Make WordPress Core

Opened 13 years ago

Closed 13 years ago

#14323 closed defect (bug) (fixed)

Quick Edit stores filtering of title to database

Reported by: kingjeffrey
Owned by: filosofo
Milestone: 3.1
Priority: normal
Severity: normal
Version: 3.0
Component: Quick/Bulk Edit
Keywords: has-patch
Focuses:
Cc:

Description

Line 1188 of /wp-admin/includes/template.php consists of this line:

$title = esc_attr( get_the_title( $post->ID ) );

$title is later stored to the title text field in the quick edit form for posts.

The problem with this structure is that any filtering done by plugins on the the_title hook is saved to the database via the quick edit form – creating destructive change that is not reversed when the plugin is deactivated.

Please consider using the_title_attribute or a direct db call so that the the_title hook is not called.

Attachments (1)

do-not-filter-editable-title.14323.diff (473 bytes) - added by filosofo 13 years ago.


Change History (10)

#1 @kingjeffrey
13 years ago

The issue can be recreated with the wp-Typography plugin:

  1. Enable the plugin and the "wrap acronyms" option
  2. Create and save a post with a word consisting of only capital letters (i.e. 'FOO bar')
  3. Go to the "Posts" page in the admin panel
  4. Click on the Quick Edit link for this post.
  5. The title text box now contains injected HTML tags: '<span class="caps">FOO</span> bar'

#2 follow-up: @scribu
13 years ago

The root cause is that 'the_title' filter is applied in get_the_title(), when it should logically be applied in the_title().

#3 @scribu
13 years ago

  • Severity changed from blocker to normal

#4 @scribu
13 years ago

  • Milestone changed from Awaiting Review to 3.1

#5 in reply to: ↑ 2 ; follow-up: @filosofo
13 years ago

  • Keywords has-patch added; destructive filtering removed
  • Owner set to filosofo
  • Status changed from new to accepted

Replying to scribu:

> The root cause is that 'the_title' filter is applied in get_the_title(), when it should logically be applied in the_title().

Could you elaborate on why you think that would be more logical? the_title() basically just prints get_the_title() with optional prepended and appended text, so I don't see why it would need its own filter.

I think the issue in this ticket is using filtered content at all for a field that's going to be saved.

#6 in reply to: ↑ 5 ; follow-up: @scribu
13 years ago

Replying to filosofo:

> Replying to scribu:
>
> > The root cause is that 'the_title' filter is applied in get_the_title(), when it should logically be applied in the_title().
>
> Could you elaborate on why you think that would be more logical? the_title() basically just prints get_the_title() with optional prepended and appended text, so I don't see why it would need its own filter.

Because it would be consistent with a lot of other template tags like the_content() & get_the_content(), the_excerpt() & get_the_excerpt() etc.

That said, your patch is the best solution in this case.

#7 in reply to: ↑ 6 @filosofo
13 years ago

Replying to scribu:

> Because it would be consistent with a lot of other template tags like the_content() & get_the_content(), the_excerpt() & get_the_excerpt() etc.

That behavior is maintained for backwards-compatibility reasons; those particular functions are among the most problematic in WP for numerous reasons, so I hope you don't look to them for precedent. :)

#8 @nacin
13 years ago

#11307, [13079] - Middle ground somewhere?

#9 @nacin
13 years ago

  • Resolution set to fixed
  • Status changed from accepted to closed

(In [16278]) Use direct post_title instead of get_the_title() in get_inline_data(). reverts [13079] but adds trim() to solve original bug. fixes #14323, props filosofo.
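
The round trip described in this ticket, as an added stand-alone PHP illustration (not WordPress code and not the attached patch): `wrap_caps()`, `display_title()`, `quick_edit_field()` and `submit_unchanged()` are hypothetical stand-ins, and `htmlspecialchars()` stands in for `esc_attr()`. It saves an untouched Quick Edit form once with the filtered title as the field value and once with the raw `post_title` plus `trim()`, as in [16278].

```php
<?php
// Added illustration; stand-alone PHP, no WordPress required.
// Constructed stand-ins: $db plays the posts table, wrap_caps() plays a
// plugin callback on the_title, display_title() plays get_the_title().

$db = [ 42 => [ 'post_title' => 'FOO bar' ] ];

// Display-time filter, like the "wrap acronyms" behaviour in comment #1.
function wrap_caps( string $title ): string {
    return preg_replace( '/\b([A-Z]{2,})\b/', '<span class="caps">$1</span>', $title );
}

// Filtered title: correct for rendering a page, wrong as an edit-form value.
function display_title( array $db, int $id ): string {
    return wrap_caps( $db[ $id ]['post_title'] );
}

// Builds the Quick Edit text field; $filtered selects the old or fixed source.
function quick_edit_field( array $db, int $id, bool $filtered ): string {
    $value = $filtered ? display_title( $db, $id ) : trim( $db[ $id ]['post_title'] );
    return '<input type="text" name="post_title" value="'
        . htmlspecialchars( $value, ENT_QUOTES ) . '">';
}

// Simulates the browser submitting the form unchanged, then the save handler.
function submit_unchanged( array $db, int $id, string $field_html ): array {
    preg_match( '/value="([^"]*)"/', $field_html, $m );
    $db[ $id ]['post_title'] = htmlspecialchars_decode( $m[1], ENT_QUOTES );
    return $db;
}

$before = submit_unchanged( $db, 42, quick_edit_field( $db, 42, true ) );
$after  = submit_unchanged( $db, 42, quick_edit_field( $db, 42, false ) );

// Round-trip check: saving an untouched form must not change the stored row.
var_dump( $before[42]['post_title'] === $db[42]['post_title'] ); // filtered source
var_dump( $after[42]['post_title'] === $db[42]['post_title'] );  // raw source
echo $before[42]['post_title'], "\n"; // what the filtered path wrote to storage
```

The same round-trip comparison works as a regression check for any edit form: a value that survives display filters on its way into an input will be persisted with whatever markup those filters added, and it stays in storage after the plugin is deactivated.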
