WordPress.org

Make WordPress Core

Opened 4 years ago

Closed 3 years ago

#13025 closed defect (bug) (wontfix)

Post titles are not escaped properly

Reported by: singpolyma
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 2.9.2
Component: General
Keywords: close
Focuses:
Cc:

Description

Post titles are supposed to be treated as plain text, but on https://singpolyma.net/2010/04/html5-doesnt-support/ it seems that entities in the post title are output unescaped? This breaks my site...

Change History (6)

comment:1 solarissmoke 4 years ago

  • Keywords reporter-feedback added

I can't reproduce this - entities are escaped just fine when I try it on WP 2.9.2

Looking at wp-includes/default-filters.php, there is an esc_html action on wp_title (line 86) which ensures that the title is properly escaped.

I think that the problem is being caused by your theme.

comment:2 solarissmoke 4 years ago

  • Keywords close added

comment:3 solarissmoke 4 years ago

  • Keywords close removed

On further testing, I realised that it ignores known entities (of which ™ is one), and then escapes anything else. It seems that this behaviour is by design, in which case post titles are not treated as plain text, and you would have to manually escape such things.
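
The behaviour described in comment:3, modelled as an added example (not part of the original ticket and not WordPress's own code): strict plain-text escaping beside escaping that lets known entities through. The function names, the `KNOWN_ENTITIES` list and the sample titles are assumptions made for illustration.

```php
<?php
// Added illustration, not WordPress source. KNOWN_ENTITIES is a constructed
// subset standing in for the entity names WordPress recognises; only named
// entities are modelled.
const KNOWN_ENTITIES = ['amp', 'lt', 'gt', 'quot', 'trade', 'copy', 'nbsp'];

// Strict plain-text escaping: every "&" is encoded, so an entity typed into
// the title reaches the reader as literal characters.
function escape_plain_text(string $title): string
{
    return htmlspecialchars($title, ENT_QUOTES, 'UTF-8', true);
}

// Entity-preserving escaping: allow-listed named entities pass through
// untouched; every other "&" and all of < > " ' are encoded.
function escape_keep_known_entities(string $title): string
{
    // Encode every ampersand first so nothing slips through by default.
    $s = str_replace('&', '&amp;', $title);
    // Restore only the entities whose name is on the allow list.
    $s = preg_replace_callback(
        '/&amp;([A-Za-z][A-Za-z0-9]*);/',
        fn ($m) => in_array($m[1], KNOWN_ENTITIES, true) ? "&{$m[1]};" : $m[0],
        $s
    );
    // Encode markup characters; double_encode=false leaves the entities
    // produced above as they are.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8', false);
}

// Constructed sample titles.
$titles = [
    'Widgets&trade; & <em>more</em>', // known entity, bare "&", markup
    'Unknown &bogus; entity',         // name not on the allow list
    'Already escaped: &lt;br&gt;',    // author escaped the tag by hand
];

foreach ($titles as $t) {
    printf("input    : %s\n", $t);
    printf("plain    : %s\n", escape_plain_text($t));
    printf("preserve : %s\n\n", escape_keep_known_entities($t));
}
```

In the "preserve" output the allow-listed entity reaches the browser intact and is rendered as a character, while the unknown entity and the tag are still encoded; an author who wants the entity shown literally has to write `&amp;trade;` in the title.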

comment:4 solarissmoke 4 years ago

  • Keywords reporter-feedback removed

comment:5 nacin 3 years ago

  • Keywords close added
  • Severity changed from critical to normal

comment:6 dd32 3 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

As above, this is by design.

Users who do not have the unfiltered_html capability will have their titles escaped.
