_data['DomainPath'] );
 			else
 				load_plugin_textdomain( $textdomain, false, dirname( $plugin_file ) );
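Review bot: The `} else {` branch added in this hunk returns the header values exactly as read from the file — no wp_kses(), no esc_url() — yet nothing at this call site says so; a caller passing `false, false` and echoing `PluginURI` or `Description` gets unescaped data. Add a comment on that branch such as `// No markup/translation requested: fields are returned raw and unescaped; escape at output.` and state the same on get_plugin_data()'s `@return` line. The switch from `empty( $plugin_data['Network'] )` to `! $plugin_data['Network']` (and the `DomainPath` check below) presumably relies on get_file_data() returning every key listed in `$default_headers`; that is not visible here, so confirm it before the notice-free behaviour of empty() is dropped. `_get_plugin_data_markup_translate()` continues past the end of this hunk.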
@@ -124,37 +130,43 @@ function _get_plugin_data_markup_translate($plugin_file, $plugin_data, $markup =
 		}
 	}
 
-	$plugins_allowedtags = array(
-		'a' => array( 'href' => array(), 'title' => array() ),
-		'abbr' => array( 'title' => array() ),
-		'acronym' => array( 'title' => array() ),
-		'code' => array(),
-		'em' => array(),
-		'strong' => array(),
+	// Sanitize fields
+	$allowed_tags = $allowed_tags_in_links = array(
+		'abbr' => array( 'title' => true ),
+		'acronym' => array( 'title' => true ),
+		'code' => true,
+		'em' => true,
+		'strong' => true,
 	);
+	$allowed_tags['a'] = array( 'href' => true, 'title' => true );
 
-	$plugin_data['AuthorName'] = $plugin_data['Author'] = wp_kses( $plugin_data['Author'], $plugins_allowedtags );
+	// Name is marked up inside tags. Don't allow these.
+	// Author is too, but some plugins have used here (omitting Author URI).
+	$plugin_data['Name'] = wp_kses( $plugin_data['Name'], $allowed_tags_in_links );
+	$plugin_data['Author'] = wp_kses( $plugin_data['Author'], $allowed_tags );
 
-	//Apply Markup
+	$plugin_data['Description'] = wp_kses( $plugin_data['Description'], $allowed_tags );
+	$plugin_data['Version'] = wp_kses( $plugin_data['Version'], $allowed_tags );
+
+	$plugin_data['PluginURI'] = esc_url( $plugin_data['PluginURI'] );
+	$plugin_data['AuthorURI'] = esc_url( $plugin_data['AuthorURI'] );
+
+	$plugin_data['Title'] = $plugin_data['Name'];
+	$plugin_data['AuthorName'] = $plugin_data['Author'];
+
+	// Apply markup
 	if ( $markup ) {
-		if ( ! empty($plugin_data['PluginURI']) && ! empty($plugin_data['Name']) )
+		if ( $plugin_data['PluginURI'] && $plugin_data['Name'] )
 			$plugin_data['Title'] = '' . $plugin_data['Name'] . '';
-		else
-			$plugin_data['Title'] = $plugin_data['Name'];
 
-		if ( ! empty($plugin_data['AuthorURI']) && ! empty($plugin_data['Author']) )
+		if ( $plugin_data['AuthorURI'] && $plugin_data['Author'] )
 			$plugin_data['Author'] = '' . $plugin_data['Author'] . '';
 
 		$plugin_data['Description'] = wptexturize( $plugin_data['Description'] );
-		if ( ! empty($plugin_data['Author']) )
-			$plugin_data['Description'] .= ' ' . sprintf( __('By %s'), $plugin_data['Author'] ) . '.';
-	}
 
-	// Sanitize all displayed data. Author and AuthorName sanitized above.
-	$plugin_data['Title'] = wp_kses( $plugin_data['Title'], $plugins_allowedtags );
-	$plugin_data['Version'] = wp_kses( $plugin_data['Version'], $plugins_allowedtags );
-	$plugin_data['Description'] = wp_kses( $plugin_data['Description'], $plugins_allowedtags );
-	$plugin_data['Name'] = wp_kses( $plugin_data['Name'], $plugins_allowedtags );
+		if ( $plugin_data['Author'] )
+			$plugin_data['Description'] .= ' ' . sprintf( __('By %s.'), $plugin_data['Author'] ) . '';
+	}
 
 	return $plugin_data;
 }
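Review bot: `Version` is filtered with `$allowed_tags`, which after the `$allowed_tags['a'] = ...` line permits `a`, `em`, `strong`, `code`, `abbr` and `acronym`, so a plugin header can place a link or inline formatting into a field that reads as a version string; if Version is ever compared or shown outside an HTML context, `wp_kses( $plugin_data['Version'], array() )` (strip all tags) is the safer filter — no such use is visible from this hunk, so treat this as a question rather than a defect. The `'' . $plugin_data['Name'] . ''` and `'' . $plugin_data['Author'] . ''` lines in the "Apply markup" block appear to have lost their anchor markup in this view, so it cannot be confirmed here that the esc_url()-treated `PluginURI`/`AuthorURI` land inside a quoted href attribute; worth re-checking against the actual file. The `// Sanitize fields` comment could also record the ordering contract, e.g. `// Sanitize after translation so the filters see the strings that will actually be displayed.` This function begins before the start of the hunk.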