WordPress.org

Make WordPress Core

Opened 9 years ago

Closed 9 years ago

#16463 closed defect (bug) (invalid)

the_title_attribute() bug

Reported by: facemann_ru Owned by:
Milestone: Priority: normal
Severity: normal Version: 3.0.4
Component: Template Keywords: needs-docs
Focuses: Cc:

Description

Hi, this bug appears when you try to use HTML for options as 'before' or 'after' on function the_title_attribute();

http://core.trac.wordpress.org/browser/tags/3.0.4/wp-includes/post-template.php#L74

An example from docs doesn't work:

http://codex.wordpress.org/Function_Reference/the_title_attribute

<?php the_title_attribute('before=<h3>&after=</h3>'); ?>

One of the solutions - we can move below the first line of this code:

$title = $before . $title . $after;
$title = esc_attr(strip_tags($title));

So, HTML from options won't be stripped.

Attachments (2)

the_title_attribute_fix.php (397 bytes) - added by facemann_ru 9 years ago.
fix
16463.diff (454 bytes) - added by garyc40 9 years ago.
facemann_ru's fix in .diff format

Download all attachments as: .zip

Change History (15)

@facemann_ru
9 years ago

fix

@garyc40
9 years ago

facemann_ru's fix in .diff format

#1 @garyc40
9 years ago

  • Keywords has-patch added; get_the_title the_title_attribute removed

#2 follow-ups: @dd32
9 years ago

  • Component changed from General to Template
  • Keywords reporter-feedback added; has-patch removed

Where are you trying to use this function?

It's not supposed to output html, thus the 'attribute' part of the function name.

This function is designed to be used in this context: 

<a href="" title="<?php the_title_attribute(); ?>">

In that context, HTML is invalid and should be striped from the output.

It sounds like you should be using the_title(); function instead to me..

#3 in reply to: ↑ 2 @garyc40
9 years ago

Replying to dd32:

This function is designed to be used in this context: 

<a href="" title="<?php the_title_attribute(); ?>">

In that context, HTML is invalid and should be striped from the output.

Then I think the example in the documentation needs to be revised:

http://codex.wordpress.org/Function_Reference/the_title_attribute

#4 @garyc40
9 years ago

Also, the inline documentation didn't mention that this function is designed to be used in title attribute only. If this is indeed the original intention of this function, shouldn't we modify both the inline documentation and codex to make sure theme developers know how to correctly use this function?

Last edited 9 years ago by garyc40 (previous) (diff)

#5 in reply to: ↑ 2 @facemann_ru
9 years ago

Replying to dd32:

Where are you trying to use this function?

It's not supposed to output html, thus the 'attribute' part of the function name.

This function is designed to be used in this context: 

<a href="" title="<?php the_title_attribute(); ?>">

On my site users can add posts themselves. There are many moderators.

I wanted to use this function to strip any HTML from the title, because it can be added from the admin panel. Unwanted HTML can break design.

So, I have to use:

echo '<h1><span>' . esc_attr(strip_tags($title)) . '</span><ins></ins></h1>';

This code is more convenient:

the_title_attribute('before=<h1><span>&after=</span><ins></ins></h1>');
Last edited 9 years ago by facemann_ru (previous) (diff)

#6 @nacin
9 years ago

  • Milestone changed from Awaiting Review to 3.1

the_title_attribute() is only for attributes. The Codex needs to be updated. If you don't want HTML in titles, then you should filter that on save and/or display.

#7 @nacin
9 years ago

  • Milestone changed from 3.1 to Awaiting Review

#8 follow-up: @dd32
9 years ago

  • Keywords needs-docs added; reporter-feedback removed

On my site users can add posts themselves. There are many moderators.

I wanted to use this function to strip any HTML from the title, because it can be added from the admin panel. Unwanted HTML can break design.

To me, This sounds like you should be filtering the posts on save to remove anything which you do not want the user to add. In addition to that, Users with an Author or Contributor role lack the 'unfiltered_html' capability, that capability is what allows for HTML in titles (IIRC).

You might want to use a role manager Plugin to apply some finer-grained control over what your users can, and can't do.

In this case, The function is supposed to be used within attributes (thus, the attribute in the name, the esc_attr() and the strip_tags(), so the documentation needs to be updated to mention this.

I'm not too sure if the docblock needs updating, but the codex certainly does.

Note, If you want to strip html from all titles, this will work:

add_filter('the_title', 'strip_html');

}}}

#9 in reply to: ↑ 8 @facemann_ru
9 years ago

Note, If you want to strip html from all titles, this will work:

add_filter('the_title', 'strip_html');

}}}

Filter hook is a good one, I will use it. Role manager plugin also a nice approach.

Thanks for all, you are doing a great job.

#10 @japh
9 years ago

Has this ticket been done?

The codex seems to clearly explain in the description that HTML will be stripped, and the example shows the correct placing of the function and does not include any HTML within the function's parameters.

Last edited 9 years ago by japh (previous) (diff)

#11 @SergeyBiryukov
9 years ago

  • Resolution set to fixed
  • Status changed from new to closed

Yep, the Codex page is already updated by dd32.

#12 @nacin
9 years ago

  • Milestone Awaiting Review deleted
  • Resolution fixed deleted
  • Status changed from closed to reopened

#13 @nacin
9 years ago

  • Resolution set to invalid
  • Status changed from reopened to closed
Note: See TracTickets for help on using tickets.