WordPress.org
Get WordPress

Make WordPress Core

Opened 16 years ago

Closed 15 years ago

#13025 closed defect (bug) (wontfix)

Post titles are not escaped properly

Reported by: singpolyma's profile singpolyma Owned by:
Milestone: Priority: normal
Severity: normal Version: 2.9.2
Component: General Keywords: close
Focuses: Cc:

Description

Post titles are supposed to be treated as plain text, but on https://singpolyma.net/2010/04/html5-doesnt-support/ it seems that entities in the post title are output unescaped? This breaks my site...

Change History (6)

#1 @solarissmoke
16 years ago

  • Keywords reporter-feedback added

I can't reproduce this - entities are escaped just fine when I try it on WP 2.9.2

Looking at wp-includes/default-filters.php, there is an esc_html action on wp_title (line 86) which ensures that the title is properly escaped.

I think that the problem is being caused by your theme.

#2 @solarissmoke
16 years ago

  • Keywords close added

#3 @solarissmoke
16 years ago

  • Keywords close removed

On further testing, I realised that it ignores known entities (of which ™ is one, and then escapes anything else. It seems that this behaviour is by design, in which case post titles are not treated as plain text, and you would have to manually escape such things.

#4 @solarissmoke
16 years ago

  • Keywords reporter-feedback removed

#5 @nacin
15 years ago

  • Keywords close added
  • Severity changed from critical to normal

#6 @dd32
15 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

As above, this is by design.

Users who do not have the unfiltered_html capability will have their titles escaped.

Note: See TracTickets for help on using tickets.