Make WordPress Core

Opened 5 years ago

Closed 18 months ago

#14361 closed defect (bug) (duplicate)

the_title does not escape HTML special characters properly

Reported by: peaceablewhale
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.0
Component: Themes
Keywords: close
Focuses: template
Cc:


The 'the_title' function does not escape HTML special characters properly, causing invalid HTML.

Test case: "<test>This is a test</test>"

Attachments (1)

14361.patch (522 bytes) - added by peaceablewhale 5 years ago.


Change History (11)

#1 @nacin
5 years ago

  • Keywords needs-patch 2nd-opinion added; has-patch removed
  • Milestone changed from Awaiting Review to Future Release

Woah, that'd break quite a bit. HTML is allowed inside the title.

We need to be careful not to break valid HTML if we would ever try to account for escaping other characters that make up HTML.

#2 @solarissmoke
5 years ago

Could we put the title through kses on save?

#3 @peaceablewhale
5 years ago

Why is HTML allowed inside the title?

#5 @peaceablewhale
5 years ago

I think bloggers usually expect the system to display exactly what they have typed in the title. It is unfortunate that the behavior is considered intended...

#6 @badconker
3 years ago

  • Cc aurelien.joahny@… added

#7 @badconker
3 years ago

  • Cc aurelien.joahny@… removed

#8 @nacin
22 months ago

  • Component changed from Template to Themes
  • Focuses template added

#9 @obenland
18 months ago

  • Keywords close added; needs-patch 2nd-opinion removed

As Nacin pointed out, HTML is allowed in titles. And even if we were to add a kses filter on save, it could break existing posts' titles on updates.

#10 @SergeyBiryukov
18 months ago

  • Milestone Future Release deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #4789.
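The positions taken in this thread side by side: the_title() emitting stored markup unchanged (nacin, #1), escaping at output where the title must render literally, and solarissmoke's kses-on-save suggestion (#2) with the rewrite effect obenland warns about (#9). This is an added example, not code from the ticket or from WordPress core; it assumes a loaded WordPress environment and uses the ticket's test case as a constructed title value.

```php
<?php
// Added example, not code from the ticket or from WordPress core.
// Assumes a loaded WordPress environment (esc_html, esc_attr, wp_kses_post,
// add_filter). The title value is the ticket's test case, constructed here.

$raw_title = '<test>This is a test</test>';

// 1. Heading context where markup in titles is intentionally allowed:
//    the_title() prints the stored value unchanged, so the result is
//    <h1><test>This is a test</test></h1>, the behaviour nacin calls intended.
function example_title_with_markup( $title ) {
    return '<h1>' . $title . '</h1>';
}

// 2. The title has to render literally: escape at the point of output.
//    In a template this is esc_html( get_the_title() ).
//    -> <h1>&lt;test&gt;This is a test&lt;/test&gt;</h1>
function example_title_literal( $title ) {
    return '<h1>' . esc_html( $title ) . '</h1>';
}

// 3. Attribute context uses the attribute escaper; the_title_attribute()
//    does the same for the current post inside the loop.
//    -> <a title="&lt;test&gt;This is a test&lt;/test&gt;">
function example_title_in_attribute( $title ) {
    return '<a title="' . esc_attr( $title ) . '">';
}

// 4. solarissmoke's "kses on save" idea as a plugin filter: allow only the
//    markup post content may contain. For the test case this yields
//    "This is a test" because <test> is not an allowed tag, which is exactly
//    obenland's concern: existing titles with other markup are rewritten on
//    their next save.
function example_restrict_title_markup( $title ) {
    return wp_kses_post( $title );
}
add_filter( 'title_save_pre', 'example_restrict_title_markup' );
```

The choice between 1 and 2 is a per-template decision about whether markup in titles is a feature or a defect, which is the disagreement the ticket records; the escaping functions only make that decision explicit at the point of output.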
