escaped HTML elements present in title attributes generated by wp_​list_​pages()

[kingjeffrey]

When wp_​list_​pages() creates a title attribute for a listed page, it escapes HTML tags so they are visible. The desired operation would be the stripping of HTML tags, not their escaping.

[scribu]

I agree: esc_attr() should strip HTML tags.

[scribu]

Use wp_strip_all_tags() instead of _wp_specialchars()

[scribu]

Changing summary to highlight underlying issue.

[filosofo]

You can't make esc_attr() strip out tags, because it's used, for example, to format the output of textarea fields.

It would be better in my opinion just to strip out the tags where they should be stripped out, which is not necessarily for every attribute.

[scribu]

Textareas and inputs should use esc_html() instead. Besides that, when is it useful to have escaped html in an attribute?

Besides, esc_attr() and esc_html() are currently identical. So what's the point of having two functions that do the same thing?

[filosofo]

Replying to scribu:

when is it useful to have escaped html in an attribute?

The esc_* functions are meant to be used by plugin and theme developers. That means:

• They should be named in a way that reflects their use. If something strips out the html, call it "strip_tags()", not "esc_attr()".
• We can't think of every possible use to which someone might want to put them. For example, supposed I want in the "title" attribute of my link: "Click here to learn more about the <p> element." It makes sense for me to be able to use esc_attr() on it to escape it.
• HTML entities are legal in attributes. Why should they be removed?
• Any place in the code that needs to strip out tags can nest strip_tags() in esc_attr().

Besides, esc_attr() and esc_html() are currently identical. So what's the point of having two functions that do the same thing?

They do have different filter names, so you can always filter out HTML entities in escaped attributes for your own purposes.

[dd32]

I agree with filosofo, HTML entities are legal in attribue values (Not only text areas, but input form elemens, Titles, other attr's). It should be escaped appropriately for display rather than messing with the passed content.

[scribu]

Replying to dd32:

I agree with filosofo, HTML entities are legal in attribue values (Not only text areas, but input form elemens, Titles, other attr's). It should be escaped appropriately for display rather than messing with the passed content.

I didn't say they were illegal, I said they weren't useful in elements other than textareas and inputs.

So, if esc_attr() isn't changed, why do we need esc_html() for? It's the exact same code in both.

[scribu]

Sorry, didn't see filosofo's comment.

[scribu]

Related #10997

[ryan]

wontfix for aforementioned reasons.

[kingjeffrey]

It is great that you settled on esc_attr() not stripping tags. But my original submission had a specific case in the core of WP that is improper. Escaped tags should not be included in the title attribute for wp_​list_​pages(). I don't care if this is fixed by changing esc_attr() or calling it as strip_tags(esc_attr()) in wp_​list_​pages(), but escaped elements should not be present within this specific title attribute.

I changed the title of this bug back to the original, as that is still the outstanding issue.

[scribu]

Nest wp_strip_all_tags() in esc_attr() for page title

[scribu]

11040.diff addresses the orginal issue.

I'm still wondering why we allow HTML in the title in the first place.

[nacin]

This looks good. I imagine we include post titles in title attributes elsewhere, though? This seems like a bandaid.

Holding off until post-freeze, we can continue to call this a bug.

[scribu]

Replying to nacin:

This looks good. I imagine we include post titles in title attributes elsewhere, though? This seems like a bandaid.

the_title_attribute() is used within The Loop.

[nacin]

(In [14104]) Strip tags before escaping the title element in wp_list_pages(). props scribu. fixes #11040.