Make WordPress Core

Opened 11 years ago

Closed 15 months ago

#11699 closed defect (bug) (wontfix)

adjacent_post_link fails to strip anchor tags from post titles

Reported by: jaylett
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 2.9
Component: Formatting
Keywords:
Focuses: template
Cc:

Description (last modified by nacin)

If you create a post with a title of "Started using <a href='http://wordpress.org/'>WordPress</a>", adjacent_post_link() emits a link that has that entire string (including the anchor tags) inside its own link.

The expected behaviour would be to strip the anchor tag to leave the link generated to the WordPress post.

This would then match being able to put links in post titles and using template code such as <h2><?php the_title(); ?></h2> which results in a heading with the appropriate title including the link that is part of the title. (If you see what I mean.)

A (but possibly the wrong) fix is to strip the anchor tags using:

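 	global $allowedtags; // default kses allowlist; needed inside a function
 	$allowed_html_in_titles = $allowedtags;
 	unset( $allowed_html_in_titles['a'] ); // $allowedtags permits <a>, so drop it
 	$title = wp_kses( $title, $allowed_html_in_titles ); // anchors are stripped, other inline tags kept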

applied to wp-includes/link-template.php

Attachments (1)

11699.diff (479 bytes) - added by blepoxp 10 years ago.
added default filter fixes the problem anywhere apply_filters('the_title', ... ) is called.


Change History (15)

#1 @jaylett
11 years ago

Sigh. Apologies for the formatting. Someone with suitable edit privs may want to drop some curly braces round that patch.

#2 follow-up: @nacin
10 years ago

  • Description modified (diff)
  • Milestone changed from Unassigned to 3.0

Maybe we should instead strip all tags?

#3 in reply to: ↑ 2 @blepoxp
10 years ago

Replying to nacin:

Maybe we should instead strip all tags?

Would you like them stripped in each function or to hook it to the_title filter in default-filters?

#4 @nacin
10 years ago

I am wondering if we are breaking things in a lot more places than just the adjacent posts by allowing <a> elements in post titles.

#5 @blepoxp
10 years ago

I agree. I thought about sanitizing get_the_post_title before returning the value but several functions skip that function and call $post->title directly. Most of them use apply_filters('the_title') though. That's why I was wondering if it might be appropriate to sanitize it within default-filter... plugin and theme authors could remove that filter if needed... or strip it on the way into the DB.

10 years ago

added default filter fixes the problem anywhere apply_filters('the_title', ... ) is called.

#6 @blepoxp
10 years ago

  • Keywords has-patch dev-feedback added

#7 @technosailor
10 years ago

-1 on using filters here. We should strip tags on insert. This shouldn't be filterable for any use case I can think of.

#8 @jaylett
10 years ago

I'm firmly of the opinion that unless you can 100% guarantee that your invariant is going to be honoured everywhere, you should sanitise output as well as anything you do to the input.

Given the number of tools available for frobbing the WordPress database directly (including but by no means limited to import scripts to get you up and running from another system such as Drupal), an invariant such as "titles must not contain HTML tags" simply isn't going to be honoured.

On top of this I don't believe that ruling out having tags in a title simply because it's a pain is a good decision. (Indeed, it would prejudice me against WordPress just when I was getting to like it.) What's the user-focussed justification here for removing the ability to put emphasis in a title, for instance?

(Removing links in titles on input I could live with, just about.)

So +1 on filters, and +1 on stripping tags, providing it gets documented clearly as an invariant of the data model.

#9 @nacin
10 years ago

I don't mind the code suggested in the body of the ticket, using wp_kses like that. I wasn't trying to imply that we remove the ability to have <a> elements in titles, only that we may need to strip <a> elements from more places.

My only thought is that there may be other areas in core other than adjacent_post_link where we would need to do this.

#10 @nacin
10 years ago

  • Milestone changed from 3.0 to 3.1

#11 @nacin
10 years ago

  • Milestone changed from Awaiting Triage to Future Release

My only thought is that there may be other areas in core other than adjacent_post_link where we would need to do this.

Remains valid.

#12 @nacin
6 years ago

  • Component changed from Template to Posts, Post Types
  • Focuses template added

#13 @chriscct7
5 years ago

  • Component changed from Posts, Post Types to Formatting

#14 @danielbachhuber
15 months ago

  • Keywords has-patch dev-feedback removed
  • Milestone Future Release deleted
  • Resolution set to wontfix
  • Status changed from new to closed

At this point, 9 years after the opening of the ticket, WordPress developers have well-established patterns of sanitizing input and escaping output.

If you have <a> links in your post_title field after an import from some other source, this is a problem with your import process and not something WordPress needs to solve for.
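
The two output-side options discussed in this ticket (drop only anchors, as in the ticket body, or strip all tags, as in comment 2), as an added example that is not part of the ticket or of WordPress core. It assumes a theme template with WordPress loaded; the function name and the $keep_inline flag are hypothetical.

```php
<?php
// Added example, not WordPress core code. Assumes it runs inside a theme
// with WordPress loaded; example_adjacent_post_link() and $keep_inline
// are hypothetical names.
function example_adjacent_post_link( $previous = true, $keep_inline = true ) {
	global $allowedtags; // Core's default allowlist of inline tags.

	$post = get_adjacent_post( false, '', $previous );
	if ( ! $post ) {
		return ''; // No neighbouring post in that direction.
	}

	// Same filter the_title() applies, so plugins still see the title.
	$title = apply_filters( 'the_title', $post->post_title, $post->ID );

	if ( $keep_inline ) {
		// Ticket body: keep inline markup such as <em>, but remove <a>
		// so the title cannot open a link inside the link built below.
		$allowed = $allowedtags;
		unset( $allowed['a'] );
		$text = wp_kses( $title, $allowed );
	} else {
		// Comment 2: strip every tag, then escape what is left.
		$text = esc_html( wp_strip_all_tags( $title ) );
	}

	// Escape the URL for its attribute context regardless of the title.
	return sprintf(
		'<a href="%s" rel="%s">%s</a>',
		esc_url( get_permalink( $post ) ),
		$previous ? 'prev' : 'next',
		$text
	);
}

// Template usage. With the title from the description, the link text
// becomes "Started using WordPress" in both modes.
echo example_adjacent_post_link( true );         // previous post, inline tags kept
echo example_adjacent_post_link( false, false ); // next post, all tags stripped
```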
