Constructing URIs using the slug (post_name) can result in arbitrary characters being passed through to the final HTML
|Reported by:||jaylett||Owned by:|
The characters in post_name are assumed to be safe for passing directly into a constructed URI (typically a permalink). The expected behaviour is for anything that is not valid directly in a URI to be suitably escaped, and then for the URI to be HTML entity escaped.
If the post_name contains say "> then the anchor tag emitted is terminated and the rest of the post_name will be displayed.
If the post_name contains say < then the URI that is followed by the web browser will contain < rather than the literal <.
(This is a niche case that I know should never happen because of input validation / construction of post_name.)