the_title_attribute() bug

[facemann_ru]

Hi, this bug appears when you try to use HTML for options as 'before' or 'after' on function the_title_attribute();

​http://core.trac.wordpress.org/browser/tags/3.0.4/wp-includes/post-template.php#L74

An example from docs doesn't work:

​http://codex.wordpress.org/Function_Reference/the_title_attribute

<?php the_title_attribute('before=<h3>&after=</h3>'); ?>

One of the solutions - we can move below the first line of this code:

$title = $before . $title . $after;
$title = esc_attr(strip_tags($title));

So, HTML from options won't be stripped.

fix

facemann_ru's fix in .diff format

Where are you trying to use this function?

It's not supposed to output html, thus the 'attribute' part of the function name.

This function is designed to be used in this context:

<a href="" title="<?php the_title_attribute(); ?>">

In that context, HTML is invalid and should be striped from the output.

It sounds like you should be using the_title(); function instead to me..

Replying to dd32:

This function is designed to be used in this context:

<a href="" title="<?php the_title_attribute(); ?>">

In that context, HTML is invalid and should be striped from the output.

Then I think the example in the documentation needs to be revised:

​http://codex.wordpress.org/Function_Reference/the_title_attribute

Also, the inline documentation didn't mention that this function is designed to be used in title attribute only. If this is indeed the original intention of this function, shouldn't we modify both the inline documentation and codex to make sure theme developers know how to correctly use this function?

Replying to dd32:

Where are you trying to use this function?

It's not supposed to output html, thus the 'attribute' part of the function name.

This function is designed to be used in this context:

<a href="" title="<?php the_title_attribute(); ?>">

On my site users can add posts themselves. There are many moderators.

I wanted to use this function to strip any HTML from the title, because it can be added from the admin panel. Unwanted HTML can break design.

So, I have to use:

echo '<h1><span>' . esc_attr(strip_tags($title)) . '</span><ins></ins></h1>';

This code is more convenient:

the_title_attribute('before=<h1><span>&after=</span><ins></ins></h1>');

the_title_attribute() is only for attributes. The Codex needs to be updated. If you don't want HTML in titles, then you should filter that on save and/or display.

On my site users can add posts themselves. There are many moderators.

I wanted to use this function to strip any HTML from the title, because it can be added from the admin panel. Unwanted HTML can break design.

To me, This sounds like you should be filtering the posts on save to remove anything which you do not want the user to add. In addition to that, Users with an Author or Contributor role lack the 'unfiltered_html' capability, that capability is what allows for HTML in titles (IIRC).

You might want to use a role manager Plugin to apply some finer-grained control over what your users can, and can't do.

In this case, The function is supposed to be used within attributes (thus, the attribute in the name, the esc_attr() and the strip_tags(), so the documentation needs to be updated to mention this.

I'm not too sure if the docblock needs updating, but the codex certainly does.

Note, If you want to strip html from all titles, this will work:

add_filter('the_title', 'strip_html');

}}}

Note, If you want to strip html from all titles, this will work:

add_filter('the_title', 'strip_html');

}}}

Filter hook is a good one, I will use it. Role manager plugin also a nice approach.

Thanks for all, you are doing a great job.

Has this ticket been done?

The codex seems to clearly explain in the description that HTML will be stripped, and the example shows the correct placing of the function and does not include any HTML within the function's parameters.

Yep, the Codex page is already updated by dd32.