WordPress.org

Make WordPress Core

Opened 6 years ago

Closed 5 years ago

#11040 closed defect (bug) (fixed)

escaped HTML elements present in title attributes generated by wp_​list_​pages()

Reported by: kingjeffrey Owned by:
Milestone: 3.0 Priority: normal
Severity: normal Version:
Component: Formatting Keywords: has-patch commit
Focuses: Cc:

Description

When wp_​list_​pages() creates a title attribute for a listed page, it escapes HTML tags so they are visible. The desired operation would be the stripping of HTML tags, not their escaping.

Attachments (2)

esc_attr.patch (483 bytes) - added by scribu 6 years ago.
Use wp_strip_all_tags() instead of _wp_specialchars()
11040.diff (903 bytes) - added by scribu 5 years ago.
Nest wp_strip_all_tags() in esc_attr() for page title

Download all attachments as: .zip

Change History (20)

comment:1 @scribu6 years ago

  • Milestone changed from Unassigned to 2.9

I agree: esc_attr() should strip HTML tags.

comment:2 @scribu6 years ago

  • Keywords has-patch commit added

@scribu6 years ago

Use wp_strip_all_tags() instead of _wp_specialchars()

comment:3 @scribu6 years ago

  • Component changed from General to Formatting

comment:4 @scribu6 years ago

  • Summary changed from wp_​list_​pages title attribute creation to esc_attr() doesn't strip HTML tags

Changing summary to highlight underlying issue.

comment:5 @filosofo6 years ago

You can't make esc_attr() strip out tags, because it's used, for example, to format the output of textarea fields.

It would be better in my opinion just to strip out the tags where they should be stripped out, which is not necessarily for every attribute.

comment:6 follow-up: @scribu6 years ago

Textareas and inputs should use esc_html() instead. Besides that, when is it useful to have escaped html in an attribute?

Besides, esc_attr() and esc_html() are currently identical. So what's the point of having two functions that do the same thing?

comment:7 in reply to: ↑ 6 @filosofo6 years ago

Replying to scribu:

when is it useful to have escaped html in an attribute?

The esc_* functions are meant to be used by plugin and theme developers. That means:

  • They should be named in a way that reflects their use. If something strips out the html, call it "strip_tags()", not "esc_attr()".
  • We can't think of every possible use to which someone might want to put them. For example, supposed I want in the "title" attribute of my link: "Click here to learn more about the <p> element." It makes sense for me to be able to use esc_attr() on it to escape it.
  • HTML entities are legal in attributes. Why should they be removed?
  • Any place in the code that needs to strip out tags can nest strip_tags() in esc_attr().

Besides, esc_attr() and esc_html() are currently identical. So what's the point of having two functions that do the same thing?

They do have different filter names, so you can always filter out HTML entities in escaped attributes for your own purposes.

comment:8 follow-up: @dd326 years ago

  • Keywords needs-patch added; has-patch commit removed

I agree with filosofo, HTML entities are legal in attribue values (Not only text areas, but input form elemens, Titles, other attr's). It should be escaped appropriately for display rather than messing with the passed content.

comment:9 in reply to: ↑ 8 @scribu6 years ago

Replying to dd32:

I agree with filosofo, HTML entities are legal in attribue values (Not only text areas, but input form elemens, Titles, other attr's). It should be escaped appropriately for display rather than messing with the passed content.

I didn't say they were illegal, I said they weren't useful in elements other than textareas and inputs.

So, if esc_attr() isn't changed, why do we need esc_html() for? It's the exact same code in both.

comment:10 @scribu6 years ago

Sorry, didn't see filosofo's comment.

comment:12 @ryan6 years ago

  • Milestone 2.9 deleted
  • Resolution set to wontfix
  • Status changed from new to closed

wontfix for aforementioned reasons.

comment:13 @kingjeffrey5 years ago

  • Resolution wontfix deleted
  • Status changed from closed to reopened
  • Summary changed from esc_attr() doesn't strip HTML tags to escaped HTML elements present in title attributes generated by wp_​list_​pages()

It is great that you settled on esc_attr() not stripping tags. But my original submission had a specific case in the core of WP that is improper. Escaped tags should not be included in the title attribute for wp_​list_​pages(). I don't care if this is fixed by changing esc_attr() or calling it as strip_tags(esc_attr()) in wp_​list_​pages(), but escaped elements should not be present within this specific title attribute.

I changed the title of this bug back to the original, as that is still the outstanding issue.

@scribu5 years ago

Nest wp_strip_all_tags() in esc_attr() for page title

comment:14 @scribu5 years ago

  • Keywords has-patch added; needs-patch removed
  • Milestone set to 3.0

11040.diff addresses the orginal issue.

I'm still wondering why we allow HTML in the title in the first place.

comment:15 @scribu5 years ago

  • Keywords commit added

comment:16 follow-up: @nacin5 years ago

This looks good. I imagine we include post titles in title attributes elsewhere, though? This seems like a bandaid.

Holding off until post-freeze, we can continue to call this a bug.

comment:17 in reply to: ↑ 16 @scribu5 years ago

Replying to nacin:

This looks good. I imagine we include post titles in title attributes elsewhere, though? This seems like a bandaid.

the_title_attribute() is used within The Loop.

comment:18 @nacin5 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

(In [14104]) Strip tags before escaping the title element in wp_list_pages(). props scribu. fixes #11040.

Note: See TracTickets for help on using tickets.