#162 closed defect (bug) (fixed)
get_archives_link does not strip quotes when generating title attribute
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | minor | Version: | 1.2 |
| Component: | General | Keywords: | |
| Focuses: | | Cc: | |
Description
If get_archives_link is passed text containing quotation marks, the quotes are not stripped when the title attribute is generated. Several plugins use this function to link to a post using its title, and if the title contains quotes, you can end up with invalid (X)HTML like <a href="url" title="Testing "Quotes" again">Testing "Quotes" again</a>
Attachments (1)
Change History (7)
#3
@
22 years ago
Could also just run htmlspecialchars(); on it, which would take care of < and > as well.
#4
@
22 years ago
- Owner changed from anonymous to rboren
- Resolution changed from 10 to 20
- Status changed from new to closed
This ticket was mentioned in Slack in #core-passwords by georgestephanis.
9 years ago
Hmm, I see my example of the resulting broken HTML was completely stripped out. I guess mantis doesn't encode HTML.
(This is my fourth edit - I've given up figuring out how to choose entities or somehow get it to just show the raw code, so I'm just replacing all angle brackets with square brackets.)
Title: Yeah, this is "fun" all right.
Link: [a href="whatever" title="Yeah, this is "fun" all right."]Yeah, this is "fun" all right.a
The anchor here is broken. Its title attribute ends up being just "Yeah, this is" and there are several invalid attributes.
In the unlikely event that the post title has one quotation mark (say used to indicate inches) and ends in an equals sign, this might make the link invisible. Consider this:
[a href="whatever" title="Something 12" tall="]Something 12" tall=a
If I'm reading this right, the entire line is one opening A tag with various invalid attributes instead of a complete A element.
edited on: 07-09-04 20:33
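The `htmlspecialchars()` approach suggested in comment #3, applied to the two post titles quoted in this ticket, as an added example that is not part of the ticket or WordPress core code. The function names are hypothetical, and the parse check assumes PHP's DOM extension is available.

```php
<?php
// Added illustration, not WordPress core code. Function names are hypothetical.

// Unescaped: title text is concatenated straight into the attribute (the ticket's bug).
function archive_link_unescaped(string $url, string $text): string
{
    return '<a href="' . $url . '" title="' . $text . '">' . $text . '</a>';
}

// Escaped: encode &, <, >, " and ' before the text enters attribute or element content.
function archive_link_escaped(string $url, string $text): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    $safeText = htmlspecialchars($text, $flags, 'UTF-8');
    $safeUrl = htmlspecialchars($url, $flags, 'UTF-8');
    return '<a href="' . $safeUrl . '" title="' . $safeText . '">' . $safeText . '</a>';
}

// Parse the markup and report what the first anchor actually ended up with.
function inspect_link(string $html): array
{
    $previous = libxml_use_internal_errors(true); // malformed markup is expected
    $doc = new DOMDocument();
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $anchor = $doc->getElementsByTagName('a')->item(0);
    if ($anchor === null) {
        return ['title' => null, 'attributes' => [], 'text' => null];
    }
    $names = [];
    foreach ($anchor->attributes as $attr) {
        $names[] = $attr->name;
    }
    return ['title' => $anchor->getAttribute('title'), 'attributes' => $names, 'text' => $anchor->textContent];
}

// The two post titles quoted in the ticket.
$titles = ['Yeah, this is "fun" all right.', 'Something 12" tall='];
foreach ($titles as $title) {
    $parsed = inspect_link(archive_link_escaped('whatever', $title));
    // The escaped link must round-trip: one title attribute equal to the post title.
    $ok = $parsed['title'] === $title && $parsed['text'] === $title
        && $parsed['attributes'] === ['href', 'title'];
    echo ($ok ? 'OK   ' : 'FAIL ') . $title . PHP_EOL;
    echo '  unescaped parses as: ' . json_encode(inspect_link(archive_link_unescaped('whatever', $title))) . PHP_EOL;
}
```

`ENT_QUOTES` is passed explicitly because before PHP 8.1 the default flags left single quotes unencoded.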