Make WordPress Core

Opened 14 years ago

Closed 11 years ago

#14361 closed defect (bug) (duplicate)

the_title does not escape HTML special characters properly

  • Reported by: peaceablewhale
  • Owned by: (none)
  • Milestone: (none)
  • Priority: normal
  • Severity: normal
  • Version: 3.0
  • Component: Themes
  • Keywords: close
  • Focuses: template
  • Cc: (none)

Description

The 'the_title' function does not escape HTML special characters properly, causing invalid HTML.

Test case: "<test>This is a test</test>"

Attachments (1)

14361.patch (522 bytes) - added by peaceablewhale 14 years ago.


Change History (11)

#1 @nacin
14 years ago

  • Keywords needs-patch 2nd-opinion added; has-patch removed
  • Milestone changed from Awaiting Review to Future Release

Woah, that'd break quite a bit. HTML is allowed inside the title.

We need to be careful not to break valid HTML if we would ever try to account for escaping other characters that make up HTML.

#2 @solarissmoke
14 years ago

Could we put the title through kses on save?

#3 @peaceablewhale
14 years ago

Why is HTML allowed inside the title?

#5 @peaceablewhale
14 years ago

I think bloggers usually expect the system to display exactly what they have typed in the title. It is unfortunate that the behavior is considered intended...

#6 @badconker
12 years ago

  • Cc aurelien.joahny@… added

#7 @badconker
12 years ago

  • Cc aurelien.joahny@… removed

#8 @nacin
11 years ago

  • Component changed from Template to Themes
  • Focuses template added

#9 @obenland
11 years ago

  • Keywords close added; needs-patch 2nd-opinion removed

As Nacin pointed out, HTML is allowed in titles. And even if we were to add a kses filter on save, it could break existing posts' titles on updates.
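The practical consequence of this thread for theme authors is that `the_title()` cannot escape on its own, because titles legitimately contain markup; the escaping has to match the output context. The following is an added example (not code from the ticket, the attached patch or WordPress core) of a theme-side helper that does that. It assumes WordPress is loaded and that it runs inside The Loop; the `example_` function names and the tag allowlist are constructed for this illustration.

```php
<?php
/**
 * Added example, not part of the ticket or of WordPress core.
 * Context-aware output of a post title inside a theme template.
 * Assumes WordPress is loaded and we are inside The Loop.
 */

// Inline tags a title may keep when rendered as HTML.
// Constructed allowlist for this example; a theme would pick its own.
function example_title_allowed_tags() {
    return array(
        'em'     => array(),
        'strong' => array(),
        'code'   => array(),
        'span'   => array( 'class' => array() ),
    );
}

// Body context (heading, link text): keep the inline formatting the author
// typed, strip every other tag but keep its text content.
function example_render_title_html() {
    return wp_kses( get_the_title(), example_title_allowed_tags() );
}

// Attribute context (title="", alt="", data-*): markup has no meaning here,
// so every special character is encoded.
function example_render_title_attr() {
    return esc_attr( get_the_title() );
}

// Plain-text context (the <title> element, feed titles, text pushed into
// JavaScript): encode everything, including any markup the author typed.
function example_render_title_text() {
    return esc_html( get_the_title() );
}
?>
<article id="post-<?php the_ID(); ?>">
  <h2>
    <a href="<?php the_permalink(); ?>"
       title="<?php echo example_render_title_attr(); ?>">
      <?php echo example_render_title_html(); ?>
    </a>
  </h2>
</article>
```

For the ticket's test case ``, `example_render_title_html()` drops the unknown `<test>` tags and yields `This is a test`, while `example_render_title_attr()` and `example_render_title_text()` encode the angle brackets so the browser sees them as literal text. Choosing the escaping function at the point of output, rather than filtering on save as discussed above, leaves stored titles untouched and so avoids the breakage of existing posts that a save-time kses filter would risk.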

#10 @SergeyBiryukov
11 years ago

  • Milestone Future Release deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #4789.
