Opened 14 years ago
Closed 14 years ago
#16463 closed defect (bug) (invalid)
the_title_attribute() bug
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 3.0.4 |
| Component: | Template | Keywords: | needs-docs |
| Focuses: | | Cc: | |
Description
Hi, this bug appears when you try to use HTML for options as 'before' or 'after' on function the_title_attribute();
http://core.trac.wordpress.org/browser/tags/3.0.4/wp-includes/post-template.php#L74
An example from docs doesn't work:
http://codex.wordpress.org/Function_Reference/the_title_attribute
<?php the_title_attribute('before=<h3>&after=</h3>'); ?>
One of the solutions - we can move below the first line of this code:
$title = $before . $title . $after;
$title = esc_attr(strip_tags($title));
So, HTML from options won't be stripped.
Attachments (2)
Change History (15)
#2 (14 years ago, follow-ups: ↓ 3 ↓ 5)
- Component changed from General to Template
- Keywords reporter-feedback added; has-patch removed
Where are you trying to use this function?
It's not supposed to output html, thus the 'attribute' part of the function name.
This function is designed to be used in this context:
<a href="" title="<?php the_title_attribute(); ?>">
In that context, HTML is invalid and should be stripped from the output.
It sounds like you should be using the_title() function instead to me.
#3 (14 years ago, in reply to: ↑ 2)
Replying to dd32:
This function is designed to be used in this context:
<a href="" title="<?php the_title_attribute(); ?>">
In that context, HTML is invalid and should be stripped from the output.
Then I think the example in the documentation needs to be revised:
http://codex.wordpress.org/Function_Reference/the_title_attribute
#4 (14 years ago)
Also, the inline documentation didn't mention that this function is designed to be used in title attribute only. If this is indeed the original intention of this function, shouldn't we modify both the inline documentation and codex to make sure theme developers know how to correctly use this function?
#5 (14 years ago, in reply to: ↑ 2)
Replying to dd32:
Where are you trying to use this function?
It's not supposed to output html, thus the 'attribute' part of the function name.
This function is designed to be used in this context:
<a href="" title="<?php the_title_attribute(); ?>">
On my site users can add posts themselves. There are many moderators.
I wanted to use this function to strip any HTML from the title, because it can be added from the admin panel. Unwanted HTML can break design.
So, I have to use:
echo '<h1><span>' . esc_attr(strip_tags($title)) . '</span><ins></ins></h1>';
This code is more convenient:
the_title_attribute('before=<h1><span>&after=</span><ins></ins></h1>');
#6 (14 years ago)
- Milestone changed from Awaiting Review to 3.1
the_title_attribute() is only for attributes. The Codex needs to be updated. If you don't want HTML in titles, then you should filter that on save and/or display.
#8 (14 years ago, follow-up: ↓ 9)
- Keywords needs-docs added; reporter-feedback removed
On my site users can add posts themselves. There are many moderators.
I wanted to use this function to strip any HTML from the title, because it can be added from the admin panel. Unwanted HTML can break design.
To me, this sounds like you should be filtering the posts on save to remove anything which you do not want the user to add. In addition to that, users with an Author or Contributor role lack the 'unfiltered_html' capability; that capability is what allows for HTML in titles (IIRC).
You might want to use a role manager plugin to apply some finer-grained control over what your users can and can't do.
In this case, the function is supposed to be used within attributes (thus the attribute in the name, the esc_attr() and the strip_tags()), so the documentation needs to be updated to mention this.
I'm not too sure if the docblock needs updating, but the codex certainly does.
Note, if you want to strip HTML from all titles, this will work:
add_filter('the_title', 'strip_tags');
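An added example (not part of the ticket and not WordPress core code) of the approach suggested in comments 6 and 8: strip markup from titles on save and on display, keep the wrapper markup in the template, and escape for the output context. The `mytheme_*` function names are hypothetical; the hooks and escaping functions used are WordPress core APIs.

```php
<?php
// Added example for a theme's functions.php or a small plugin.
// The mytheme_* names are hypothetical; everything else is WordPress core API.

// On save: remove markup from the title before it is written to the database.
add_filter( 'title_save_pre', 'wp_strip_all_tags' );

// On display: also cover titles stored before the save filter was in place.
add_filter( 'the_title', 'wp_strip_all_tags' );

/**
 * Print the current post's title as a heading (HTML element context).
 * The wrapper tags are literal template markup, so they are never passed
 * through the_title_attribute() and never stripped.
 */
function mytheme_plain_title_heading() {
	$title = wp_strip_all_tags( get_the_title() );
	if ( '' === $title ) {
		return; // Nothing to print for untitled posts.
	}
	// esc_html() is the escaper for text placed between tags.
	echo '<h1><span>' . esc_html( $title ) . '</span><ins></ins></h1>';
}

/**
 * Print a permalink whose title attribute carries the post title
 * (HTML attribute context), the use the_title_attribute() is meant for.
 */
function mytheme_title_link() {
	printf(
		'<a href="%s" title="%s">%s</a>',
		esc_url( get_permalink() ),
		the_title_attribute( array( 'echo' => false ) ), // stripped and attribute-escaped
		esc_html( wp_strip_all_tags( get_the_title() ) )
	);
}
```

Both helpers are meant to be called inside the Loop, where `get_the_title()` and `get_permalink()` refer to the current post.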
#9 (14 years ago, in reply to: ↑ 8)
Note, if you want to strip HTML from all titles, this will work:
add_filter('the_title', 'strip_tags');
Filter hook is a good one, I will use it. Role manager plugin is also a nice approach.
Thanks for everything, you are doing a great job.
#10 (14 years ago)
Has this ticket been done?
The codex seems to clearly explain in the description that HTML will be stripped, and the example shows the correct placing of the function and does not include any HTML within the function's parameters.
#11 (14 years ago)
- Resolution set to fixed
- Status changed from new to closed
Yep, the Codex page is already updated by dd32.
fix