Opened 6 years ago

Closed 2 years ago

Last modified 2 years ago

#4789 closed enhancement (wontfix)

Write Post title doesn't escape HTML tags

Reported by: hje1555
Owned by: anonymous
Priority: normal
Milestone:
Component: Administration
Version: 2.3.2
Severity: normal
Keywords: dev-feedback
Cc:

Description

I was writing a new post and I used the title "Curse of the <p>". When saving the post, it appears under Your Drafts but the <p> has not been escaped, so the browser renders a line break.

Change History (16)

comment:1 follow-up: ↓ 2   santosj, 6 years ago

Fix

"Curse of the &lt;p&gt;"

Perhaps a setting, where it allows you to place HTML in the title if you want and escape it if you don't.

comment:2 in reply to: ↑ 1   JeremyVisser, 6 years ago

Replying to santosj:

Perhaps a setting, where it allows you to place HTML in the title if you want and escape it if you don't.

Noooo! We don't need Yet Another (tm) setting, for such a niche thing. Do The Right Thing (tm) in the first place, and we don't need it to be changed.

I don't think HTML belongs in titles, but there is a small-but-vocal contingent who thinks it does.

If we do entitize it, we should do it in a way that allows a plugin to circumvent it.

This kind of input should be sanitized. The exception is the Code view, where it is clear that a restricted set of XHTML is allowed.

  • Resolution set to duplicate
  • Status changed from new to closed
  • Milestone 2.4 deleted

comment:7 follow-up: ↓ 8   Viper007Bond, 6 years ago

It's a toughy. Personally, I like being able to <del> and <em> stuff in my titles.

comment:8 in reply to: ↑ 7   Viper007Bond, 6 years ago

Replying to Viper007Bond:

It's a toughy. Personally, I like being able to <del> and <em> stuff in my titles.

Although for the average user, I think they'd expect that those items would display as typed.

So, a solution:

On output (anywhere and everywhere), filter the title and do an htmlspecialchars() on it, rendering HTML invalid. For us wishing to still post HTML in titles, we could just remove the filter.

  • Component changed from General to Administration
  • Milestone set to 2.4
  • Resolution duplicate deleted
  • Status changed from closed to reopened
  • Version set to 2.3.2

I wrote a post with the title "</2007>" for New Years Eve today. Instead, my post title turns up blank in the web browser. This is not expected behavior! It is not clear that HTML is acceptable and must be escaped in the title anywhere in the interface. I had to edit the post title to "&lt;/2007&gt;" manually, which fixed it, but I shouldn't have had to do that.

Additionally, with the original title I specified above, the auto-generated post-slug was "176" which was the post ID of the post, not "2007" which is the expected, sanitized slug (I changed it to "closing-2007" manually, but it was still incorrect).

I do agree that allowing a plugin to override this behavior if people want to use HTML in their titles is a good idea.

I am re-opening this ticket as although it is marked duplicate, I can't find where the duplicate ticket is! I searched.

  • Keywords needs-patch added
  • Milestone changed from 2.5 to 2.6

Moving to 2.6

Not a simple change and needs a patch.

  • Type changed from defect (bug) to enhancement

Intended behavior currently, so it's not a bug.

  • Keywords dup added
  • Milestone changed from 2.9 to Future Release

Moreover, it's still a dup... Can't recall where it is, but I'm pretty certain it's in there...

  • Keywords dup removed
  • Keywords dev-feedback added; needs-patch removed

Any thoughts from senior devs on whether this is worth keeping open? Suggestions above are basically:

  • Add an esc_html filter to the title, which advanced users can remove (I can see serious back-compat issues here)
  • Add a setting to determine behaviour
  • Do nothing, it's intended behaviour
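The escape-on-output approach from comment 8 and from the first suggestion above (an esc_html-style filter on the title that a plugin can remove), as an added PHP example that is not WordPress code and not part of this ticket. The add_filter, remove_filter and apply_filters functions below are a small stand-in for the WordPress hook API so the script runs on its own without WordPress loaded; htmlspecialchars() with double encoding disabled stands in for esc_html(); escape_title_for_output, render_title and the hypothetical_filters global are names chosen for this example.

```php
<?php
// Added example, not WordPress core code. The three functions below are a
// minimal stand-in for the WordPress hook API (add_filter / remove_filter /
// apply_filters) so the escape-on-output proposal runs as a plain script.
$GLOBALS['hypothetical_filters'] = [];

function add_filter(string $tag, callable $fn, int $priority = 10): void
{
    $GLOBALS['hypothetical_filters'][$tag][$priority][] = $fn;
}

function remove_filter(string $tag, callable $fn, int $priority = 10): bool
{
    if (!isset($GLOBALS['hypothetical_filters'][$tag][$priority])) {
        return false;
    }
    $kept = [];
    $removed = false;
    foreach ($GLOBALS['hypothetical_filters'][$tag][$priority] as $f) {
        if ($f === $fn) {
            $removed = true;
        } else {
            $kept[] = $f;
        }
    }
    $GLOBALS['hypothetical_filters'][$tag][$priority] = $kept;
    return $removed;
}

function apply_filters(string $tag, string $value): string
{
    $byPriority = $GLOBALS['hypothetical_filters'][$tag] ?? [];
    ksort($byPriority); // lower priority numbers run first, as in WordPress
    foreach ($byPriority as $callbacks) {
        foreach ($callbacks as $callback) {
            $value = $callback($value);
        }
    }
    return $value;
}

// Output escaping for titles. htmlspecialchars() with double_encode = false
// stands in for esc_html(): a title already stored as "&lt;/2007&gt;" (the
// manual workaround from the thread) is left alone instead of turning into
// "&amp;lt;/2007&amp;gt;", while raw "<" and ">" are neutralised.
function escape_title_for_output(string $title): string
{
    return htmlspecialchars($title, ENT_QUOTES, 'UTF-8', false);
}

// The proposal from comment 8: escape on output, wherever the title is printed.
add_filter('the_title', 'escape_title_for_output');

// One output point (a heading); the admin drafts list would use the same filter.
function render_title(string $stored_title): string
{
    return '<h2>' . apply_filters('the_title', $stored_title) . '</h2>';
}

// Constructed sample titles, taken from the cases described in this ticket.
$titles = [
    'Curse of the <p>',   // original report: browser rendered a line break
    '</2007>',            // later comment: title rendered blank
    '&lt;/2007&gt;',      // manual escape typed by the author; must not be double-encoded
    'Now <em>this</em>',  // comment 7: markup some authors want to keep
];

foreach ($titles as $t) {
    echo render_title($t), PHP_EOL;
}

// A plugin that wants raw HTML in titles (comment 7) opts out by removing the filter.
remove_filter('the_title', 'escape_title_for_output');
echo render_title('Now <em>this</em>'), PHP_EOL;
```

Run it with the php command-line binary. The double_encode = false argument is what keeps an author's manual workaround (entities typed into the title field) from being encoded a second time, which is one of the back-compat cases a blanket esc_html filter would otherwise break; titles containing real tags are escaped, and the closing remove_filter() call shows the opt-out a plugin would use. The stand-in covers only one output point; the "anywhere and everywhere" in comment 8 means the filter has to be applied at every place a title is printed, including the admin drafts list from the original report.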

  • Milestone Future Release deleted
  • Resolution set to wontfix
  • Status changed from reopened to closed

This has been called intended behavior for quite a while. Closing due to lack of traction.
