Make WordPress Core

Opened 5 years ago

Closed 4 years ago

#14323 closed defect (bug) (fixed)

Quick Edit stores filtering of title to database

Reported by: kingjeffrey
Owned by: filosofo
Milestone: 3.1
Priority: normal
Severity: normal
Version: 3.0
Component: Quick/Bulk Edit
Keywords: has-patch
Focuses:
Cc:

Description

line 1188 of /wp-admin/includes/template.php consists of this line:

$title = esc_attr( get_the_title( $post->ID ) );

$title is later stored to the title text field in the quick edit form for posts.

The problem with this structure is that any filtering done by plugins on the the_title hook is saved to the database via the quick edit form – creating destructive change that is not reversed when the plugin is deactivated.

Please consider using the_title_attribute or a direct db call so that the the_title hook is not called.

Attachments (1)

do-not-filter-editable-title.14323.diff (473 bytes) - added by filosofo 5 years ago.

Change History (10)

comment:1 @kingjeffrey 5 years ago

The issue can be recreated with the wp-Typography plugin:

  1. Enable the plugin and the "wrap acronyms" option
  2. Create and save a post with a word consisting of only capital letters (i.e. 'FOO bar')
  3. Go to the "Posts" page in the admin panel
  4. Click on the Quick Edit link for this post.
  5. The title text box now contains injected HTML tags: '<span class="caps">FOO</span> bar'

comment:2 follow-up: @scribu 5 years ago

The root cause is that 'the_title' filter is applied in get_the_title(), when it should logically be applied in the_title().

comment:3 @scribu 5 years ago

  • Severity changed from blocker to normal

comment:4 @scribu 5 years ago

  • Milestone changed from Awaiting Review to 3.1

comment:5 in reply to: ↑ 2 ; follow-up: @filosofo 5 years ago

  • Keywords has-patch added; destructive filtering removed
  • Owner set to filosofo
  • Status changed from new to accepted

Replying to scribu:

> The root cause is that 'the_title' filter is applied in get_the_title(), when it should logically be applied in the_title().

Could you elaborate on why you think that would be more logical? the_title() basically just prints get_the_title() with optional prepended and appended text, so I don't see why it would need its own filter.

I think the issue in this ticket is using filtered content at all for a field that's going to be saved.

comment:6 in reply to: ↑ 5 ; follow-up: @scribu 5 years ago

Replying to filosofo:

> Replying to scribu:
>
> > The root cause is that 'the_title' filter is applied in get_the_title(), when it should logically be applied in the_title().
>
> Could you elaborate on why you think that would be more logical? the_title() basically just prints get_the_title() with optional prepended and appended text, so I don't see why it would need its own filter.

Because it would be consistent with a lot of other template tags like the_content() & get_the_content(), the_excerpt() & get_the_excerpt() etc.

That said, your patch is the best solution in this case.

comment:7 in reply to: ↑ 6 @filosofo 5 years ago

Replying to scribu:

> Because it would be consistent with a lot of other template tags like the_content() & get_the_content(), the_excerpt() & get_the_excerpt() etc.

That behavior is maintained for backwards-compatibility reasons; those particular functions are among the most problematic in WP for numerous reasons, so I hope you don't look to them for precedent. :)

comment:8 @nacin 4 years ago

#11307, [13079] - Middle ground somewhere?

comment:9 @nacin 4 years ago

  • Resolution set to fixed
  • Status changed from accepted to closed

(In [16278]) Use direct post_title instead of get_the_title() in get_inline_data(). reverts [13079] but adds trim() to solve original bug. fixes #14323, props filosofo.
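
The round trip this ticket describes, as an added example that is not WordPress code and not part of the ticket: a stand-alone PHP simulation that prefills the Quick Edit field once from the filtered title and once from the raw post_title with trim(), the approach named in [16278]. The filter registry (demo_add_filter, demo_apply_filters), the one-row $db array and the acronym-wrapping filter are simplified, hypothetical stand-ins.

```php
<?php
// Simplified stand-in for a filter registry (assumption: no priorities, one argument).
$filters = [];
function demo_add_filter(string $hook, callable $cb): void {
    global $filters;
    $filters[$hook][] = $cb;
}
function demo_apply_filters(string $hook, string $value): string {
    global $filters;
    foreach ($filters[$hook] ?? [] as $cb) {
        $value = $cb($value);
    }
    return $value;
}

// Constructed "database": one post row holding the raw title.
$db = [1 => ['post_title' => 'FOO bar']];

// Display-time accessor: runs the 'the_title' filters, as the ticket says get_the_title() does.
function filtered_title(int $id): string {
    global $db;
    return demo_apply_filters('the_title', $db[$id]['post_title']);
}

// Hypothetical plugin filter modelled on the "wrap acronyms" option from comment:1.
demo_add_filter('the_title', function (string $t): string {
    return preg_replace('/\b[A-Z]{2,}\b/', '<span class="caps">$0</span>', $t);
});

// One Quick Edit round trip: prefill the text field, then save it back unchanged.
function quick_edit_round_trip(int $id, bool $use_raw): string {
    global $db;
    $prefill   = $use_raw ? trim($db[$id]['post_title']) : filtered_title($id);
    $field     = htmlspecialchars($prefill, ENT_QUOTES);         // escaped for the value="" attribute
    $submitted = htmlspecialchars_decode($field, ENT_QUOTES);    // the browser posts the decoded value
    $db[$id]['post_title'] = $submitted;                         // the save handler stores what it received
    return $submitted;
}

// Filtered prefill: the plugin's markup ends up in the stored title.
echo "filtered prefill stores: ", quick_edit_round_trip(1, false), "\n";

$db[1]['post_title'] = 'FOO bar'; // reset the constructed row

// Raw prefill: the stored title survives the round trip untouched.
echo "raw prefill stores:      ", quick_edit_round_trip(1, true), "\n";
```

Escaping for the attribute does not help here: it is undone when the form is submitted, so whatever value was used to prefill the field is what gets stored.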