Opened 20 years ago
Closed 18 years ago
#1600 closed defect (bug) (fixed)
list_cats needs to filter category description more aggressively
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Priority: | normal | |
| Severity: | minor | Version: | 1.5.2 |
| Component: | General | Keywords: | category description filter tag |
| Focuses: | Cc: |
Description
The list_cats function performs insufficient cleaning up of the category's description field before placing it in the title tag.
Steps to reproduce
- Create a new category through the admin screen.
- Specify a category description that contains an anchor tag containing double-quoatation marks.
For example, you might create a category called WordPress which contains the description
Articles related to <a href="http://www.wordpress.org">WordPress</a>
- Create an article and assign it to the category, so that the category will appear in the list_cats output.
- Using the default template (or any that take advantage of list_cats), display the main page.
- Note that the display of the categories list appears broken (in my browser, it does not display that category at all). Viewing the source of the page reveals that the quotation marks inside the anchor tag that is inside the title tag have terminated the title unexpectedly.
Analysis
In template-functions-category.php is a function called list_cats. This function has a line:
$link .= 'title="' . wp_specialchars(apply_filters('category_description',$category->category_description,$category)) . '"';
The filtering on this line is not enough to prevent mishaps - perhaps the defect is in wp_specialchars, or perhaps the defect is the the choice of wp_specialchars as the filtering function.
In particular, double-quote marks inside tags (including both anchor tags and script tags, as an example) are left in place. Double-quote marks outside of tags seem to be successfully handled.
This is probably related to Ticket #727. Unfortunately, that report recommended a code change without giving a reason, so it is unclear whether I am experiencing the same symptoms. Certainly, the fix associated with that ticket didn't solve the problem.
Other problems with this current implementation include:
- Including any tags in a anchor tag's title tag value seems wrong. The tags should be stripped.
- The length of the title field might get quite long.
It strikes me that an excerpt of the category's description might be appropriate here. That should deal with length, tag-stripping and inappropriate characters.
Closing as fixed. Function
list_catshas been deprecated and replaced bywp_list_categoriesinwp-includes/catgeory-template.phpand link titles now display "View all posts in [cat_name]" instead of the category description, thus, the bug has been removed.