Opened 3 years ago
Last modified 3 years ago
#11699 new defect (bug)
adjacent_post_link fails to strip anchor tags from post titles
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | Future Release |
| Component: | Template | Version: | 2.9 |
| Severity: | normal | Keywords: | has-patch dev-feedback |
| Cc: | | | |
Description (last modified by nacin)
If you create a post with a title of `Started using <a href='http://wordpress.org/'>WordPress</a>`, adjacent_post_link() emits a link that has that entire string (including the anchor tags) inside its own link.
The expected behaviour would be to strip the anchor tag, leaving only the link generated to the WordPress post.
This would then match being able to put links in post titles and using template code such as `<h2><?php the_title(); ?></h2>`, which results in a heading with the appropriate title including the link that is part of the title. (If you see what I mean.)
A (possibly wrong) fix is to strip the anchor tags using:
1265a1266,1268 $allowed_html_in_titles = $allowedtags; unset($allowed_html_in_titles['a']); $title = wp_kses($title, $allowed_html_in_titles);
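Review bot: the added lines read `$allowedtags` without a `global $allowedtags;` declaration, and inside adjacent_post_link() that variable (defined as a global in wp-includes/kses.php) is not in function scope, so `$allowed_html_in_titles` would be null and wp_kses() would strip every tag rather than only `<a>`; add `global $allowedtags;` before the first added line. With that fixed, the approach itself is sound: wp_kses() removes the disallowed `<a>`/`</a>` tags but keeps their inner text, which is exactly the expected behaviour described above. The three statements should also be placed on separate lines so the hunk applies cleanly.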
applied to wp-includes/link-template.php
Attachments (1)
Change History (12)
- Description modified (diff)
- Milestone changed from Unassigned to 3.0
Maybe we should instead strip all tags?
Replying to nacin:
Maybe we should instead strip all tags?
Would you like them stripped in each function or to hook it to the_title filter in default-filters?
I am wondering if we are breaking things in a lot more places than just the adjacent posts by allowing `a` elements in post titles.
I agree. I thought about sanitizing get_the_post_title before returning the value, but several functions skip that function and call $post->title directly. Most of them use apply_filters('the_title') though. That's why I was wondering if it might be appropriate to sanitize it within default-filters... plugin and theme authors could remove that filter if needed... or strip it on the way into the DB.
Added default filter; it fixes the problem anywhere apply_filters('the_title', ... ) is called.
comment:7
technosailor — 3 years ago
-1 on using filters here. We should strip tags on insert. This shouldn't be filterable for any use case I can think of.
I'm firmly of the opinion that unless you can 100% guarantee that your invariant is going to be honoured everywhere, you should sanitise output as well as anything you do to the input.
Given the number of tools available for frobbing the wordpress database directly (including but by no means limited to import scripts to get you up and running from another system such as Drupal), an invariant such as "titles must not contain HTML tags" simply isn't going to be honoured.
On top of this I don't believe that ruling out having tags in a title simply because it's a pain is a good decision. (Indeed, it would prejudice me against Wordpress just when I was getting to like it.) What's the user-focussed justification here for removing the ability to put emphasis in a title, for instance?
(Removing links in titles on input I could live with, just about.)
So +1 on filters, and +1 on stripping tags, providing it gets documented clearly as an invariant of the data model.
I don't mind the code suggested in the body of the ticket, using wp_kses like that. I wasn't trying to imply that we remove the ability to have `a` elements in titles, only that we may need to strip `a` elements from more places.
My only thought is that there may be other areas in core other than adjacent_post_link where we would need to do this.
comment:10
nacin — 3 years ago
- Milestone changed from 3.0 to 3.1
comment:11
nacin — 3 years ago
- Milestone changed from Awaiting Triage to Future Release
My only thought is that there may be other areas in core other than adjacent_post_link where we would need to do this.
Remains valid.

Sigh. Apologies for the formatting. Someone with suitable edit privs may want to drop some curly braces round that patch.
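The nested-anchor output described in the ticket description, and the output-side `the_title` filter discussed in the comments, as an added example that is not WordPress core code and not the reporter's patch. It runs without WordPress loaded: `strip_anchor_tags()` is a small regex stand-in for `wp_kses($title, $allowedtags minus 'a')`, `adjacent_link_unsafe()` mimics what adjacent_post_link() does in the report, and the sample title and permalink are constructed. The filter registration is only attempted when `add_filter()` exists, i.e. when the file is loaded inside WordPress.

```php
<?php
// Added example, not WordPress core code. Reproduces the nested-anchor
// output from ticket #11699 and shows an output-side fix that strips only
// <a> tags from a title before wrapping it in the adjacent-post link.
// strip_anchor_tags() is a stand-in for wp_kses() with the 'a' entry
// removed from $allowedtags; it keeps the example runnable without WordPress.

/**
 * Remove <a ...> and </a> tags from $title but keep their inner text and any
 * other inline markup (e.g. <em>), so emphasis in titles survives.
 * \b after "a" prevents matching <abbr>, <article> and similar tags.
 * Simplification: a '>' inside an attribute value would confuse this regex;
 * core should keep using wp_kses(), which tokenises attributes properly.
 */
function strip_anchor_tags($title) {
    return preg_replace('#</?a\b[^>]*>#i', '', $title);
}

/**
 * Mimics what adjacent_post_link() does in the report: wrap the raw title in
 * the link to the adjacent post, producing a nested <a> when the title itself
 * contains one. $permalink is a constructed value for the demo.
 */
function adjacent_link_unsafe($title, $permalink) {
    $href = htmlspecialchars($permalink, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $href . '">' . $title . '</a>';
}

/** Same output path, with anchor tags stripped first, so a single link results. */
function adjacent_link_fixed($title, $permalink) {
    return adjacent_link_unsafe(strip_anchor_tags($title), $permalink);
}

/**
 * The default-filter variant from the comments: hook 'the_title' so every
 * caller that runs apply_filters('the_title', ...) gets the stripped value.
 * $id is optional because some callers pass only the title.
 */
function example_strip_anchors_in_title($title, $id = 0) {
    return strip_anchor_tags($title);
}
if (function_exists('add_filter')) {
    add_filter('the_title', 'example_strip_anchors_in_title', 10, 2);
}

// Constructed sample title, based on the one in the ticket description,
// with an <em> added to show that non-anchor markup is preserved.
$title     = "Started using <a href='http://wordpress.org/'>WordPress</a> <em>daily</em>";
$permalink = 'http://example.com/?p=42';

echo "unsafe: ", adjacent_link_unsafe($title, $permalink), "\n";
echo "fixed:  ", adjacent_link_fixed($title, $permalink), "\n";
```

Run with `php example.php`: the first line shows the outer link wrapping a second `<a>` (the bug), the second shows one link whose text is `Started using WordPress <em>daily</em>`. This is the output-side safeguard argued for in the comments; it does not rule out also stripping anchors on insert, but it holds regardless of how the title reached the database.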