Make WordPress Core

Opened 5 years ago

Closed 15 months ago

#14361 closed defect (bug) (duplicate)

the_title does not escape HTML special characters properly

Reported by: peaceablewhale
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.0
Component: Themes
Keywords: close
Focuses: template
Cc:


The 'the_title' function does not escape HTML special characters properly, causing invalid HTML.

Test case: "<test>This is a test</test>"

Attachments (1)

14361.patch (522 bytes) - added by peaceablewhale 5 years ago.


Change History (11)

@peaceablewhale 5 years ago

comment:1 @nacin 5 years ago

  • Keywords needs-patch 2nd-opinion added; has-patch removed
  • Milestone changed from Awaiting Review to Future Release

Woah, that'd break quite a bit. HTML is allowed inside the title.

We need to be careful not to break valid HTML if we would ever try to account for escaping other characters that make up HTML.

comment:2 @solarissmoke 4 years ago

Could we put the title through kses on save?

comment:3 @peaceablewhale 4 years ago

Why is HTML allowed inside the title?

comment:5 @peaceablewhale 4 years ago

I think bloggers usually expect the system to display exactly what they have typed in the title. It is unfortunate that the behavior is considered intended...

comment:6 @badconker 3 years ago

  • Cc aurelien.joahny@… added

comment:7 @badconker 3 years ago

  • Cc aurelien.joahny@… removed

comment:8 @nacin 19 months ago

  • Component changed from Template to Themes
  • Focuses template added

comment:9 @obenland 16 months ago

  • Keywords close added; needs-patch 2nd-opinion removed

As Nacin pointed out, HTML is allowed in titles. And even if we were to add a kses filter on save, it could break existing posts' titles on updates.
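As an added illustration (not WordPress core code and not the ticket's 14361.patch), the three treatments discussed on this ticket applied to the reporter's test case: the unchanged output the_title() gives because markup is allowed in titles, escaping as the description asks for, and an allowlist filter standing in for the kses-on-save idea. htmlspecialchars() and strip_tags() are plain PHP stand-ins for esc_html() and wp_kses(); they are not those WordPress functions.

```php
<?php
// Added illustration, not code from WordPress core or from this ticket's patch.
// The reporter's test case: a post title that contains markup.
$title = '<test>This is a test</test>';

// 1. What the_title() does today: the stored title is output unchanged,
//    because HTML is allowed in titles (comment:1). The unknown <test>
//    element reaches the browser as-is, which is the invalid HTML the
//    reporter saw.
function render_raw(string $title): string {
    return $title;
}

// 2. What "escaping HTML special characters" would do (the equivalent of
//    esc_html() in WordPress, modelled here with htmlspecialchars()):
//    every tag becomes literal text, so intentional markup such as <em>
//    in a title is shown as source, which is what comment:1 warns about.
function render_escaped(string $title): string {
    return htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 3. What "kses on save" (comment:2) would do, modelled with strip_tags()
//    and a small allowlist standing in for wp_kses(). Unknown elements are
//    dropped but their text is kept; allowed elements survive.
//    Caveat: strip_tags() does not filter attributes on the allowed tags,
//    which wp_kses() does, so this is only a sketch of the behaviour.
function render_allowlisted(string $title): string {
    return strip_tags($title, '<em><strong><code>');
}

// Constructed sample titles: the ticket's test case and a title whose
// markup is intentional.
$cases = [
    'reporter test case' => $title,
    'intentional markup' => 'Using <em>kses</em> on save',
];

foreach ($cases as $label => $t) {
    echo $label, PHP_EOL;
    echo '  raw:         ', render_raw($t), PHP_EOL;
    echo '  escaped:     ', render_escaped($t), PHP_EOL;
    echo '  allowlisted: ', render_allowlisted($t), PHP_EOL;
}
```

Running it shows why comment:9 closes the ticket: escaping mangles the intentional markup, and the allowlist changes what is stored, so neither is a safe blanket change to the_title().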

comment:10 @SergeyBiryukov 15 months ago

  • Milestone Future Release deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #4789.
